diff options
Diffstat (limited to 'Acl/Dbal')
| -rw-r--r-- | Acl/Dbal/AclProvider.php | 695 | ||||
| -rw-r--r-- | Acl/Dbal/MutableAclProvider.php | 1034 | ||||
| -rw-r--r-- | Acl/Dbal/Schema.php | 154 |
3 files changed, 0 insertions, 1883 deletions
diff --git a/Acl/Dbal/AclProvider.php b/Acl/Dbal/AclProvider.php deleted file mode 100644 index 6709023..0000000 --- a/Acl/Dbal/AclProvider.php +++ /dev/null @@ -1,695 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Acl\Dbal; - -use Doctrine\DBAL\Connection; -use Doctrine\DBAL\Driver\Statement; -use Symfony\Component\Security\Acl\Model\AclInterface; -use Symfony\Component\Security\Acl\Domain\Acl; -use Symfony\Component\Security\Acl\Domain\Entry; -use Symfony\Component\Security\Acl\Domain\FieldEntry; -use Symfony\Component\Security\Acl\Domain\ObjectIdentity; -use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity; -use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity; -use Symfony\Component\Security\Acl\Exception\AclNotFoundException; -use Symfony\Component\Security\Acl\Exception\NotAllAclsFoundException; -use Symfony\Component\Security\Acl\Model\AclCacheInterface; -use Symfony\Component\Security\Acl\Model\AclProviderInterface; -use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface; -use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface; - -/** - * An ACL provider implementation. - * - * This provider assumes that all ACLs share the same PermissionGrantingStrategy. - * - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - */ -class AclProvider implements AclProviderInterface -{ - const MAX_BATCH_SIZE = 30; - - /** - * @var AclCacheInterface|null - */ - protected $cache; - - /** - * @var Connection - */ - protected $connection; - protected $loadedAces = array(); - protected $loadedAcls = array(); - protected $options; - - /** - * @var PermissionGrantingStrategyInterface - */ - private $permissionGrantingStrategy; - - /** - * Constructor. - * - * @param Connection $connection - * @param PermissionGrantingStrategyInterface $permissionGrantingStrategy - * @param array $options - * @param AclCacheInterface $cache - */ - public function __construct(Connection $connection, PermissionGrantingStrategyInterface $permissionGrantingStrategy, array $options, AclCacheInterface $cache = null) - { - $this->cache = $cache; - $this->connection = $connection; - $this->options = $options; - $this->permissionGrantingStrategy = $permissionGrantingStrategy; - } - - /** - * {@inheritdoc} - */ - public function findChildren(ObjectIdentityInterface $parentOid, $directChildrenOnly = false) - { - $sql = $this->getFindChildrenSql($parentOid, $directChildrenOnly); - - $children = array(); - foreach ($this->connection->executeQuery($sql)->fetchAll() as $data) { - $children[] = new ObjectIdentity($data['object_identifier'], $data['class_type']); - } - - return $children; - } - - /** - * {@inheritdoc} - */ - public function findAcl(ObjectIdentityInterface $oid, array $sids = array()) - { - return $this->findAcls(array($oid), $sids)->offsetGet($oid); - } - - /** - * {@inheritdoc} - */ - public function findAcls(array $oids, array $sids = array()) - { - $result = new \SplObjectStorage(); - $currentBatch = array(); - $oidLookup = array(); - - for ($i = 0, $c = count($oids); $i < $c; ++$i) { - $oid = $oids[$i]; - $oidLookupKey = $oid->getIdentifier().$oid->getType(); - $oidLookup[$oidLookupKey] = $oid; - $aclFound = false; - - // check if result already contains an ACL - if ($result->contains($oid)) { - $aclFound = true; - } - - // check if this ACL has already been hydrated - if (!$aclFound && isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) { - $acl = $this->loadedAcls[$oid->getType()][$oid->getIdentifier()]; - - if (!$acl->isSidLoaded($sids)) { - // FIXME: we need to load ACEs for the missing SIDs. This is never - // reached by the default implementation, since we do not - // filter by SID - throw new \RuntimeException('This is not supported by the default implementation.'); - } else { - $result->attach($oid, $acl); - $aclFound = true; - } - } - - // check if we can locate the ACL in the cache - if (!$aclFound && null !== $this->cache) { - $acl = $this->cache->getFromCacheByIdentity($oid); - - if (null !== $acl) { - if ($acl->isSidLoaded($sids)) { - // check if any of the parents has been loaded since we need to - // ensure that there is only ever one ACL per object identity - $parentAcl = $acl->getParentAcl(); - while (null !== $parentAcl) { - $parentOid = $parentAcl->getObjectIdentity(); - - if (isset($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()])) { - $acl->setParentAcl($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()]); - break; - } else { - $this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()] = $parentAcl; - $this->updateAceIdentityMap($parentAcl); - } - - $parentAcl = $parentAcl->getParentAcl(); - } - - $this->loadedAcls[$oid->getType()][$oid->getIdentifier()] = $acl; - $this->updateAceIdentityMap($acl); - $result->attach($oid, $acl); - $aclFound = true; - } else { - $this->cache->evictFromCacheByIdentity($oid); - - foreach ($this->findChildren($oid) as $childOid) { - $this->cache->evictFromCacheByIdentity($childOid); - } - } - } - } - - // looks like we have to load the ACL from the database - if (!$aclFound) { - $currentBatch[] = $oid; - } - - // Is it time to load the current batch? - $currentBatchesCount = count($currentBatch); - if ($currentBatchesCount > 0 && (self::MAX_BATCH_SIZE === $currentBatchesCount || ($i + 1) === $c)) { - try { - $loadedBatch = $this->lookupObjectIdentities($currentBatch, $sids, $oidLookup); - } catch (AclNotFoundException $e) { - if ($result->count()) { - $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.'); - $partialResultException->setPartialResult($result); - throw $partialResultException; - } else { - throw $e; - } - } - foreach ($loadedBatch as $loadedOid) { - $loadedAcl = $loadedBatch->offsetGet($loadedOid); - - if (null !== $this->cache) { - $this->cache->putInCache($loadedAcl); - } - - if (isset($oidLookup[$loadedOid->getIdentifier().$loadedOid->getType()])) { - $result->attach($loadedOid, $loadedAcl); - } - } - - $currentBatch = array(); - } - } - - // check that we got ACLs for all the identities - foreach ($oids as $oid) { - if (!