
I'm trying to find the best way to handle a "complex" security / privacy system using Symfony2.

I read a lot of documentation about the ROLES and the ACLs but I'm looking for something different. I need the rights to be calculated based on the properties of the objects.

In my case, I have a User object and multiple other objects (Project, Task, Label, and more...).

I need to check if a User can read or write any kind of object without storing the rights in the database (like the ACL system is doing). The rights should be "calculated" based on the relation between the User and a given object.

For example, the User(1) can write on the Task(2) because he is a member of the Project(3) and the Task(2) is in the Project(3).

The Roles of the security service can't handle that. The ACL could handle it but I don't want to store the rights in my database because I know that they are going to change a lot during the life of the product.

Is there a known good practice for that kind of needs or should I write my own system?

Thanks.

Aric Lasry
  • possible duplicate of [Symfony2 ACL combined with another criteria](http://stackoverflow.com/questions/7879173/symfony2-acl-combined-with-another-criteria) – kgilden Aug 14 '12 at 16:05

1 Answer

1

"that they are going to change a lot during the life of the product" -> IMO, storing in database is the best, and ACLs are a good way to do that.

In your example above, ACLs would be a good way to manage rights between Users and Projects, and rights on Tasks depend on those Project rights.

These rights would be accessible in your controllers and your views with isGranted() and is_granted() respectively, if you implement your own aclVoter: http://symfony.com/doc/current/cookbook/security/voters.html

guillaumepotier
  • From what he's explaining, ACLs clearly aren't the way to go (it's hell to maintain ACLs in sync with the data). Voters are the best solution. – AdrienBrault Aug 14 '12 at 20:10
  • I really don't want to store the rights in the database. The rules are going to be: If the `User` is the owner of the project, then he can do anything on the `Tasks` inside this project. If the user isn't the owner but he is the creator of the `Task` or the assignee, then he can do everything on this `Task`. What if I use the ACL and I forget to set the right permission when the `User` becomes responsible for the `Task`? I would have to update all the database to match the new rules? – Aric Lasry Aug 15 '12 at 18:36
  • 1
    Ok, if it's just that, you could just use a custom Voter: you'll check there whether the current user is either the Project owner or the Task assignee and return the rights accordingly. Have a look at my link above in my answer – guillaumepotier Aug 16 '12 at 10:39
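The voter the answer points to, written out for the rules stated in the comments above (project owner can do anything on the project's tasks; task creator or assignee can do anything on that task). This is an added example, not code from the original thread or from Symfony itself. It targets the Symfony 2.x `VoterInterface`; the `Acme\ProjectBundle` namespace, the `Task`/`Project` entities with `getProject()`, `getCreator()`, `getAssignee()` and `getOwner()`, and a `getId()` on the user class are all assumptions made for the example.

```php
<?php
// Added example (not from the original post): a Symfony 2.x voter that derives
// a user's rights on a Task from its relations instead of reading stored ACEs.
//
// Assumptions (hypothetical names, not from the page):
//   - Acme\ProjectBundle\Entity\Task has getProject(), getCreator(), getAssignee()
//   - Acme\ProjectBundle\Entity\Project has getOwner()
//   - user entities expose getId()
// The class is registered as a service tagged "security.voter".

namespace Acme\ProjectBundle\Security\Authorization\Voter;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Acme\ProjectBundle\Entity\Task;

class TaskVoter implements VoterInterface
{
    const VIEW = 'VIEW';
    const EDIT = 'EDIT';

    private static $attributes = array(self::VIEW, self::EDIT);

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, self::$attributes, true);
    }

    public function supportsClass($class)
    {
        $task = 'Acme\ProjectBundle\Entity\Task';

        return $class === $task || is_subclass_of($class, $task);
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Abstain on objects outside our scope so other voters still decide.
        if (!$object instanceof Task) {
            return self::ACCESS_ABSTAIN;
        }

        // Abstain as well if none of the requested attributes is ours.
        $supported = array_filter($attributes, array($this, 'supportsAttribute'));
        if (0 === count($supported)) {
            return self::ACCESS_ABSTAIN;
        }

        // An anonymous token carries a string, not a user object: deny.
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return self::ACCESS_DENIED;
        }

        // Rules from the thread: the project owner can do anything on its
        // tasks; the task creator or assignee can do anything on that task.
        if ($this->isProjectOwner($user, $object) || $this->isCreatorOrAssignee($user, $object)) {
            return self::ACCESS_GRANTED;
        }

        // Deny explicitly rather than abstain: the task is in our scope, so a
        // user with no relation to it must not be granted access by default.
        return self::ACCESS_DENIED;
    }

    private function isProjectOwner(UserInterface $user, Task $task)
    {
        $project = $task->getProject();
        if (null === $project) {
            return false;
        }

        return $this->sameUser($user, $project->getOwner());
    }

    private function isCreatorOrAssignee(UserInterface $user, Task $task)
    {
        return $this->sameUser($user, $task->getCreator())
            || $this->sameUser($user, $task->getAssignee());
    }

    // Compare by identifier, not by object identity: a detached or freshly
    // loaded entity may be a different instance for the same database row.
    private function sameUser(UserInterface $user, $other)
    {
        if (null === $other || !method_exists($other, 'getId') || !method_exists($user, 'getId')) {
            return false;
        }

        return $user->getId() === $other->getId();
    }
}
```

Register the class as a private service tagged `security.voter`; after that `$this->get('security.context')->isGranted('EDIT', $task)` in a controller and `is_granted('EDIT', task)` in Twig consult it. Because the rules live in code, changing them (the concern raised above about forgetting to update permissions when a user becomes responsible for a task) needs no migration of stored permissions. With Symfony's default `affirmative` decision strategy a single `ACCESS_GRANTED` suffices, which is why the voter abstains only on objects and attributes it does not handle and returns `ACCESS_DENIED` for every in-scope task it cannot justify granting.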