OroPlatform Forums

Covering OroPlatform topics, including community updates and company announcements.

Forums Forums OroPlatform OroPlatform – Security ACL and multi roles

This topic contains 1 reply, has 2 voices, and was last updated by  Yurii Muratov 5 years, 3 months ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

  • Creator
  • #35513


    I have got some users with many roles to access the platform. i want to give them access to a ressource as soon as one of the roles give them access.

    I found in symfony that we can choose the access_decision_manager strategy, and that there is one (the affirmative) who define the behavior i want.

    So i update the security.yml file with this:

    strategy: affirmative

    But i doesn’t work.

    So i inspect the code and i found that the system only check the first role(alphabetic) of my user.
    I ended up falling on what seems to be an issue.

    In the “PermissionGrantingStrategy” file, in hasSufficientPermissions method at line 208.

    protected function hasSufficientPermissions(
    AclInterface $acl,
    array $aces,
    array $masks,
    array $sids,
    ) {
    $triggeredAce = null;
    $triggeredMask = 0;
    $result = false;

    foreach ($sids as $sid) {
    foreach ($aces as $ace) {
    if ($sid->equals($ace->getSecurityIdentity())) {
    foreach ($masks as $requiredMask) {
    if ($this->isAceApplicable($requiredMask, $ace, $acl)) {
    $isGranting = $ace->isGranting();

    // give an additional chance for the appropriate ACL extension to decide
    // whether an access to a domain object is granted or not
    $decisionResult = $this->getContext()->getAclExtension()->decideIsGranting(
    if (!$decisionResult) {
    $isGranting = !$isGranting;

    if ($isGranting) {
    // the access is granted if there is at least one granting ACE
    $triggeredAce = $ace;
    $triggeredMask = $requiredMask;
    $result = true;
    // break all loops when granting ACE was found
    break 3;
    } else {
    // remember the first denying ACE
    if (null === $triggeredAce) {
    $triggeredAce = $ace;
    $triggeredMask = $requiredMask;
    // break for all masks
    break 3; // Here it should be a simple break, only to break the last loop and check all role.

    if ($triggeredAce === null) {
    // ACE was not found
    return null;
    } else {

    if (!$administrativeMode && null !== $this->auditLogger) {
    $this->auditLogger->logIfNeeded($result, $triggeredAce);

    return $result;

    Besides Comments are explicit:
    the first break = // break all loops when granting ACE was found -> so break 3;
    on the second = // break for all masks -> so simple break; to only break the masks loop.

Viewing 1 replies (of 1 total)
  • Author
  • #35514

    Yurii Muratov

    This issue was already fixed.

Viewing 1 replies (of 1 total)

The forum ‘OroPlatform – Security’ is closed to new topics and replies.

Back to top