$result->contains($oid)) { - if (1 === count($oids)) { - $objectName = method_exists($oid, '__toString') ? $oid : get_class($oid); - throw new AclNotFoundException(sprintf('No ACL found for %s.', $objectName)); - } - - $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.'); - $partialResultException->setPartialResult($result); - - throw $partialResultException; - } - } - - return $result; - } - - /** - * Constructs the query used for looking up object identities and associated - * ACEs, and security identities. - * - * @param array $ancestorIds - * - * @return string - */ - protected function getLookupSql(array $ancestorIds) - { - // FIXME: add support for filtering by sids (right now we select all sids) - - $sql = <<<SELECTCLAUSE - SELECT - o.id as acl_id, - o.object_identifier, - o.parent_object_identity_id, - o.entries_inheriting, - c.class_type, - e.id as ace_id, - e.object_identity_id, - e.field_name, - e.ace_order, - e.mask, - e.granting, - e.granting_strategy, - e.audit_success, - e.audit_failure, - s.username, - s.identifier as security_identifier - FROM - {$this->options['oid_table_name']} o - INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id - LEFT JOIN {$this->options['entry_table_name']} e ON ( - e.class_id = o.class_id AND (e.object_identity_id = o.id OR {$this->connection->getDatabasePlatform()->getIsNullExpression('e.object_identity_id')}) - ) - LEFT JOIN {$this->options['sid_table_name']} s ON ( - s.id = e.security_identity_id - ) - - WHERE (o.id = -SELECTCLAUSE; - - $sql .= implode(' OR o.id = ', $ancestorIds).')'; - - return $sql; - } - - protected function getAncestorLookupSql(array $batch) - { - $sql = <<<SELECTCLAUSE - SELECT a.ancestor_id - FROM - {$this->options['oid_table_name']} o - INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id - INNER JOIN {$this->options['oid_ancestors_table_name']} a ON a.object_identity_id = o.id - WHERE ( -SELECTCLAUSE; - - $types = array(); - $count = count($batch); - for ($i = 0; $i < $count; ++$i) { - if (!isset($types[$batch[$i]->getType()])) { - $types[$batch[$i]->getType()] = true; - - // if there is more than one type we can safely break out of the - // loop, because it is the differentiator factor on whether to - // query for only one or more class types - if (count($types) > 1) { - break; - } - } - } - - if (1 === count($types)) { - $ids = array(); - for ($i = 0; $i < $count; ++$i) { - $identifier = (string) $batch[$i]->getIdentifier(); - $ids[] = $this->connection->quote($identifier); - } - - $sql .= sprintf( - '(o.object_identifier IN (%s) AND c.class_type = %s)', - implode(',', $ids), - $this->connection->quote($batch[0]->getType()) - ); - } else { - $where = '(o.object_identifier = %s AND c.class_type = %s)'; - for ($i = 0; $i < $count; ++$i) { - $sql .= sprintf( - $where, - $this->connection->quote($batch[$i]->getIdentifier()), - $this->connection->quote($batch[$i]->getType()) - ); - - if ($i + 1 < $count) { - $sql .= ' OR '; - } - } - } - - $sql .= ')'; - - return $sql; - } - - /** - * Constructs the SQL for retrieving child object identities for the given - * object identities. - * - * @param ObjectIdentityInterface $oid - * @param bool $directChildrenOnly - * - * @return string - */ - protected function getFindChildrenSql(ObjectIdentityInterface $oid, $directChildrenOnly) - { - if (false === $directChildrenOnly) { - $query = <<<FINDCHILDREN - SELECT o.object_identifier, c.class_type - FROM - {$this->options['oid_table_name']} o - INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id - INNER JOIN {$this->options['oid_ancestors_table_name']} a ON a.object_identity_id = o.id - WHERE - a.ancestor_id = %d AND a.object_identity_id != a.ancestor_id -FINDCHILDREN; - } else { - $query = <<<FINDCHILDREN - SELECT o.object_identifier, c.class_type - FROM {$this->options['oid_table_name']} o - INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id - WHERE o.parent_object_identity_id = %d -FINDCHILDREN; - } - - return sprintf($query, $this->retrieveObjectIdentityPrimaryKey($oid)); - } - - /** - * Constructs the SQL for retrieving the primary key of the given object - * identity. - * - * @param ObjectIdentityInterface $oid - * - * @return string - */ - protected function getSelectObjectIdentityIdSql(ObjectIdentityInterface $oid) - { - $query = <<<'QUERY' - SELECT o.id - FROM %s o - INNER JOIN %s c ON c.id = o.class_id - WHERE o.object_identifier = %s AND c.class_type = %s -QUERY; - - return sprintf( - $query, - $this->options['oid_table_name'], - $this->options['class_table_name'], - $this->connection->quote((string) $oid->getIdentifier()), - $this->connection->quote((string) $oid->getType()) - ); - } - - /** - * Returns the primary key of the passed object identity. - * - * @param ObjectIdentityInterface $oid - * - * @return int - */ - final protected function retrieveObjectIdentityPrimaryKey(ObjectIdentityInterface $oid) - { - return $this->connection->executeQuery($this->getSelectObjectIdentityIdSql($oid))->fetchColumn(); - } - - /** - * This method is called when an ACL instance is retrieved from the cache. - * - * @param AclInterface $acl - */ - private function updateAceIdentityMap(AclInterface $acl) - { - foreach (array('classAces', 'classFieldAces', 'objectAces', 'objectFieldAces') as $property) { - $reflection = new \ReflectionProperty($acl, $property); - $reflection->setAccessible(true); - $value = $reflection->getValue($acl); - - if ('classAces' === $property || 'objectAces' === $property) { - $this->doUpdateAceIdentityMap($value); - } else { - foreach ($value as $field => $aces) { - $this->doUpdateAceIdentityMap($value[$field]); - } - } - - $reflection->setValue($acl, $value); - $reflection->setAccessible(false); - } - } - - /** - * Retrieves all the ids which need to be queried from the database - * including the ids of parent ACLs. - * - * @param array $batch - * - * @return array - */ - private function getAncestorIds(array $batch) - { - $sql = $this->getAncestorLookupSql($batch); - - $ancestorIds = array(); - foreach ($this->connection->executeQuery($sql)->fetchAll() as $data) { - // FIXME: skip ancestors which are cached - // Fix: Oracle returns keys in uppercase - $ancestorIds[] = reset($data); - } - - return $ancestorIds; - } - - /** - * Does either overwrite the passed ACE, or saves it in the global identity - * map to ensure every ACE only gets instantiated once. - * - * @param array &$aces - */ - private function doUpdateAceIdentityMap(array &$aces) - { - foreach ($aces as $index => $ace) { - if (isset($this->loadedAces[$ace->getId()])) { - $aces[$index] = $this->loadedAces[$ace->getId()]; - } else { - $this->loadedAces[$ace->getId()] = $ace; - } - } - } - - /** - * This method is called for object identities which could not be retrieved - * from the cache, and for which thus a database query is required. - * - * @param array $batch - * @param array $sids - * @param array $oidLookup - * - * @return \SplObjectStorage mapping object identities to ACL instances - * - * @throws AclNotFoundException - */ - private function lookupObjectIdentities(array $batch, array $sids, array $oidLookup) - { - $ancestorIds = $this->getAncestorIds($batch); - if (!$ancestorIds) { - throw new AclNotFoundException('There is no ACL for the given object identity.'); - } - - $sql = $this->getLookupSql($ancestorIds); - $stmt = $this->connection->executeQuery($sql); - - return $this->hydrateObjectIdentities($stmt, $oidLookup, $sids); - } - - /** - * This method is called to hydrate ACLs and ACEs. - * - * This method was designed for performance; thus, a lot of code has been - * inlined at the cost of readability, and maintainability. - * - * Keep in mind that changes to this method might severely reduce the - * performance of the entire ACL system. - * - * @param Statement $stmt - * @param array $oidLookup - * @param array $sids - * - * @return \SplObjectStorage - * - * @throws \RuntimeException - */ - private function hydrateObjectIdentities(Statement $stmt, array $oidLookup, array $sids) - { - $parentIdToFill = new \SplObjectStorage(); - $acls = $aces = $emptyArray = array(); - $oidCache = $oidLookup; - $result = new \SplObjectStorage(); - $loadedAces = &$this->loadedAces; - $loadedAcls = &$this->loadedAcls; - $permissionGrantingStrategy = $this->permissionGrantingStrategy; - - // we need these to set protected properties on hydrated objects - $aclReflection = new \ReflectionClass('Symfony\Component\Security\Acl\Domain\Acl'); - $aclClassAcesProperty = $aclReflection->getProperty('classAces'); - $aclClassAcesProperty->setAccessible(true); - $aclClassFieldAcesProperty = $aclReflection->getProperty('classFieldAces'); - $aclClassFieldAcesProperty->setAccessible(true); - $aclObjectAcesProperty = $aclReflection->getProperty('objectAces'); - $aclObjectAcesProperty->setAccessible(true); - $aclObjectFieldAcesProperty = $aclReflection->getProperty('objectFieldAces'); - $aclObjectFieldAcesProperty->setAccessible(true); - $aclParentAclProperty = $aclReflection->getProperty('parentAcl'); - $aclParentAclProperty->setAccessible(true); - - // fetchAll() consumes more memory than consecutive calls to fetch(), - // but it is faster - foreach ($stmt->fetchAll(\PDO::FETCH_NUM) as $data) { - list($aclId, - $objectIdentifier, - $parentObjectIdentityId, - $entriesInheriting, - $classType, - $aceId, - $objectIdentityId, - $fieldName, - $aceOrder, - $mask, - $granting, - $grantingStrategy, - $auditSuccess, - $auditFailure, - $username, - $securityIdentifier) = array_values($data); - - // has the ACL been hydrated during this hydration cycle? - if (isset($acls[$aclId])) { - $acl = $acls[$aclId]; - // has the ACL been hydrated during any previous cycle, or was possibly loaded - // from cache? - } elseif (isset($loadedAcls[$classType][$objectIdentifier])) { - $acl = $loadedAcls[$classType][$objectIdentifier]; - - // keep reference in local array (saves us some hash calculations) - $acls[$aclId] = $acl; - - // attach ACL to the result set; even though we do not enforce that every - // object identity has only one instance, we must make sure to maintain - // referential equality with the oids passed to findAcls() - $oidCacheKey = $objectIdentifier.$classType; - if (!isset($oidCache[$oidCacheKey])) { - $oidCache[$oidCacheKey] = $acl->getObjectIdentity(); - } - $result->attach($oidCache[$oidCacheKey], $acl); - // so, this hasn't been hydrated yet - } else { - // create object identity if we haven't done so yet - $oidLookupKey = $objectIdentifier.$classType; - if (!isset($oidCache[$oidLookupKey])) { - $oidCache[$oidLookupKey] = new ObjectIdentity($objectIdentifier, $classType); - } - - $acl = new Acl((int) $aclId, $oidCache[$oidLookupKey], $permissionGrantingStrategy, $emptyArray, (bool) $entriesInheriting); - - // keep a local, and global reference to this ACL - $loadedAcls[$classType][$objectIdentifier] = $acl; - $acls[$aclId] = $acl; - - // try to fill in parent ACL, or defer until all ACLs have been hydrated - if (null !== $parentObjectIdentityId) { - if (isset($acls[$parentObjectIdentityId])) { - $aclParentAclProperty->setValue($acl, $acls[$parentObjectIdentityId]); - } else { - $parentIdToFill->attach($acl, $parentObjectIdentityId); - } - } - - $result->attach($oidCache[$oidLookupKey], $acl); - } - - // check if this row contains an ACE record - if (null !== $aceId) { - // have we already hydrated ACEs for this ACL? - if (!isset($aces[$aclId])) { - $aces[$aclId] = array($emptyArray, $emptyArray, $emptyArray, $emptyArray); - } - - // has this ACE already been hydrated during a previous cycle, or - // possible been loaded from cache? - // It is important to only ever have one ACE instance per actual row since - // some ACEs are shared between ACL instances - if (!isset($loadedAces[$aceId])) { - if (!isset($sids[$key = ($username ? '1' : '0').$securityIdentifier])) { - if ($username) { - $sids[$key] = new UserSecurityIdentity( - substr($securityIdentifier, 1 + $pos = strpos($securityIdentifier, '-')), - substr($securityIdentifier, 0, $pos) - ); - } else { - $sids[$key] = new RoleSecurityIdentity($securityIdentifier); - } - } - - if (null === $fieldName) { - $loadedAces[$aceId] = new Entry((int) $aceId, $acl, $sids[$key], $grantingStrategy, (int) $mask, (bool) $granting, (bool) $auditFailure, (bool) $auditSuccess); - } else { - $loadedAces[$aceId] = new FieldEntry((int) $aceId, $acl, $fieldName, $sids[$key], $grantingStrategy, (int) $mask, (bool) $granting, (bool) $auditFailure, (bool) $auditSuccess); - } - } - $ace = $loadedAces[$aceId]; - - // assign ACE to the correct property - if (null === $objectIdentityId) { - if (null === $fieldName) { - $aces[$aclId][0][$aceOrder] = $ace; - } else { - $aces[$aclId][1][$fieldName][$aceOrder] = $ace; - } - } else { - if (null === $fieldName) { - $aces[$aclId][2][$aceOrder] = $ace; - } else { - $aces[$aclId][3][$fieldName][$aceOrder] = $ace; - } - } - } - } - - // We do not sort on database level since we only want certain subsets to be sorted, - // and we are going to read the entire result set anyway. - // Sorting on DB level increases query time by an order of magnitude while it is - // almost negligible when we use PHPs array sort functions. - foreach ($aces as $aclId => $aceData) { - $acl = $acls[$aclId]; - - ksort($aceData[0]); - $aclClassAcesProperty->setValue($acl, $aceData[0]); - - foreach (array_keys($aceData[1]) as $fieldName) { - ksort($aceData[1][$fieldName]); - } - $aclClassFieldAcesProperty->setValue($acl, $aceData[1]); - - ksort($aceData[2]); - $aclObjectAcesProperty->setValue($acl, $aceData[2]); - - foreach (array_keys($aceData[3]) as $fieldName) { - ksort($aceData[3][$fieldName]); - } - $aclObjectFieldAcesProperty->setValue($acl, $aceData[3]); - } - - // fill-in parent ACLs where this hasn't been done yet cause the parent ACL was not - // yet available - $processed = 0; - foreach ($parentIdToFill as $acl) { - $parentId = $parentIdToFill->offsetGet($acl); - - // let's see if we have already hydrated this - if (isset($acls[$parentId])) { - $aclParentAclProperty->setValue($acl, $acls[$parentId]); - ++$processed; - - continue; - } - } - - // reset reflection changes - $aclClassAcesProperty->setAccessible(false); - $aclClassFieldAcesProperty->setAccessible(false); - $aclObjectAcesProperty->setAccessible(false); - $aclObjectFieldAcesProperty->setAccessible(false); - $aclParentAclProperty->setAccessible(false); - - // this should never be true if the database integrity hasn't been compromised - if ($processed < count($parentIdToFill)) { - throw new \RuntimeException('Not all parent ids were populated. This implies an integrity problem.'); - } - - return $result; - } -} diff --git a/Acl/Dbal/MutableAclProvider.php b/Acl/Dbal/MutableAclProvider.php deleted file mode 100644 index bd1976f..0000000 --- a/Acl/Dbal/MutableAclProvider.php +++ /dev/null @@ -1,1034 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Acl\Dbal; - -use Doctrine\Common\PropertyChangedListener; -use Doctrine\DBAL\Connection; -use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity; -use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity; -use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException; -use Symfony\Component\Security\Acl\Exception\ConcurrentModificationException; -use Symfony\Component\Security\Acl\Model\AclCacheInterface; -use Symfony\Component\Security\Acl\Model\AclInterface; -use Symfony\Component\Security\Acl\Model\EntryInterface; -use Symfony\Component\Security\Acl\Model\MutableAclInterface; -use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface; -use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface; -use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface; -use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface; - -/** - * An implementation of the MutableAclProviderInterface using Doctrine DBAL. - * - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - */ -class MutableAclProvider extends AclProvider implements MutableAclProviderInterface, PropertyChangedListener -{ - private $propertyChanges; - - /** - * {@inheritdoc} - */ - public function __construct(Connection $connection, PermissionGrantingStrategyInterface $permissionGrantingStrategy, array $options, AclCacheInterface $cache = null) - { - parent::__construct($connection, $permissionGrantingStrategy, $options, $cache); - - $this->propertyChanges = new \SplObjectStorage(); - } - - /** - * {@inheritdoc} - */ - public function createAcl(ObjectIdentityInterface $oid) - { - if (false !== $this->retrieveObjectIdentityPrimaryKey($oid)) { - $objectName = method_exists($oid, '__toString') ? $oid : get_class($oid); - throw new AclAlreadyExistsException(sprintf('%s is already associated with an ACL.', $objectName)); - } - - $this->connection->beginTransaction(); - try { - $this->createObjectIdentity($oid); - - $pk = $this->retrieveObjectIdentityPrimaryKey($oid); - $this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $pk)); - - $this->connection->commit(); - } catch (\Exception $e) { - $this->connection->rollBack(); - - throw $e; - } - - // re-read the ACL from the database to ensure proper caching, etc. - return $this->findAcl($oid); - } - - /** - * {@inheritdoc} - */ - public function deleteAcl(ObjectIdentityInterface $oid) - { - $this->connection->beginTransaction(); - try { - foreach ($this->findChildren($oid, true) as $childOid) { - $this->deleteAcl($childOid); - } - - $oidPK = $this->retrieveObjectIdentityPrimaryKey($oid); - - $this->deleteAccessControlEntries($oidPK); - $this->deleteObjectIdentityRelations($oidPK); - $this->deleteObjectIdentity($oidPK); - - $this->connection->commit(); - } catch (\Exception $e) { - $this->connection->rollBack(); - - throw $e; - } - - // evict the ACL from the in-memory identity map - if (isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) { - $this->propertyChanges->offsetUnset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]); - unset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]); - } - - // evict the ACL from any caches - if (null !== $this->cache) { - $this->cache->evictFromCacheByIdentity($oid); - } - } - - /** - * Deletes the security identity from the database. - * ACL entries have the CASCADE option on their foreign key so they will also get deleted. - * - * @param SecurityIdentityInterface $sid - * - * @throws \InvalidArgumentException - */ - public function deleteSecurityIdentity(SecurityIdentityInterface $sid) - { - $this->connection->executeQuery($this->getDeleteSecurityIdentityIdSql($sid)); - } - - /** - * {@inheritdoc} - */ - public function findAcls(array $oids, array $sids = array()) - { - $result = parent::findAcls($oids, $sids); - - foreach ($result as $oid) { - $acl = $result->offsetGet($oid); - - if (false === $this->propertyChanges->contains($acl) && $acl instanceof MutableAclInterface) { - $acl->addPropertyChangedListener($this); - $this->propertyChanges->attach($acl, array()); - } - - $parentAcl = $acl->getParentAcl(); - while (null !== $parentAcl) { - if (false === $this->propertyChanges->contains($parentAcl) && $acl instanceof MutableAclInterface) { - $parentAcl->addPropertyChangedListener($this); - $this->propertyChanges->attach($parentAcl, array()); - } - - $parentAcl = $parentAcl->getParentAcl(); - } - } - - return $result; - } - - /** - * Implementation of PropertyChangedListener. - * - * This allows us to keep track of which values have been changed, so we don't - * have to do a full introspection when ->updateAcl() is called. - * - * @param mixed $sender - * @param string $propertyName - * @param mixed $oldValue - * @param mixed $newValue - * - * @throws \InvalidArgumentException - */ - public function propertyChanged($sender, $propertyName, $oldValue, $newValue) - { - if (!$sender instanceof MutableAclInterface && !$sender instanceof EntryInterface) { - throw new \InvalidArgumentException('$sender must be an instance of MutableAclInterface, or EntryInterface.'); - } - - if ($sender instanceof EntryInterface) { - if (null === $sender->getId()) { - return; - } - - $ace = $sender; - $sender = $ace->getAcl(); - } else { - $ace = null; - } - - if (false === $this->propertyChanges->contains($sender)) { - throw new \InvalidArgumentException('$sender is not being tracked by this provider.'); - } - - $propertyChanges = $this->propertyChanges->offsetGet($sender); - if (null === $ace) { - if (isset($propertyChanges[$propertyName])) { - $oldValue = $propertyChanges[$propertyName][0]; - if ($oldValue === $newValue) { - unset($propertyChanges[$propertyName]); - } else { - $propertyChanges[$propertyName] = array($oldValue, $newValue); - } - } else { - $propertyChanges[$propertyName] = array($oldValue, $newValue); - } - } else { - if (!isset($propertyChanges['aces'])) { - $propertyChanges['aces'] = new \SplObjectStorage(); - } - - $acePropertyChanges = $propertyChanges['aces']->contains($ace) ? $propertyChanges['aces']->offsetGet($ace) : array(); - - if (isset($acePropertyChanges[$propertyName])) { - $oldValue = $acePropertyChanges[$propertyName][0]; - if ($oldValue === $newValue) { - unset($acePropertyChanges[$propertyName]); - } else { - $acePropertyChanges[$propertyName] = array($oldValue, $newValue); - } - } else { - $acePropertyChanges[$propertyName] = array($oldValue, $newValue); - } - - if (count($acePropertyChanges) > 0) { - $propertyChanges['aces']->offsetSet($ace, $acePropertyChanges); - } else { - $propertyChanges['aces']->offsetUnset($ace); - - if (0 === count($propertyChanges['aces'])) { - unset($propertyChanges['aces']); - } - } - } - - $this->propertyChanges->offsetSet($sender, $propertyChanges); - } - - /** - * {@inheritdoc} - */ - public function updateAcl(MutableAclInterface $acl) - { - if (!$this->propertyChanges->contains($acl)) { - throw new \InvalidArgumentException('$acl is not tracked by this provider.'); - } - - $propertyChanges = $this->propertyChanges->offsetGet($acl); - // check if any changes were made to this ACL - if (0 === count($propertyChanges)) { - return; - } - - $sets = $sharedPropertyChanges = array(); - - $this->connection->beginTransaction(); - try { - if (isset($propertyChanges['entriesInheriting'])) { - $sets[] = 'entries_inheriting = '.$this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['entriesInheriting'][1]); - } - - if (isset($propertyChanges['parentAcl'])) { - if (null === $propertyChanges['parentAcl'][1]) { - $sets[] = 'parent_object_identity_id = NULL'; - } else { - $sets[] = 'parent_object_identity_id = '.(int) $propertyChanges['parentAcl'][1]->getId(); - } - - $this->regenerateAncestorRelations($acl); - $childAcls = $this->findAcls($this->findChildren($acl->getObjectIdentity(), false)); - foreach ($childAcls as $childOid) { - $this->regenerateAncestorRelations($childAcls[$childOid]); - } - } - - // check properties for deleted, and created ACEs, and perform deletions - // we need to perform deletions before updating existing ACEs, in order to - // preserve uniqueness of the order field - if (isset($propertyChanges['classAces'])) { - $this->updateOldAceProperty('classAces', $propertyChanges['classAces']); - } - if (isset($propertyChanges['classFieldAces'])) { - $this->updateOldFieldAceProperty('classFieldAces', $propertyChanges['classFieldAces']); - } - if (isset($propertyChanges['objectAces'])) { - $this->updateOldAceProperty('objectAces', $propertyChanges['objectAces']); - } - if (isset($propertyChanges['objectFieldAces'])) { - $this->updateOldFieldAceProperty('objectFieldAces', $propertyChanges['objectFieldAces']); - } - - // this includes only updates of existing ACEs, but neither the creation, nor - // the deletion of ACEs; these are tracked by changes to the ACL's respective - // properties (classAces, classFieldAces, objectAces, objectFieldAces) - if (isset($propertyChanges['aces'])) { - $this->updateAces($propertyChanges['aces']); - } - - // check properties for deleted, and created ACEs, and perform creations - if (isset($propertyChanges['classAces'])) { - $this->updateNewAceProperty('classAces', $propertyChanges['classAces']); - $sharedPropertyChanges['classAces'] = $propertyChanges['classAces']; - } - if (isset($propertyChanges['classFieldAces'])) { - $this->updateNewFieldAceProperty('classFieldAces', $propertyChanges['classFieldAces']); - $sharedPropertyChanges['classFieldAces'] = $propertyChanges['classFieldAces']; - } - if (isset($propertyChanges['objectAces'])) { - $this->updateNewAceProperty('objectAces', $propertyChanges['objectAces']); - } - if (isset($propertyChanges['objectFieldAces'])) { - $this->updateNewFieldAceProperty('objectFieldAces', $propertyChanges['objectFieldAces']); - } - - // if there have been changes to shared properties, we need to synchronize other - // ACL instances for object identities of the same type that are already in-memory - if (count($sharedPropertyChanges) > 0) { - $classAcesProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Acl', 'classAces'); - $classAcesProperty->setAccessible(true); - $classFieldAcesProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Acl', 'classFieldAces'); - $classFieldAcesProperty->setAccessible(true); - - foreach ($this->loadedAcls[$acl->getObjectIdentity()->getType()] as $sameTypeAcl) { - if (isset($sharedPropertyChanges['classAces'])) { - if ($acl !== $sameTypeAcl && $classAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classAces'][0]) { - throw new ConcurrentModificationException('The "classAces" property has been modified concurrently.'); - } - - $classAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classAces'][1]); - } - - if (isset($sharedPropertyChanges['classFieldAces'])) { - if ($acl !== $sameTypeAcl && $classFieldAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classFieldAces'][0]) { - throw new ConcurrentModificationException('The "classFieldAces" property has been modified concurrently.'); - } - - $classFieldAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classFieldAces'][1]); - } - } - } - - // persist any changes to the acl_object_identities table - if (count($sets) > 0) { - $this->connection->executeQuery($this->getUpdateObjectIdentitySql($acl->getId(), $sets)); - } - - $this->connection->commit(); - } catch (\Exception $e) { - $this->connection->rollBack(); - - throw $e; - } - - $this->propertyChanges->offsetSet($acl, array()); - - if (null !== $this->cache) { - if (count($sharedPropertyChanges) > 0) { - // FIXME: Currently, there is no easy way to clear the cache for ACLs - // of a certain type. The problem here is that we need to make - // sure to clear the cache of all child ACLs as well, and these - // child ACLs might be of a different class type. - $this->cache->clearCache(); - } else { - // if there are no shared property changes, it's sufficient to just delete - // the cache for this ACL - $this->cache->evictFromCacheByIdentity($acl->getObjectIdentity()); - - foreach ($this->findChildren($acl->getObjectIdentity()) as $childOid) { - $this->cache->evictFromCacheByIdentity($childOid); - } - } - } - } - - /** - * Updates a user security identity when the user's username changes. - * - * @param UserSecurityIdentity $usid - * @param string $oldUsername - */ - public function updateUserSecurityIdentity(UserSecurityIdentity $usid, $oldUsername) - { - $this->connection->executeQuery($this->getUpdateUserSecurityIdentitySql($usid, $oldUsername)); - } - - /** - * Constructs the SQL for deleting access control entries. - * - * @param int $oidPK - * - * @return string - */ - protected function getDeleteAccessControlEntriesSql($oidPK) - { - return sprintf( - 'DELETE FROM %s WHERE object_identity_id = %d', - $this->options['entry_table_name'], - $oidPK - ); - } - - /** - * Constructs the SQL for deleting a specific ACE. - * - * @param int $acePK - * - * @return string - */ - protected function getDeleteAccessControlEntrySql($acePK) - { - return sprintf( - 'DELETE FROM %s WHERE id = %d', - $this->options['entry_table_name'], - $acePK - ); - } - - /** - * Constructs the SQL for deleting an object identity. - * - * @param int $pk - * - * @return string - */ - protected function getDeleteObjectIdentitySql($pk) - { - return sprintf( - 'DELETE FROM %s WHERE id = %d', - $this->options['oid_table_name'], - $pk - ); - } - - /** - * Constructs the SQL for deleting relation entries. - * - * @param int $pk - * - * @return string - */ - protected function getDeleteObjectIdentityRelationsSql($pk) - { - return sprintf( - 'DELETE FROM %s WHERE object_identity_id = %d', - $this->options['oid_ancestors_table_name'], - $pk - ); - } - - /** - * Constructs the SQL for inserting an ACE. - * - * @param int $classId - * @param int|null $objectIdentityId - * @param string|null $field - * @param int $aceOrder - * @param int $securityIdentityId - * @param string $strategy - * @param int $mask - * @param bool $granting - * @param bool $auditSuccess - * @param bool $auditFailure - * - * @return string - */ - protected function getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $aceOrder, $securityIdentityId, $strategy, $mask, $granting, $auditSuccess, $auditFailure) - { - $query = <<<'QUERY' - INSERT INTO %s ( - class_id, - object_identity_id, - field_name, - ace_order, - security_identity_id, - mask, - granting, - granting_strategy, - audit_success, - audit_failure - ) - VALUES (%d, %s, %s, %d, %d, %d, %s, %s, %s, %s) -QUERY; - - return sprintf( - $query, - $this->options['entry_table_name'], - $classId, - null === $objectIdentityId ? 