add class-scope ACL to object to allow custom ACL inheritance + updated setup-acl command

Admin/Admin.php

@@ -517,7 +517,7 @@ abstract class Admin implements AdminInterface, DomainObjectInterface
         $this->prePersist($object);
         $this->getModelManager()->create($object);
         $this->postPersist($object);
-        $this->createObjectOwner($object);
+        $this->createObjectSecurity($object);
     }
 
     public function delete($object)
@@ -525,6 +525,7 @@ abstract class Admin implements AdminInterface, DomainObjectInterface
         $this->preRemove($object);
         $this->getModelManager()->delete($object);
         $this->postRemove($object);
+        $this->getSecurityHandler()->deleteObjectSecurity($this, $object);
     }
 
     public function preUpdate($object)
@@ -2097,7 +2098,7 @@ abstract class Admin implements AdminInterface, DomainObjectInterface
     /**
      * Return the roles and permissions per role
      * - different permissions per role for the acl handler
-     * - one permission that has the same name as the role for the role handler 
+     * - one permission that has the same name as the role for the role handler
      * This should be used by experimented users
      *
      * @return array [role] => array([permission], [permission])
@@ -2140,13 +2141,13 @@ abstract class Admin implements AdminInterface, DomainObjectInterface
     }
 
     /**
-     * Create security object owner
+     * Add object security, fe. make the current user owner of the object
      *
      * @param $object
      */
-    public function createObjectOwner($object)
+    public function createObjectSecurity($object)
     {
-        $this->getSecurityHandler()->createObjectOwner($this, $object);
+        $this->getSecurityHandler()->createObjectSecurity($this, $object);
     }
 
     /**

Admin/AdminInterface.php

@@ -397,5 +397,5 @@ interface AdminInterface
 
     function showIn($context);
 
-    function createObjectOwner($object);
+    function createObjectSecurity($object);
 }

Command/SetupAclCommand.php

@@ -12,6 +12,8 @@
 namespace Sonata\AdminBundle\Command;
 
 
+use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
+
 use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputOption;
@@ -21,10 +23,12 @@ use Symfony\Component\Console\Output\Output;
 
 use Symfony\Component\Security\Acl\Model\AclInterface;
 use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
-use Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder;
 use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException;
 use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
 use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
+
+use Sonata\AdminBundle\Admin\AdminInterface;
+use Sonata\AdminBundle\Security\Handler\SecurityHandlerInterface;
 use Sonata\AdminBundle\Security\Handler\AclSecurityHandler;
 
 class SetupAclCommand extends ContainerAwareCommand
@@ -41,9 +45,7 @@ class SetupAclCommand extends ContainerAwareCommand
 
         $output->writeln('Starting ACL AdminBundle configuration');
 
-        $builder = new MaskBuilder();
         foreach ($this->getContainer()->get('sonata.admin.pool')->getAdminServiceIds() as $id) {
-            $output->writeln(sprintf(' > install ACL for %s', $id));
 
             try {
                 $admin = $this->getContainer()->get($id);
@@ -60,32 +62,24 @@ class SetupAclCommand extends ContainerAwareCommand
             }
 
             $objectIdentity = ObjectIdentity::fromDomainObject($admin);
+            $newAcl = false;
             try {
                 $acl = $aclProvider->findAcl($objectIdentity);
             } catch(AclNotFoundException $e) {
                 $acl = $aclProvider->createAcl($objectIdentity);
+                $newAcl = true;
             }
 
-            // create admin ACL, fe.
-            // Comment admin ACL
-            $this->configureACL($output, $acl, $builder, $securityHandler->buildSecurityInformation($admin));
-
-            $aclProvider->updateAcl($acl);
-        }
-    }
+            // create admin ACL
+            $output->writeln(sprintf(' > install ACL for %s', $id));
+            $configResult = $securityHandler->addAdminClassAces($acl, $securityHandler->buildSecurityInformation($admin), $output);
 
-    public function configureACL(OutputInterface $output, AclInterface $acl, MaskBuilder $builder, array $aclInformations = array())
-    {
-        foreach ($aclInformations as $role => $permissions) {
-            foreach ($permissions as $permission) {
-                $builder->add($permission);
+            if ($configResult) {
+                $aclProvider->updateAcl($acl);
+            } elseif ($aclProvider instanceof MutableAclProviderInterface) {
+                $output->writeln(sprintf('   - %s , no roles and permissions found', ($newAcl ? 'skip' : 'removed')));
+                $aclProvider->deleteAcl($objectIdentity);
             }
-
-            $acl->insertClassAce(new RoleSecurityIdentity($role), $builder->get());
-
-            $output->writeln(sprintf('   - add role: %s, permissions: %s', $role, json_encode($permissions)));
-
-            $builder->reset();
         }
     }
 }

