Symfony2 ACL combined with another criteria


Question

I'm wondering if anyone knows of an elegant way to achieve this using the Symfony2 ACL system.

I have a Comment entity (my domain object) which needs to be editable by ROLE_USER but this is only allowed within 5 minutes of the comment being posted - otherwise the comment can only be edited by ROLE_ADMIN.

Making it so that it can only be edited by ROLE_USER and ROLE_ADMIN is simple, just make a RoleSecurityIdentity for each.

Now my problem occurs when I want to incorporate the time factor for ROLE_USER. My first problem is that it needs information from the domain object, not just the ACL table but I think this is solvable by making a custom ObjectIdentity class which can also hold the time that the Comment was posted.

Now for the hard part

I think I need to create a custom PermissionGrantingStrategy that knows to also look at the creation time. This has to be loaded when a Comment type is being checked, but I don't know how to get it to load. Does anyone know if there's some kind of factory through which this sort of thing can be configured? So that if an entity has a specific PermissionGrantingStrategy associated with it then it gets used otherwise the default is used?

I know this is a bit of a long one, many thanks if anyone knows how to achieve this as the ACL documentation seems a tad sparse at the moment. My fallback solution is to simply make some kind of service to check if a Comment can be edited and not bother with ACL at all.

Recommended answer

Have you considered using a voter? There's a cookbook recipe for implementing an IP blacklist voter, but it could be easily modified to handle checking for edits on Comment objects.

You can look at the default AclVoter at Symfony\Component\Security\Acl\Voter\AclVoter (online here), though yours can obviously augment instead of replace it and be much simpler.

As a quick proof of concept:

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class CommentTimestampVoter implements VoterInterface
{
    public function supportsAttribute($attribute)
    {
        return 'edit' === $attribute;
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // 1. check if $token->getUser() has ROLE_ADMIN and return VoterInterface::ACCESS_GRANTED if so
        // 2. check if $token->getUser() equals $object->getAuthor() and return VoterInterface::ACCESS_DENIED if not
        // 3. check that $object->getCreatedAt() is within the window allowed for editing and return VoterInterface::ACCESS_GRANTED if so
        // 4. return VoterInterface::ACCESS_DENIED
    }

    public function supportsClass($class)
    {
        // Fully qualified class name of the Comment entity.
        return 'Acme\CommentBundle\Entity\Comment' === $class;
    }
}
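
The four steps of the proof of concept above, filled in as an added example (not the answerer's code). It assumes `getAuthor()` returns a `UserInterface`, `getCreatedAt()` returns a `\DateTime`, and the `Acme\CommentBundle\Security` namespace; the 300-second window is the question's 5 minutes.

```php
<?php
// Added example. Assumptions: Comment::getAuthor() returns a UserInterface,
// Comment::getCreatedAt() returns a \DateTime, namespace is hypothetical.
namespace Acme\CommentBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class CommentTimestampVoter implements VoterInterface
{
    const EDIT_WINDOW_SECONDS = 300; // 5 minutes, from the question

    public function supportsAttribute($attribute)
    {
        return 'edit' === $attribute;
    }

    public function supportsClass($class)
    {
        // is_subclass_of() also matches Doctrine proxy classes of Comment.
        $comment = 'Acme\CommentBundle\Entity\Comment';
        return $comment === $class || is_subclass_of($class, $comment);
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Abstain unless this is an 'edit' check on a Comment, so the voter
        // never influences unrelated access decisions.
        if (!is_object($object) || !$this->supportsClass(get_class($object))
            || !array_filter($attributes, array($this, 'supportsAttribute'))) {
            return self::ACCESS_ABSTAIN;
        }
        foreach ($token->getRoles() as $role) { // 1. admins may always edit
            if ('ROLE_ADMIN' === $role->getRole()) {
                return self::ACCESS_GRANTED;
            }
        }
        // 2. Only the author may edit; anonymous tokens carry a string user.
        $user = $token->getUser();
        if (!$user instanceof UserInterface
            || $user->getUsername() !== $object->getAuthor()->getUsername()) {
            return self::ACCESS_DENIED;
        }
        // 3./4. Grant inside the window, deny after it. A future-dated
        // createdAt (negative age) is denied rather than trusted.
        $age = time() - $object->getCreatedAt()->getTimestamp();
        return ($age >= 0 && $age <= self::EDIT_WINDOW_SECONDS)
            ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }
}
```

Symfony2's access decision manager defaults to the `affirmative` strategy, where a single grant from any voter allows access, so the denials here are only binding if no other voter grants `edit` or the strategy is set to `unanimous`. `getRoles()` returns only the roles assigned to the token, so a role that merely inherits ROLE_ADMIN through the role hierarchy is not matched.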