'NULL' : (int) $objectIdentityId, - null === $field ? 'NULL' : $this->connection->quote($field), - $aceOrder, - $securityIdentityId, - $mask, - $this->connection->getDatabasePlatform()->convertBooleans($granting), - $this->connection->quote($strategy), - $this->connection->getDatabasePlatform()->convertBooleans($auditSuccess), - $this->connection->getDatabasePlatform()->convertBooleans($auditFailure) - ); - } - - /** - * Constructs the SQL for inserting a new class type. - * - * @param string $classType - * - * @return string - */ - protected function getInsertClassSql($classType) - { - return sprintf( - 'INSERT INTO %s (class_type) VALUES (%s)', - $this->options['class_table_name'], - $this->connection->quote($classType) - ); - } - - /** - * Constructs the SQL for inserting a relation entry. - * - * @param int $objectIdentityId - * @param int $ancestorId - * - * @return string - */ - protected function getInsertObjectIdentityRelationSql($objectIdentityId, $ancestorId) - { - return sprintf( - 'INSERT INTO %s (object_identity_id, ancestor_id) VALUES (%d, %d)', - $this->options['oid_ancestors_table_name'], - $objectIdentityId, - $ancestorId - ); - } - - /** - * Constructs the SQL for inserting an object identity. - * - * @param string $identifier - * @param int $classId - * @param bool $entriesInheriting - * - * @return string - */ - protected function getInsertObjectIdentitySql($identifier, $classId, $entriesInheriting) - { - $query = <<<'QUERY' - INSERT INTO %s (class_id, object_identifier, entries_inheriting) - VALUES (%d, %s, %s) -QUERY; - - return sprintf( - $query, - $this->options['oid_table_name'], - $classId, - $this->connection->quote($identifier), - $this->connection->getDatabasePlatform()->convertBooleans($entriesInheriting) - ); - } - - /** - * Constructs the SQL for inserting a security identity. - * - * @param SecurityIdentityInterface $sid - * - * @return string - * - * @throws \InvalidArgumentException - */ - protected function getInsertSecurityIdentitySql(SecurityIdentityInterface $sid) - { - if ($sid instanceof UserSecurityIdentity) { - $identifier = $sid->getClass().'-'.$sid->getUsername(); - $username = true; - } elseif ($sid instanceof RoleSecurityIdentity) { - $identifier = $sid->getRole(); - $username = false; - } else { - throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); - } - - return sprintf( - 'INSERT INTO %s (identifier, username) VALUES (%s, %s)', - $this->options['sid_table_name'], - $this->connection->quote($identifier), - $this->connection->getDatabasePlatform()->convertBooleans($username) - ); - } - - /** - * Constructs the SQL for selecting an ACE. - * - * @param int $classId - * @param int $oid - * @param string $field - * @param int $order - * - * @return string - */ - protected function getSelectAccessControlEntryIdSql($classId, $oid, $field, $order) - { - return sprintf( - 'SELECT id FROM %s WHERE class_id = %d AND %s AND %s AND ace_order = %d', - $this->options['entry_table_name'], - $classId, - null === $oid ? - $this->connection->getDatabasePlatform()->getIsNullExpression('object_identity_id') - : 'object_identity_id = '.(int) $oid, - null === $field ? - $this->connection->getDatabasePlatform()->getIsNullExpression('field_name') - : 'field_name = '.$this->connection->quote($field), - $order - ); - } - - /** - * Constructs the SQL for selecting the primary key associated with - * the passed class type. - * - * @param string $classType - * - * @return string - */ - protected function getSelectClassIdSql($classType) - { - return sprintf( - 'SELECT id FROM %s WHERE class_type = %s', - $this->options['class_table_name'], - $this->connection->quote($classType) - ); - } - - /** - * Constructs the SQL for selecting the primary key of a security identity. - * - * @param SecurityIdentityInterface $sid - * - * @return string - * - * @throws \InvalidArgumentException - */ - protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid) - { - if ($sid instanceof UserSecurityIdentity) { - $identifier = $sid->getClass().'-'.$sid->getUsername(); - $username = true; - } elseif ($sid instanceof RoleSecurityIdentity) { - $identifier = $sid->getRole(); - $username = false; - } else { - throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); - } - - return sprintf( - 'SELECT id FROM %s WHERE identifier = %s AND username = %s', - $this->options['sid_table_name'], - $this->connection->quote($identifier), - $this->connection->getDatabasePlatform()->convertBooleans($username) - ); - } - - /** - * Constructs the SQL to delete a security identity. - * - * @param SecurityIdentityInterface $sid - * - * @return string - * - * @throws \InvalidArgumentException - */ - protected function getDeleteSecurityIdentityIdSql(SecurityIdentityInterface $sid) - { - $select = $this->getSelectSecurityIdentityIdSql($sid); - $delete = preg_replace('/^SELECT id FROM/', 'DELETE FROM', $select); - - return $delete; - } - - /** - * Constructs the SQL for updating an object identity. - * - * @param int $pk - * @param array $changes - * - * @return string - * - * @throws \InvalidArgumentException - */ - protected function getUpdateObjectIdentitySql($pk, array $changes) - { - if (0 === count($changes)) { - throw new \InvalidArgumentException('There are no changes.'); - } - - return sprintf( - 'UPDATE %s SET %s WHERE id = %d', - $this->options['oid_table_name'], - implode(', ', $changes), - $pk - ); - } - - /** - * Constructs the SQL for updating a user security identity. - * - * @param UserSecurityIdentity $usid - * @param string $oldUsername - * - * @return string - */ - protected function getUpdateUserSecurityIdentitySql(UserSecurityIdentity $usid, $oldUsername) - { - if ($usid->getUsername() == $oldUsername) { - throw new \InvalidArgumentException('There are no changes.'); - } - - $oldIdentifier = $usid->getClass().'-'.$oldUsername; - $newIdentifier = $usid->getClass().'-'.$usid->getUsername(); - - return sprintf( - 'UPDATE %s SET identifier = %s WHERE identifier = %s AND username = %s', - $this->options['sid_table_name'], - $this->connection->quote($newIdentifier), - $this->connection->quote($oldIdentifier), - $this->connection->getDatabasePlatform()->convertBooleans(true) - ); - } - - /** - * Constructs the SQL for updating an ACE. - * - * @param int $pk - * @param array $sets - * - * @return string - * - * @throws \InvalidArgumentException - */ - protected function getUpdateAccessControlEntrySql($pk, array $sets) - { - if (0 === count($sets)) { - throw new \InvalidArgumentException('There are no changes.'); - } - - return sprintf( - 'UPDATE %s SET %s WHERE id = %d', - $this->options['entry_table_name'], - implode(', ', $sets), - $pk - ); - } - - /** - * Creates the ACL for the passed object identity. - * - * @param ObjectIdentityInterface $oid - */ - private function createObjectIdentity(ObjectIdentityInterface $oid) - { - $classId = $this->createOrRetrieveClassId($oid->getType()); - - $this->connection->executeQuery($this->getInsertObjectIdentitySql($oid->getIdentifier(), $classId, true)); - } - - /** - * Returns the primary key for the passed class type. - * - * If the type does not yet exist in the database, it will be created. - * - * @param string $classType - * - * @return int - */ - private function createOrRetrieveClassId($classType) - { - if (false !== $id = $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchColumn()) { - return $id; - } - - $this->connection->executeQuery($this->getInsertClassSql($classType)); - - return $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchColumn(); - } - - /** - * Returns the primary key for the passed security identity. - * - * If the security identity does not yet exist in the database, it will be - * created. - * - * @param SecurityIdentityInterface $sid - * - * @return int - */ - private function createOrRetrieveSecurityIdentityId(SecurityIdentityInterface $sid) - { - if (false !== $id = $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchColumn()) { - return $id; - } - - $this->connection->executeQuery($this->getInsertSecurityIdentitySql($sid)); - - return $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchColumn(); - } - - /** - * Deletes all ACEs for the given object identity primary key. - * - * @param int $oidPK - */ - private function deleteAccessControlEntries($oidPK) - { - $this->connection->executeQuery($this->getDeleteAccessControlEntriesSql($oidPK)); - } - - /** - * Deletes the object identity from the database. - * - * @param int $pk - */ - private function deleteObjectIdentity($pk) - { - $this->connection->executeQuery($this->getDeleteObjectIdentitySql($pk)); - } - - /** - * Deletes all entries from the relations table from the database. - * - * @param int $pk - */ - private function deleteObjectIdentityRelations($pk) - { - $this->connection->executeQuery($this->getDeleteObjectIdentityRelationsSql($pk)); - } - - /** - * This regenerates the ancestor table which is used for fast read access. - * - * @param AclInterface $acl - */ - private function regenerateAncestorRelations(AclInterface $acl) - { - $pk = $acl->getId(); - $this->connection->executeQuery($this->getDeleteObjectIdentityRelationsSql($pk)); - $this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $pk)); - - $parentAcl = $acl->getParentAcl(); - while (null !== $parentAcl) { - $this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $parentAcl->getId())); - - $parentAcl = $parentAcl->getParentAcl(); - } - } - - /** - * This processes new entries changes on an ACE related property (classFieldAces, or objectFieldAces). - * - * @param string $name - * @param array $changes - */ - private function updateNewFieldAceProperty($name, array $changes) - { - $sids = new \SplObjectStorage(); - $classIds = new \SplObjectStorage(); - foreach ($changes[1] as $field => $new) { - for ($i = 0, $c = count($new); $i < $c; ++$i) { - $ace = $new[$i]; - - if (null === $ace->getId()) { - if ($sids->contains($ace->getSecurityIdentity())) { - $sid = $sids->offsetGet($ace->getSecurityIdentity()); - } else { - $sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity()); - } - - $oid = $ace->getAcl()->getObjectIdentity(); - if ($classIds->contains($oid)) { - $classId = $classIds->offsetGet($oid); - } else { - $classId = $this->createOrRetrieveClassId($oid->getType()); - } - - $objectIdentityId = $name === 'classFieldAces' ? null : $ace->getAcl()->getId(); - - $this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure())); - $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, $field, $i))->fetchColumn(); - $this->loadedAces[$aceId] = $ace; - - $aceIdProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Entry', 'id'); - $aceIdProperty->setAccessible(true); - $aceIdProperty->setValue($ace, (int) $aceId); - } - } - } - } - - /** - * This processes old entries changes on an ACE related property (classFieldAces, or objectFieldAces). - * - * @param string $name - * @param array $changes - */ - private function updateOldFieldAceProperty($name, array $changes) - { - $currentIds = array(); - foreach ($changes[1] as $field => $new) { - for ($i = 0, $c = count($new); $i < $c; ++$i) { - $ace = $new[$i]; - - if (null !== $ace->getId()) { - $currentIds[$ace->getId()] = true; - } - } - } - - foreach ($changes[0] as $old) { - for ($i = 0, $c = count($old); $i < $c; ++$i) { - $ace = $old[$i]; - - if (!isset($currentIds[$ace->getId()])) { - $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId())); - unset($this->loadedAces[$ace->getId()]); - } - } - } - } - - /** - * This processes new entries changes on an ACE related property (classAces, or objectAces). - * - * @param string $name - * @param array $changes - */ - private function updateNewAceProperty($name, array $changes) - { - list(, $new) = $changes; - - $sids = new \SplObjectStorage(); - $classIds = new \SplObjectStorage(); - for ($i = 0, $c = count($new); $i < $c; ++$i) { - $ace = $new[$i]; - - if (null === $ace->getId()) { - if ($sids->contains($ace->getSecurityIdentity())) { - $sid = $sids->offsetGet($ace->getSecurityIdentity()); - } else { - $sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity()); - } - - $oid = $ace->getAcl()->getObjectIdentity(); - if ($classIds->contains($oid)) { - $classId = $classIds->offsetGet($oid); - } else { - $classId = $this->createOrRetrieveClassId($oid->getType()); - } - - $objectIdentityId = $name === 'classAces' ? null : $ace->getAcl()->getId(); - - $this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, null, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure())); - $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, null, $i))->fetchColumn(); - $this->loadedAces[$aceId] = $ace; - - $aceIdProperty = new \ReflectionProperty($ace, 'id'); - $aceIdProperty->setAccessible(true); - $aceIdProperty->setValue($ace, (int) $aceId); - } - } - } - - /** - * This processes old entries changes on an ACE related property (classAces, or objectAces). - * - * @param string $name - * @param array $changes - */ - private function updateOldAceProperty($name, array $changes) - { - list($old, $new) = $changes; - $currentIds = array(); - - for ($i = 0, $c = count($new); $i < $c; ++$i) { - $ace = $new[$i]; - - if (null !