DependencyInjection/Configuration.php

@@ -56,7 +56,11 @@ class Configuration implements ConfigurationInterface
                             ->end()
                         ->end()
                         ->arrayNode('admin_permissions')
-                            ->defaultValue(array('CREATE', 'LIST'))
+                            ->defaultValue(array('CREATE', 'LIST', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER'))
+                            ->prototype('scalar')->end()
+                        ->end()
+                        ->arrayNode('object_permissions')
+                            ->defaultValue(array('VIEW', 'EDIT', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER', 'OWNER'))
                             ->prototype('scalar')->end()
                         ->end()
                     ->end()

DependencyInjection/SonataAdminExtension.php

@@ -92,6 +92,7 @@ class SonataAdminExtension extends Extension
                 break;
             case 'sonata.admin.security.handler.acl':
                 $container->setParameter('sonata.admin.configuration.security.admin_permissions', $config['security']['admin_permissions']);
+                $container->setParameter('sonata.admin.configuration.security.object_permissions', $config['security']['object_permissions']);
                 $loader->load('security_acl.xml');
 
                 if (count($config['security']['information']) === 0) {

Resources/config/security_acl.xml

@@ -6,17 +6,22 @@
 
     <parameters>
         <parameter key="sonata.admin.security.handler.acl.class" >Sonata\AdminBundle\Security\Handler\AclSecurityHandler</parameter>
+        <parameter key="sonata.admin.security.mask.builder.class" >Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder</parameter>
     </parameters>
 
     <services>
         <service id="sonata.admin.security.handler.acl" class="%sonata.admin.security.handler.acl.class%">
             <argument type="service" id="security.context" on-invalid="null" />
             <argument type="service" id="security.acl.provider" on-invalid="null" />
+            <argument>%sonata.admin.security.mask.builder.class%</argument>
             <argument type="collection">
                 <argument>ROLE_SUPER_ADMIN</argument>
             </argument>
             <call method="setAdminPermissions">
                 <argument>%sonata.admin.configuration.security.admin_permissions%</argument>
+            </call>
+            <call method="setObjectPermissions">
+                <argument>%sonata.admin.configuration.security.object_permissions%</argument>
             </call>            
         </service>
     </services>    

Security/Handler/AclSecurityHandler.php

@@ -11,13 +11,15 @@
 
 namespace Sonata\AdminBundle\Security\Handler;
 
+use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
+
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Acl\Model\AclProviderInterface;
 use Symfony\Component\Security\Acl\Model\AclInterface;
 use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
 use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
-use Symfony\Component\Security\Acl\Permission\MaskBuilder;
+use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
 use Sonata\AdminBundle\Admin\AdminInterface;
 
 class AclSecurityHandler implements SecurityHandlerInterface
@@ -26,15 +28,20 @@ class AclSecurityHandler implements SecurityHandlerInterface
     protected $aclProvider;
     protected $superAdminRoles;
     protected $adminPermissions;
+    protected $objectPermissions;
+    protected $maskBuilderClass;
 
     /**
-     * @param \Symfony\Component\Security\Core\SecurityContextInterface $securityContext
+     * @param SecurityContextInterface $securityContext
+     * @param AclProviderInterface $aclProvider
+     * @param string $maskBuilderClass
      * @param array $superAdminRoles
      */
-    public function __construct(SecurityContextInterface $securityContext, AclProviderInterface $aclProvider, array $superAdminRoles)
+    public function __construct(SecurityContextInterface $securityContext, AclProviderInterface $aclProvider, $maskBuilderClass, array $superAdminRoles)
     {
         $this->securityContext = $securityContext;
         $this->aclProvider = $aclProvider;
+        $this->maskBuilderClass = $maskBuilderClass;
         $this->superAdminRoles = $superAdminRoles;
     }
 
@@ -58,6 +65,26 @@ class AclSecurityHandler implements SecurityHandlerInterface
         return $this->adminPermissions;
     }
 
