Codestin Search App

dunglas · 2014-01-10T01:20:02Z

Q	A
Bug fix?	no
New feature?	yes
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets	no
License	MIT
Doc PR	n/a

This new command allows to set ACL directly from the command line. This useful to quickly set up an environment and for debugging / maintenance purpose.

This PR also includes a functional test system for the ACL component. As an example, it is used to test the acl:set command.
The provided entity class is not mandatory (tests will still be green without it) but can be useful to test other ACL related things. I can remove it if necessary.

The instantiation of the MaskBuilder object is done in a separate method to be easily overridable to use a custom one (e.g. the SonataAdmin one).

lyrixx · 2014-01-12T14:49:27Z

A soft dependency could be better.

You can play with class_exist and Command::IsEnable method

@lyrixx doctrine-bundle is only needed to run the tests. It's a require-dev dependency.
Making it a soft dependency is awkward because all functional tests on the ACL system will be skipped by default.
If someone clone the repository, start hacking, run phpunit and make a PR, he can silently broke the ACL system.

It will also require tweaking .travis.yml (to make Travis install doctrine-bundle before running the tests) and update the doc to explain that tests should be run with doctrine-bundle installed.

If it's really annoying to have doctrine-bundle as a development dependency, I prefer registering the DBAL connection directly in the test app's kernel.

Let me know which solution is better.

Sorry. I did not see it was a dev deps ;)

You're welcome.

ErichHartmann · 2014-01-16T19:17:05Z

If any, could you please describe risks or security implications that might result from the ability to set the ACL directly from the command line?

dunglas · 2014-01-16T19:55:27Z

@ErichHartmann I think there is no specific security risk or implication for this command. If an attacker get a shell on your server, it's over. Even without this command.

He can access to database's credentials through app/config/parameters.yml, run any SQL query (including an ACL related one) with doctrine:query:sql, run arbitrary PHP code with php -a and do even worse with the shell itself (rm -Rf /).

dunglas · 2014-02-11T09:49:59Z

Is this PR ready to be merged? Can I start working on the PR in the doc?

fabpot · 2014-03-03T17:35:09Z

The Help should be expanded to explain the main use cases (probably using the defined options).

fabpot · 2014-03-03T17:38:15Z

@dunglas There is no need to document the command in the docs, but the help message should be expanded instead.

stof · 2014-03-04T21:08:52Z

the isEnabled method should be overwritten so that the command is available only when the ACL system is enabled. See the router:debug command for an example of usage

stof · 2014-03-04T21:10:18Z

This should be VALUE_NONE IMO

dunglas · 2014-03-04T22:35:18Z

@fabpot @stof thanks for the review. I'll be very busy next week but I'll make needed changes when I'll be back.

dunglas · 2014-03-19T20:40:11Z

@fabpot @stof Fixed reported issues and added the ability to use / as a namespace delimiter. Added a more precise (but still rude) help message.

@inheritdoc

This PR was submitted for the 2.3-dev branch but it was merged into the 2.3 branch instead (closes #10497). Discussion ---------- [SecurityBundle] Fixed doc of InitAclCommand | Q | A | ------------- | --- | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | no | License | MIT | Doc PR | n/a Use {@inheritdoc}. Consistency with #9990 (diff). Commits ------- aa49009 [SecurityBundle] Fixed doc of InitAclCommand

fabpot · 2014-03-26T09:24:30Z

VALUE_OPTIONAL means that you don't need to pass a value when using this option, so --security-class is valid; which looks wrong to me. Again, any required value should probably be an argument and not an option.

This is not required to pass a security class. You must pass at least a security class and a security username OR a role.

This is checked lines 104 to 108.

But when using the --security-class, you must pass a class name, right? If that's the case, you must use VALUE_REQUIRED. VALUE_OPTIONAL means that the value for the option is optional, not the option itself. An option is always optional by definition.

Ok I got it. For required values, how to handle several arrays as arguments?
Object IDs and permissions are required and are arrays.

Should I use an argument for one of them (which) and leave the other as a (required) option?

dunglas · 2014-04-09T22:18:23Z

Fixed options types.

fabpot · 2014-04-15T20:42:43Z

What if the user did not provide a --object-id option? You're going to get null here. That's why I said that all required information must be managed via arguments, not options. To avoid getting too many of them, you can maybe have some conventions like class:id.

dunglas · 2014-04-21T12:33:08Z

@fabpot use arguments when required. Simplified and enhanced CLI.

fabpot · 2014-04-22T07:26:25Z

Looks good to me for 2.6. Thanks.

inso · 2014-04-22T13:20:17Z

weird variable name

dunglas · 2014-04-25T16:43:58Z

Renamed weird variable.

lyrixx reviewed Jan 12, 2014
View reviewed changes

jakzal added the SecurityBundle label Feb 11, 2014

fabpot reviewed Mar 3, 2014
View reviewed changes

stof reviewed Mar 4, 2014
View reviewed changes

Comment thread src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php Outdated

Copy link
Copy Markdown

Member

stof Mar 4, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be VALUE_NONE IMO

dunglas mentioned this pull request Mar 19, 2014

[SecurityBundle] Fixed doc of InitAclCommand #10497

Closed

fabpot reviewed Mar 26, 2014
View reviewed changes

fabpot reviewed Apr 15, 2014
View reviewed changes

inso reviewed Apr 22, 2014
View reviewed changes

[SecurityBundle] added acl:set command

a702124

fabpot added Acl and removed Security labels Apr 28, 2014

Uh oh!

Conversation

dunglas commented Jan 10, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ErichHartmann commented Jan 16, 2014

Uh oh!

dunglas commented Jan 16, 2014

Uh oh!

dunglas commented Feb 11, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

fabpot commented Mar 3, 2014

Uh oh!

stof commented Mar 4, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dunglas commented Mar 4, 2014

Uh oh!

dunglas commented Mar 19, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dunglas commented Apr 9, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dunglas commented Apr 21, 2014

Uh oh!

fabpot commented Apr 22, 2014

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dunglas commented Apr 25, 2014

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants