[SecurityBundle] added acl:set command #9990
Conversation
| @@ -70,6 +70,7 @@ | |||
| "doctrine/data-fixtures": "1.0.*", | |||
| "doctrine/dbal": "~2.2", | |||
| "doctrine/orm": "~2.2,>=2.2.3", | |||
| "doctrine/doctrine-bundle": "~1.2", | |||
There was a problem hiding this comment.
A soft dependency could be better.
You can play with class_exist and Command::IsEnable method
There was a problem hiding this comment.
@lyrixx doctrine-bundle is only needed to run the tests. It's a require-dev dependency.
Making it a soft dependency is awkward because all functional tests on the ACL system will be skipped by default.
If someone clone the repository, start hacking, run phpunit and make a PR, he can silently broke the ACL system.
It will also require tweaking .travis.yml (to make Travis install doctrine-bundle before running the tests) and update the doc to explain that tests should be run with doctrine-bundle installed.
If it's really annoying to have doctrine-bundle as a development dependency, I prefer registering the DBAL connection directly in the test app's kernel.
There was a problem hiding this comment.
Let me know which solution is better.
There was a problem hiding this comment.
Sorry. I did not see it was a dev deps ;)
|
If any, could you please describe risks or security implications that might result from the ability to set the ACL directly from the command line? |
|
@ErichHartmann I think there is no specific security risk or implication for this command. If an attacker get a shell on your server, it's over. Even without this command. He can access to database's credentials through |
|
Is this PR ready to be merged? Can I start working on the PR in the doc? |
| <info>php %command.full_name%</info> | ||
|
|
||
| The ACL system must have been initialized with the <info>init:acl</info> command. | ||
| EOF |
There was a problem hiding this comment.
The Help should be expanded to explain the main use cases (probably using the defined options).
|
@dunglas There is no need to document the command in the docs, but the help message should be expanded instead. |
|
the |
| ->addOption('security-class', 'sc', InputOption::VALUE_OPTIONAL, 'The user security class') | ||
| ->addOption('security-username', 'su', InputOption::VALUE_OPTIONAL | InputOption::VALUE_IS_ARRAY, 'The user security username') | ||
| ->addOption('role', 'r', InputOption::VALUE_OPTIONAL | InputOption::VALUE_IS_ARRAY, 'A list of roles') | ||
| ->addOption('class-scope', 'cs', InputOption::VALUE_OPTIONAL, 'Use class-scope entries', false) |
This PR was submitted for the 2.3-dev branch but it was merged into the 2.3 branch instead (closes #10497). Discussion ---------- [SecurityBundle] Fixed doc of InitAclCommand | Q | A | ------------- | --- | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | no | License | MIT | Doc PR | n/a Use {@inheritdoc}. Consistency with #9990 (diff). Commits ------- aa49009 [SecurityBundle] Fixed doc of InitAclCommand
| ) | ||
| ->addArgument('object-class', InputArgument::REQUIRED, 'The object class name') | ||
| ->addOption('object-id', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'The object ID') | ||
| ->addOption('security-class', null, InputOption::VALUE_OPTIONAL, 'The user security class') |
There was a problem hiding this comment.
VALUE_OPTIONAL means that you don't need to pass a value when using this option, so --security-class is valid; which looks wrong to me. Again, any required value should probably be an argument and not an option.
There was a problem hiding this comment.
This is not required to pass a security class. You must pass at least a security class and a security username OR a role.
This is checked lines 104 to 108.
There was a problem hiding this comment.
But when using the --security-class, you must pass a class name, right? If that's the case, you must use VALUE_REQUIRED. VALUE_OPTIONAL means that the value for the option is optional, not the option itself. An option is always optional by definition.
There was a problem hiding this comment.
Ok I got it. For required values, how to handle several arrays as arguments?
Object IDs and permissions are required and are arrays.
Should I use an argument for one of them (which) and leave the other as a (required) option?
|
Fixed options types. |
| protected function execute(InputInterface $input, OutputInterface $output) | ||
| { | ||
| $objectClassName = strtr($input->getArgument('object-class'), '/', '\\'); | ||
| $objectIds = $input->getOption('object-id'); |
There was a problem hiding this comment.
What if the user did not provide a --object-id option? You're going to get null here. That's why I said that all required information must be managed via arguments, not options. To avoid getting too many of them, you can maybe have some conventions like class:id.
|
@fabpot use arguments when required. Simplified and enhanced CLI. |
|
Looks good to me for 2.6. Thanks. |
| return false; | ||
| } | ||
|
|
||
| $router = $this->getContainer()->get('security.acl.provider'); |
|
Renamed weird variable. |
|
Thank you @dunglas. |
This PR was merged into the 2.6-dev branch. Discussion ---------- [SecurityBundle] added acl:set command | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | no | License | MIT | Doc PR | n/a This new command allows to set ACL directly from the command line. This useful to quickly set up an environment and for debugging / maintenance purpose. This PR also includes a functional test system for the ACL component. As an example, it is used to test the `acl:set` command. The provided entity class is not mandatory (tests will still be green without it) but can be useful to test other ACL related things. I can remove it if necessary. The instantiation of the `MaskBuilder` object is done in a separate method to be easily overridable to use a custom one (e.g. the SonataAdmin one). Commits ------- a702124 [SecurityBundle] added acl:set command
|
|
||
| To set permissions at the class scope, use the <info>--class-scope</info> option: | ||
|
|
||
| <info>php %command.full_name% --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42</info> |
There was a problem hiding this comment.
Hi @dunglas, I'm redacting a "New in Symfony 2.6" blog post about the new acl:set and I wonder if this help message is correct. If you are using the --class-scope, you are granting access to all the objects of the same class, so the trailing object id (42 in this case) should be removed, right?
Original help message:
<info>php %command.full_name% --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42</info>
Proposed help message:
<info>php %command.full_name% --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass</info>
There was a problem hiding this comment.
Hi @javiereguiluz. This help message is correct. It should not be modified. This how the underlying ACL system works (and I agree that this is far from perfect).
The class scope can be set only is you precise an object identity (otherwise an error will be thrown). Technically, it will not grant access to all objects of the same class but only to all objects of this class present in the ACL table.
e.g:
- You have three objects: Untitled #1, Renaming "Entities" to "Entity" #2 and Untitled #3.
- ACL are initialized for Untitled #1 and Untitled #3 but not for Renaming "Entities" to "Entity" #2.
- You grant access to an user with the class scope.
- Access will be granted for Untitled #1 and Untitled #3 but not for Renaming "Entities" to "Entity" #2.
There was a problem hiding this comment.
@dunglas thanks for your reply. I now understand that everything is correct. However, I find this behavior amazingly counterintuitive. Moreover, in the scopes for access control entries section of the documentation it says:
Class-Scope: These entries apply to all objects with the same class.
This is quite different from what you have said. @wouterj don't you think that the documentation should better explain this strange behavior?
|
This also should get documented in |
This new command allows to set ACL directly from the command line. This useful to quickly set up an environment and for debugging / maintenance purpose.
This PR also includes a functional test system for the ACL component. As an example, it is used to test the
acl:setcommand.The provided entity class is not mandatory (tests will still be green without it) but can be useful to test other ACL related things. I can remove it if necessary.
The instantiation of the
MaskBuilderobject is done in a separate method to be easily overridable to use a custom one (e.g. the SonataAdmin one).