+    /**
+     * Set the permissions related to an object instance
+     *
+     * @param array $permissions
+     */
+    public function setObjectPermissions(array $permissions)
+    {
+        $this->objectPermissions = $permissions;
+    }
+
+    /**
+     * Return the permissions related to an object instance
+     *
+     * @return array
+     */
+    public function getObjectPermissions()
+    {
+        return $this->objectPermissions;
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -102,48 +129,222 @@ class AclSecurityHandler implements SecurityHandlerInterface
     /**
      * {@inheritDoc}
      */
-    public function createObjectOwner(AdminInterface $admin, $object)
+    public function createObjectSecurity(AdminInterface $admin, $object)
     {
-        $acl = $this->getNewObjectOwnerAcl($admin, $object);
+        $acl = $this->getNewObjectOwnerAcl($object);
+        $this->addObjectClassAces($acl, $this->buildSecurityInformation($admin));
         $this->updateAcl($acl);
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public function deleteObjectSecurity(AdminInterface $admin, $object)
+    {
+        $objectIdentity = ObjectIdentity::fromDomainObject($object);
+        if (!is_null($acl = $this->getObjectAcl($objectIdentity)))
+        {
+            $this->deleteAcl($acl);
+        }
+    }
+
+    /**
+     * Get the ACL for the object
+     *
+     * @param ObjectIdentityInterface $objectIdentity
+     * @return \Symfony\Component\Security\Acl\Model\AclInterface
+     */
+    public function getObjectAcl(ObjectIdentityInterface $objectIdentity)
+    {
+        try {
+            $acl = $aclProvider->findAcl($objectIdentity);
+        } catch(AclNotFoundException $e) {
+            return null;
+        }
+
+        return $acl;
+    }
+
     /**
      * Get a new ACL with an object ACE where the currently logged in user is set as owner
      *
-     * @param AdminInterface $admin
      * @param object $object
      * @return Symfony\Component\Security\Acl\Model\AclInterface
      */
-    public function getNewObjectOwnerAcl(AdminInterface $admin, $object)
+    public function getNewObjectOwnerAcl($object)
     {
-        // creating the ACL, fe.
-        // Comment 1 ACL
+        // creating the object ACL, fe. Comment 1 ACL
         $objectIdentity = ObjectIdentity::fromDomainObject($object);
         $acl = $this->aclProvider->createAcl($objectIdentity);
 
-        // inherit class ACE's from the admin ACL, fe.
-        // Comment admin ACL
-        //  - Comment 1 ACL
-        $parentOid = ObjectIdentity::fromDomainObject($admin);
-        $parentAcl = $this->aclProvider->findAcl($parentOid);
-        $acl->setParentAcl($parentAcl);
-
         // retrieving the security identity of the currently logged-in user
         $user = $this->securityContext->getToken()->getUser();
         $securityIdentity = UserSecurityIdentity::fromAccount($user);
 
         // grant owner access
-        $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
+        $this->addObjectOwnwer($acl, $securityIdentity);
 