== $ace->getId()) { - $currentIds[$ace->getId()] = true; - } - } - - for ($i = 0, $c = count($old); $i < $c; ++$i) { - $ace = $old[$i]; - - if (!isset($currentIds[$ace->getId()])) { - $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId())); - unset($this->loadedAces[$ace->getId()]); - } - } - } - - /** - * Persists the changes which were made to ACEs to the database. - * - * @param \SplObjectStorage $aces - */ - private function updateAces(\SplObjectStorage $aces) - { - foreach ($aces as $ace) { - $this->updateAce($aces, $ace); - } - } - - private function updateAce(\SplObjectStorage $aces, $ace) - { - $propertyChanges = $aces->offsetGet($ace); - $sets = array(); - - if (isset($propertyChanges['aceOrder']) - && $propertyChanges['aceOrder'][1] > $propertyChanges['aceOrder'][0] - && $propertyChanges == $aces->offsetGet($ace)) { - $aces->next(); - if ($aces->valid()) { - $this->updateAce($aces, $aces->current()); - } - } - - if (isset($propertyChanges['mask'])) { - $sets[] = sprintf('mask = %d', $propertyChanges['mask'][1]); - } - if (isset($propertyChanges['strategy'])) { - $sets[] = sprintf('granting_strategy = %s', $this->connection->quote($propertyChanges['strategy'])); - } - if (isset($propertyChanges['aceOrder'])) { - $sets[] = sprintf('ace_order = %d', $propertyChanges['aceOrder'][1]); - } - if (isset($propertyChanges['auditSuccess'])) { - $sets[] = sprintf('audit_success = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditSuccess'][1])); - } - if (isset($propertyChanges['auditFailure'])) { - $sets[] = sprintf('audit_failure = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditFailure'][1])); - } - - $this->connection->executeQuery($this->getUpdateAccessControlEntrySql($ace->getId(), $sets)); - } -} diff --git a/Acl/Dbal/Schema.php b/Acl/Dbal/Schema.php deleted file mode 100644 index ed9327c..0000000 --- a/Acl/Dbal/Schema.php +++ /dev/null @@ -1,154 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Acl\Dbal; - -use Doctrine\DBAL\Schema\Schema as BaseSchema; -use Doctrine\DBAL\Connection; - -/** - * The schema used for the ACL system. - * - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - */ -final class Schema extends BaseSchema -{ - protected $options; - - /** - * Constructor. - * - * @param array $options the names for tables - * @param Connection $connection - */ - public function __construct(array $options, Connection $connection = null) - { - $schemaConfig = null === $connection ? null : $connection->getSchemaManager()->createSchemaConfig(); - - parent::__construct(array(), array(), $schemaConfig); - - $this->options = $options; - - $this->addClassTable(); - $this->addSecurityIdentitiesTable(); - $this->addObjectIdentitiesTable(); - $this->addObjectIdentityAncestorsTable(); - $this->addEntryTable(); - } - - /** - * Merges ACL schema with the given schema. - * - * @param BaseSchema $schema - */ - public function addToSchema(BaseSchema $schema) - { - foreach ($this->getTables() as $table) { - $schema->_addTable($table); - } - - foreach ($this->getSequences() as $sequence) { - $schema->_addSequence($sequence); - } - } - - /** - * Adds the class table to the schema. - */ - protected function addClassTable() - { - $table = $this->createTable($this->options['class_table_name']); - $table->addColumn('id', 'integer', array('unsigned' => true, 'autoincrement' => 'auto')); - $table->addColumn('class_type', 'string', array('length' => 200)); - $table->setPrimaryKey(array('id')); - $table->addUniqueIndex(array('class_type')); - } - - /** - * Adds the entry table to the schema. - */ - protected function addEntryTable() - { - $table = $this->createTable($this->options['entry_table_name']); - - $table->addColumn('id', 'integer', array('unsigned' => true, 'autoincrement' => 'auto')); - $table->addColumn('class_id', 'integer', array('unsigned' => true)); - $table->addColumn('object_identity_id', 'integer', array('unsigned' => true, 'notnull' => false)); - $table->addColumn('field_name', 'string', array('length' => 50, 'notnull' => false)); - $table->addColumn('ace_order', 'smallint', array('unsigned' => true)); - $table->addColumn('security_identity_id', 'integer', array('unsigned' => true)); - $table->addColumn('mask', 'integer'); - $table->addColumn('granting', 'boolean'); - $table->addColumn('granting_strategy', 'string', array('length' => 30)); - $table->addColumn('audit_success', 'boolean'); - $table->addColumn('audit_failure', 'boolean'); - - $table->setPrimaryKey(array('id')); - $table->addUniqueIndex(array('class_id', 'object_identity_id', 'field_name', 'ace_order')); - $table->addIndex(array('class_id', 'object_identity_id', 'security_identity_id')); - - $table->addForeignKeyConstraint($this->getTable($this->options['class_table_name']), array('class_id'), array('id'), array('onDelete' => 'CASCADE', 'onUpdate' => 'CASCADE')); - $table->addForeignKeyConstraint($this->getTable($this->options['oid_table_name']), array('object_identity_id'), array('id'), array('onDelete' => 'CASCADE', 'onUpdate' => 'CASCADE')); - $table->addForeignKeyConstraint($this->getTable($this->options['sid_table_name']), array('security_identity_id'), array('id'), array('onDelete' => 'CASCADE', 'onUpdate' => 'CASCADE')); - } - - /** - * Adds the object identity table to the schema. - */ - protected function addObjectIdentitiesTable() - { - $table = $this->createTable($this->options['oid_table_name']); - - $table->addColumn('id', 'integer', array('unsigned' => true, 'autoincrement' => 'auto')); - $table->addColumn('class_id', 'integer', array('unsigned' => true)); - $table->addColumn('object_identifier', 'string', array('length' => 100)); - $table->addColumn('parent_object_identity_id', 'integer', array('unsigned' => true, 'notnull' => false)); - $table->addColumn('entries_inheriting', 'boolean'); - - $table->setPrimaryKey(array('id')); - $table->addUniqueIndex(array('object_identifier', 'class_id')); - $table->addIndex(array('parent_object_identity_id')); - - $table->addForeignKeyConstraint($table, array('parent_object_identity_id'), array('id')); - } - - /** - * Adds the object identity relation table to the schema. - */ - protected function addObjectIdentityAncestorsTable() - { - $table = $this->createTable($this->options['oid_ancestors_table_name']); - - $table->addColumn('object_identity_id', 'integer', array('unsigned' => true)); - $table->addColumn('ancestor_id', 'integer', array('unsigned' => true)); - - $table->setPrimaryKey(array('object_identity_id', 'ancestor_id')); - - $oidTable = $this->getTable($this->options['oid_table_name']); - $table->addForeignKeyConstraint($oidTable, array('object_identity_id'), array('id'), array('onDelete' => 'CASCADE', 'onUpdate' => 'CASCADE')); - $table->addForeignKeyConstraint($oidTable, array('ancestor_id'), array('id'), array('onDelete' => 'CASCADE', 'onUpdate' => 'CASCADE')); - } - - /** - * Adds the security identity table to the schema. - */ - protected function addSecurityIdentitiesTable() - { - $table = $this->createTable($this->options['sid_table_name']); - - $table->addColumn('id', 'integer', array('unsigned' => true, 'autoincrement' => 'auto')); - $table->addColumn('identifier', 'string', array('length' => 200)); - $table->addColumn('username', 'boolean'); - - $table->setPrimaryKey(array('id')); - $table->addUniqueIndex(array('identifier', 'username')); - } -} |