This topic contains 1 reply, has 2 voices, and was last updated by Yurii Muratov 6 years, 8 months ago.
My goal:
I have got some users with many roles to access the platform. I want to give them access to a resource as soon as one of the roles gives them access. I found in Symfony that we can choose the access_decision_manager strategy, and that there is one (the affirmative) which defines the behavior I want.
So I updated the security.yml file with this:

```yaml
access_decision_manager:
    strategy: affirmative
```

But it doesn't work.
So I inspected the code and I found that the system only checks the first role (alphabetic) of my user.
I ended up falling on what seems to be an issue. In the “PermissionGrantingStrategy” file, in the hasSufficientPermissions method at line 208:
```php
protected function hasSufficientPermissions(
    AclInterface $acl,
    array $aces,
    array $masks,
    array $sids,
    $administrativeMode
) {
    $triggeredAce = null;
    $triggeredMask = 0;
    $result = false;

    foreach ($sids as $sid) {
        foreach ($aces as $ace) {
            if ($sid->equals($ace->getSecurityIdentity())) {
                foreach ($masks as $requiredMask) {
                    if ($this->isAceApplicable($requiredMask, $ace, $acl)) {
                        $isGranting = $ace->isGranting();

                        // give an additional chance for the appropriate ACL extension to decide
                        // whether an access to a domain object is granted or not
                        $decisionResult = $this->getContext()->getAclExtension()->decideIsGranting(
                            $requiredMask,
                            $this->getContext()->getObject(),
                            $this->getContext()->getSecurityToken()
                        );
                        if (!$decisionResult) {
                            $isGranting = !$isGranting;
                        }

                        if ($isGranting) {
                            // the access is granted if there is at least one granting ACE
                            $triggeredAce = $ace;
                            $triggeredMask = $requiredMask;
                            $result = true;
                            // break all loops when granting ACE was found
                            break 3;
                        } else {
                            // remember the first denying ACE
                            if (null === $triggeredAce) {
                                $triggeredAce = $ace;
                                $triggeredMask = $requiredMask;
                            }
                            // break for all masks
                            break 3; // Here it should be a simple break, only to break the last loop and check all roles.
                        }
                    }
                }
            }
        }
    }

    if ($triggeredAce === null) {
        // ACE was not found
        return null;
    } else {
        $this->getContext()->setTriggeredMask($triggeredMask);
    }

    if (!$administrativeMode && null !== $this->auditLogger) {
        $this->auditLogger->logIfNeeded($result, $triggeredAce);
    }

    return $result;
}
```

Besides, the comments are explicit:
- the first break: `// break all loops when granting ACE was found` -> so `break 3;`
- on the second: `// break for all masks` -> so a simple `break;`, to only break the masks loop.
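As an added example (not the poster's code nor OroPlatform's), a stripped-down PHP 8 model of the loop above, run against a constructed two-role fixture: `Ace`, `evaluate()` and the mask test are assumptions standing in for the real ACE classes and `isAceApplicable()`. It shows that with `break 3` on a denying ACE the second role's granting ACE is never consulted, while a plain `break` reaches it:

```php
<?php
// Added example (not OroPlatform code): a stripped-down model of the ACE loop in
// hasSufficientPermissions() showing why "break 3" on a denying ACE stops the
// evaluation after the first role. Ace, evaluate and the mask test are assumptions.

final class Ace
{
    public function __construct(public string $sid, public int $mask, public bool $granting) {}
}

// Walk SIDs (roles) and ACEs in the same nesting as the real method.
// $stopOnDeny = true mirrors the posted code (break 3 on the first denying ACE);
// false mirrors a plain break, so the remaining roles are still consulted.
function evaluate(array $sids, array $aces, array $masks, bool $stopOnDeny): ?bool
{
    $triggered = null;
    $result = false;
    foreach ($sids as $sid) {
        foreach ($aces as $ace) {
            if ($ace->sid !== $sid) {
                continue;
            }
            foreach ($masks as $requiredMask) {
                // stand-in for isAceApplicable(): the ACE must cover the required bits
                if (($ace->mask & $requiredMask) !== $requiredMask) {
                    continue;
                }
                if ($ace->granting) {
                    $triggered = $ace;
                    $result = true;
                    break 3;         // one granting ACE is enough: leave all loops
                }
                $triggered ??= $ace; // remember the first denying ACE
                if ($stopOnDeny) {
                    break 3;         // posted code: every later role is skipped
                }
                break;               // plain break: only leave the masks loop
            }
        }
    }
    return $triggered === null ? null : $result;
}

// Constructed fixture: ROLE_A (sorted first) denies VIEW, ROLE_B grants it.
const VIEW = 1;
$aces = [new Ace('ROLE_A', VIEW, false), new Ace('ROLE_B', VIEW, true)];
$sids = ['ROLE_A', 'ROLE_B'];
var_dump(evaluate($sids, $aces, [VIEW], true));  // models the posted code: stops at ROLE_A's denying ACE
var_dump(evaluate($sids, $aces, [VIEW], false)); // plain-break variant: goes on to ROLE_B's granting ACE
```

The first call returns the denial the poster observed, the second the grant the affirmative strategy is meant to produce; the difference is only which `break` runs in the denying branch.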
The forum ‘OroPlatform – Security’ is closed to new topics and replies.