Symfony2 ACL and pager/multiple entities filtering

I've seen examples of ACL to deal with one entity but none to deal with fetching multiple items - such as a list of posts that belong to an author. One (bad) suggestion was to fetch all the items and then filter using acl - not going to work when we have a million items. What is the intended way to fetch multiple items - let's say I want to fetch all my posts (using any criteria I need such as published or ordered by) in batches of 50 for the pager (another reason why post filtering will not work - I'd end up with different page sizes).

Whisker answered 11/9, 2011 at 1:41 Comment(8)
You should not use ACL to identify which posts belong to an author. Before you fetch all user's entities you should use the ACL to validate if the "fetching all user's entities" is an allowed action or not. If it is, perform the action. If not, not. – Liter
Beg your pardon? How is my code going to know which items belong to the user if I don't use ACL? I'd have to add a ref to the user in my posts - the entire point of ACL is to not do that. Can you explain what I am not getting please? – Whisker
How does your ACL know what a user is? Users are objects (must not mean class, I mean the broad meaning of object in programming, e.g. an integer containing the user-id), so both ACL and the rest of your application share a domain here. ACL should sit on top of it, it should not sit everywhere. If you make it sit everywhere, you run into the problem you have in the question. If you don't, you don't have it. Keep the functional parts of your application apart. ACL is ACL, Posts are Posts. In your controller or your business models, bring them together, but not earlier. – Liter
In Symfony if you wanted to retrieve one post for a user you would a) fetch the post then b) check the ACL permission for this post/current user. Fine. The problem is that this doesn't work for multiple items efficiently. It does not appear to be possible to fetch the first 50 posts this user is allowed to edit, for example. What I can do is fetch every post in my database then go through the ACL until I have 50, which is obviously not usable. I mean this is a common problem and there are currently no solutions anywhere - this question has been asked repeatedly and is a very real issue. – Whisker
All there is at the moment is a GitHub attempt to patch the ACL by allowing joins, but last time I looked it was very much in the works. – Whisker
Hi @Yashua, did you ever find a good solution for this? Currently I am on the verge of doing as suggested in this question by the other users. But it feels dirty as I am in the same boat as you. Cheers – Crush
@Crush - sort of - I moved over to NodeJS and gave up PHP/Symfony :) Best thing I ever did. – Whisker
Ahh okay thanks @Yashua, that is not an option currently :p – Crush

I think you shouldn't use ACL for determining which posts belong to a particular author, because ACL is about access control / permissions, not about finding owners or determining object relations.

But certainly, you are perfectly ok to want to get a list of posts a certain user can view, edit or moderate, for example.

Currently, there is no functionality to do this on the API level, but... well, I think in Symfony2 / Doctrine2 you can just do a Native Query and join with the acl_entries table.

But there is a drawback. In a large system the acl_entries table will contain just too many rows and joining against it can be slow (we know that MySQL is stupid sometimes). So you might also want to build some kind of caching system around this.

Pyrognostics answered 18/11, 2011 at 7:53 Comment(3)
I am just baffled this was not addressed. This means no admin generator, no paging, on a native level. – Whisker
I feel I am missing something. You and hakre suggest not using ACL to fetch posts that belong to a user but instead using ACL to see if they can do so. I just don't get this. If I have to keep track of all the users that can edit a post outside of the ACL structure, then why does ACL exist in the first place? I know the user can edit/delete a post since I have to manage that myself - I don't need ACL to tell me the exact same thing. Having ACL tell me that a user can fetch the posts that belong to him is pretty much useless. So I think I am not getting something fundamental. – Whisker
I am also quite confused with the statements made here and agree with @cyberwombat. I was thinking about how I can contain and separate the ACL logic. In essence, I think the best idea is to perform a query against the ACL for all the objects that pass the permission mask and get a list of those objects' ids. Then I can use this full list in a second query that can also handle pagination. – Raasch
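As an added illustration of the native-query approach this answer suggests (and the two-step idea in the last comment), not code from the question, the answer, or Symfony itself: one page of post ids is selected by joining the post table against Symfony2's default ACL tables, then hydrated with DQL. The function names, the `post` table, the `AcmeBlogBundle:Post` entity and the `$conn`/`$em` variables are assumptions; the query matches only direct object-scope ACEs for the user's own identity, so for ACLs that rely on roles, class-scope entries, inheritance or denying entries it will not agree with `isGranted()`.

```php
<?php
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// Assumed: Symfony2's default ACL table names (MySQL), a "post" table with
// id/published/created_at, an AcmeBlogBundle:Post entity, $conn = DBAL Connection.
function findPermittedPostIds($conn, $username, $userClass, $page, $perPage, $mask = MaskBuilder::MASK_EDIT)
{
    $identifier = $userClass . '-' . $username; // how a UserSecurityIdentity row is stored
    $limit  = max(1, (int) $perPage);
    $offset = max(0, ((int) $page - 1) * $limit);
    $mask   = (int) $mask;
    // Matches only object-scope, granting ACEs held by the user's own identity whose
    // mask contains every bit of $mask (the default "all" strategy). Class-scope ACEs,
    // role identities, inherited parent ACLs and denying ACEs are not modelled, so
    // for such ACLs the result differs from what AclVoter / isGranted() decides.
    $sql = "SELECT p.id
              FROM post p
              JOIN acl_classes c ON c.class_type = :classType
              JOIN acl_object_identities o
                ON o.class_id = c.id AND o.object_identifier = CAST(p.id AS CHAR)
              JOIN acl_entries e ON e.object_identity_id = o.id
              JOIN acl_security_identities s ON s.id = e.security_identity_id
             WHERE s.identifier = :identifier AND s.username = 1
               AND e.granting = 1 AND (e.mask & $mask) = $mask
               AND p.published = 1
          GROUP BY p.id, p.created_at
          ORDER BY p.created_at DESC
             LIMIT $limit OFFSET $offset";
    $rows = $conn->fetchAll($sql, array('classType' => 'Acme\BlogBundle\Entity\Post', 'identifier' => $identifier));
    return array_map(function ($row) { return (int) $row['id']; }, $rows);
}

// Hydrate one page with DQL; IN() returns rows in arbitrary order, so restore the SQL order.
function loadPostsInOrder($em, array $ids)
{
    if (!$ids) { return array(); }
    $dql  = 'SELECT p FROM AcmeBlogBundle:Post p WHERE p.id IN (:ids)';
    $byId = array();
    foreach ($em->createQuery($dql)->setParameter('ids', $ids)->getResult() as $post) {
        $byId[$post->getId()] = $post;
    }
    $ordered = array();
    foreach ($ids as $id) {
        if (isset($byId[$id])) {
            $ordered[] = $byId[$id];
        }
    }
    return $ordered;
}
```

`loadPostsInOrder($em, findPermittedPostIds($conn, $user->getUsername(), get_class($user), 2, 50))` gives page 2 of the published posts the user holds an EDIT entry on, 50 per page, with the ordering applied before the LIMIT so page sizes stay constant.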