         return $acl;
     }
 
+    /**
+     * Add an object owner ACE to the object ACL
+     *
+     * @param AclInterface $acl
+     * @param UserSecurityIdentity $securityIdentity
+     */
+    public function addObjectOwnwer(AclInterface $acl, UserSecurityIdentity $securityIdentity = null)
+    {
+        if (false === $this->findClassAceIndexByUsername($acl, $securityIdentity->getUsername())) {
+            // only add if not already exists
+            $acl->insertObjectAce($securityIdentity, constant("$this->maskBuilderClass::MASK_OWNER"));
+        }
+    }
+
+    /**
+     * Add the object class ACE's to the object ACL
+     *
+     * @param AclInterface $acl
+     * @param array $roleInformation
+     * @return void
+     */
+    public function addObjectClassAces(AclInterface $acl, array $roleInformation = array())
+    {
+        $builder = new $this->maskBuilderClass();
+
+        foreach ($roleInformation as $role => $permissions) {
+            $aceIndex = $this->findClassAceIndexByRole($acl, $role);
+            $hasRole = false;
+
+            foreach ($permissions as $permission) {
+                // add only the object permissions
+                if (in_array($permission, $this->getObjectPermissions())) {
+                    $builder->add($permission);
+                    $hasRole = true;
+                }
+            }
+
+            if ($hasRole) {
+                if ($aceIndex === false) {
+                    $acl->insertClassAce(new RoleSecurityIdentity($role), $builder->get());
+                } else {
+                    $acl->updateClassAce($aceIndex, $builder->get());
+                }
+
+                $builder->reset();
+            } elseif ($aceIndex !== false) {
+                $acl->deleteClassAce($aceIndex);
+            }
+        }
+    }
+
+    /**
+     * Add the class ACE's to the admin ACL
+     *
+     * @param AclInterface $acl
+     * @param array $roleInformation
+     * @param Symfony\Component\Console\Output\OutputInterface $output
+     * @return boolean TRUE if admin class ACEs are added, FALSE if not
+     */
+    public function addAdminClassAces(AclInterface $acl, array $roleInformation = array(), \Symfony\Component\Console\Output\OutputInterface $output = null)
+    {
+        if (count($this->getAdminPermissions()) > 0 ) {
+            $builder = new $this->maskBuilderClass();
+
+            foreach ($roleInformation as $role => $permissions) {
+                $aceIndex = $this->findClassAceIndexByRole($acl, $role);
+                $roleAdminPermissions = array();
+
+                foreach ($permissions as $permission) {
+                    // add only the admin permissions
+                    if (in_array($permission, $this->getAdminPermissions())) {
+                        $builder->add($permission);
+                        $roleAdminPermissions[] = $permission;
+                    }
+                }
+
+                if (count($roleAdminPermissions) > 0) {
+                    if ($aceIndex === false) {
+                        $acl->insertClassAce(new RoleSecurityIdentity($role), $builder->get());
+                        $action = 'add';
+                    } else {
+                        $acl->updateClassAce($aceIndex, $builder->get());
+                        $action = 'update';
+                    }
+
+                    if (!is_null($output)) {
+                        $output->writeln(sprintf('   - %s role: %s, permissions: %s', $action, $role, json_encode($roleAdminPermissions)));
+                    }
+
+                    $builder->reset();
+                } elseif ($aceIndex !== false) {
+                    $acl->deleteClassAce($aceIndex);
+
+                    if (!is_null($output)) {
+                        $output->writeln(sprintf('   - remove role: %s', $action, $role));
+                    }
+                }
+            }
+
+            return true;
+        } else {
+            return false;
+        }
+    }
+
     /**
      * Update the ACL
+     *
+     * @param AclInterface $acl
+     * @return void
      */
     public function updateAcl(AclInterface $acl)
     {
         $this->aclProvider->updateAcl($acl);
     }
+
+    /**
+     * Delete the ACL
+     *
+     * @param AclInterface $acl
+     * @return void
+     */
+    public function deleteAcl(AclInterface $acl)
+    {
+        $this->aclProvider->deleteAcl($acl);
+    }
+
+    /**
+     * Helper method to find the index of a class ACE for a role
+     *
+     * @param AclInterface $acl
+     * @param string $role
+     */
+    protected function findClassAceIndexByRole(AclInterface $acl, $role)
+    {
+        foreach ($acl->getClassAces() as $index => $entry) {
+            if ($entry->getSecurityIdentity() instanceof RoleSecurityIdentity && $entry->getSecurityIdentity()->getRole() === $role) {
+                return $index;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Helper method to find the index of a class ACE for a username
+     *
+     * @param AclInterface $acl
+     * @param string $username
+     */
+    protected function findClassAceIndexByUsername(AclInterface $acl, $username)
+    {
+        foreach ($acl->getClassAces() as $index => $entry) {
+            if ($entry->getSecurityIdentity() instanceof UserSecurityIdentity && $entry->getSecurityIdentity()->getUsername() === $username) {
+                return $index;
+            }
+        }
+
+        return false;
+    }
 }

Security/Handler/NoopSecurityHandler.php

@@ -42,7 +42,14 @@ class NoopSecurityHandler implements SecurityHandlerInterface
     /**
      * {@inheritDoc}
      */
-    public function createObjectOwner(AdminInterface $admin, $object)
+    public function createObjectSecurity(AdminInterface $admin, $object)
+    {
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function deleteObjectSecurity(AdminInterface $admin, $object)
     {
     }
 }

Security/Handler/RoleSecurityHandler.php

@@ -60,7 +60,7 @@ class RoleSecurityHandler implements SecurityHandlerInterface
     {
         return 'ROLE_'.str_replace('.', '_', strtoupper($admin->getCode())).'_%s';
     }
-    
+
     /**
      * {@inheritDoc}
      */
@@ -68,11 +68,18 @@ class RoleSecurityHandler implements SecurityHandlerInterface
     {
         return array();
     }
-    
+
+    /**
+     * {@inheritDoc}
+     */
+    public function createObjectSecurity(AdminInterface $admin, $object)
+    {
+    }
+
     /**
      * {@inheritDoc}
      */
-    public function createObjectOwner(AdminInterface $admin, $object)
+    public function deleteObjectSecurity(AdminInterface $admin, $object)
     {
     }
 }

Security/Handler/SecurityHandlerInterface.php

@@ -40,12 +40,22 @@ interface SecurityHandlerInterface
     function buildSecurityInformation(AdminInterface $admin);
 
     /**
-     * Make the current user owner of the object
+     * Create object security, fe. make the current user owner of the object
      *
      * @abstract
      * @param \Sonata\AdminBundle\Admin\AdminInterface $admin
      * @param object $object
      * @return void
      */
-    function createObjectOwner(AdminInterface $admin, $object);
+    function createObjectSecurity(AdminInterface $admin, $object);
+
+    /**
+     * Remove object security
+     *
+     * @abstract
+     * @param \Sonata\AdminBundle\Admin\AdminInterface $admin
+     * @param object $object
+     * @return void
+     */
+    function deleteObjectSecurity(AdminInterface $admin, $object);
 }