Symfony2 ACL combined with other conditions

Question:

I'm wondering if anyone knows of an elegant way to achieve this using the Symfony2 ACL system.

I have a Comment entity (my domain object) which needs to be editable by ROLE_USER but this is only allowed within 5 minutes of the comment being posted - otherwise the comment can only be edited by ROLE_ADMIN.

Making it so that it can only be edited by ROLE_USER and ROLE_ADMIN is simple, just make a RoleSecurityIdentity for each.

Now my problem occurs when I want to incorporate the time factor for ROLE_USER. My first problem is that it needs information from the domain object, not just the ACL table but I think this is solvable by making a custom ObjectIdentity class which can also hold the time that the Comment was posted.

Now for the hard part.

I think I need to create a custom PermissionGrantingStrategy that knows to also look at the creation time. This has to be loaded when a Comment type is being checked, but I don't know how to get it to load. Does anyone know if there's some kind of factory through which this sort of thing can be configured? So that if an entity has a specific PermissionGrantingStrategy associated with it then it gets used otherwise the default is used?

I know this is a bit of a long one, many thanks if anyone knows how to achieve this as the ACL documentation seems a tad sparse at the moment. My fallback solution is to simply make some kind of service to check if a Comment can be edited and not bother with ACL at all.

Have you considered using a voter? There's a cookbook recipe for implementing an IP blacklist voter, but it could be easily modified to handle checking for edits on Comment objects.

You can look at the default AclVoter in Symfony\Component\Security\Acl\Voter\. However, AclVoter (online here

As a quick proof of concept:

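use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class CommentTimestampVoter implements VoterInterface
{
    public function supportsAttribute($attribute)
    {
        return 'edit' === $attribute;
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Abstain unless this is an 'edit' check on a Comment, so other objects never reach getAuthor()
        if (!is_object($object) || !$this->supportsClass(get_class($object)) || !in_array('edit', $attributes, true)) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        // 1. check if the token has ROLE_ADMIN and grant if so (roles on the token only, no role hierarchy)
        foreach ($token->getRoles() as $role) {
            if ('ROLE_ADMIN' === $role->getRole()) {
                return VoterInterface::ACCESS_GRANTED;
            }
        }
        // 2. deny if the user is not the comment's author (assumes getAuthor() returns the token's user object)
        if ($token->getUser() !== $object->getAuthor()) {
            return VoterInterface::ACCESS_DENIED;
        }
        // 3. grant if the comment was created within the window allowed for editing (5 minutes)
        if ($object->getCreatedAt() >= new \DateTime('-5 minutes')) {
            return VoterInterface::ACCESS_GRANTED;
        }
        // 4. the author's edit window has passed
        return VoterInterface::ACCESS_DENIED;
    }

    public function supportsClass($class)
    {
        return 'Acme\CommentBundle\Entity\Comment' === $class;
    }
}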
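
For the voter above to be consulted at all, it has to be registered as a service tagged `security.voter`. The following is an added example, not part of the original answer, showing that registration together with the decision strategy that lets the voter's ACCESS_DENIED take effect. The service id, the voter's namespace and the file paths are assumptions.

```yaml
# src/Acme/CommentBundle/Resources/config/services.yml (assumed path)
services:
    # Hypothetical service id. The namespace below is also assumed:
    # the answer only gives the class name CommentTimestampVoter.
    acme_comment.security.comment_timestamp_voter:
        class: Acme\CommentBundle\Security\Authorization\Voter\CommentTimestampVoter
        public: false
        tags:
            # This tag is what makes the access decision manager call the voter.
            - { name: security.voter }

# app/config/security.yml
security:
    access_decision_manager:
        # The default strategy is "affirmative": a single ACCESS_GRANTED from
        # any voter allows the edit, even when CommentTimestampVoter returns
        # ACCESS_DENIED. With "unanimous", one ACCESS_DENIED vetoes the
        # decision, so the non-author and expired-window denials are enforced.
        strategy: unanimous
```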