Why are symfony2 security voters always called?

I am using security voters as an alternative to symfony's acl system.

example voter:

my voters look similar to the following one.

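    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

    class FoobarVoter implements VoterInterface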
    {
        public function supportsClass($class)
        {
            return in_array($class, array(
                'Example\FoobarBundle\Entity\Foobar',
            ));
        }

        public function supportsAttribute($attribute)
        {
            return in_array(strtolower($attribute), array('foo', 'bar'));
        }

        public function vote(TokenInterface $token, $object, array $attributes)
        {
            // default: no opinion unless the logic below decides otherwise
            $result = VoterInterface::ACCESS_ABSTAIN;

            if (!$this->supportsClass(get_class($object))) {
                return VoterInterface::ACCESS_ABSTAIN;
            }

            foreach ($attributes as $attribute) {
                $attribute = strtolower($attribute);

                // skip not supported attributes
                if (!$this->supportsAttribute($attribute)) {
                    continue;
                }

                // [... some logic ...]
            }

            return $result;
        }
    }

questions:

reduce calls to Voter::vote()

my voters are included and called on every page load, even if they do not support decisions for a given class. FoobarVoter::vote() is always called, even if FoobarVoter::supportsClass() or FoobarVoter::supportsAttribute() return false. thus i need to check class and attribute inside FoobarVoter::vote(). is this behaviour standard? how can i prevent this unnecessary call?

limit voters to bundles

some voters are only needed inside specific bundles. some are only needed to decide about specific classes. thus some voters are not needed in all parts of my application. is it possible to include voters per bundle/entity dynamically? eg only include voters into decision manager chain if a specific bundle or a specific entity is accessed/used?

Looking through the source code of Symfony, it appears to be because the AccessDecisionManager uses those methods (supportsClass and supportsAttribute) to roll-up support to itself.

What this allows your voter to do is extend the cases when the manager will be applied. So you're not detailing the capability of your voter, but of the entire voting process. Whether or not that's what you want is something else...

As far as reducing the unnecessary calls, it's not unnecessary in the general case. The system is designed using one of three methods:

  1. Allow based (decideAffirmative). This uses an "allow based" voting. Which means that if one plugin says "allow" then you're allowed.

  2. Consensus based (decideConsensus). This uses a consensus based permission, where if more voters agree to allow than to deny you're allowed...

  3. Deny based (decideUnanimous). This uses a "deny based" voting. Which means that if one plugin says "deny", then you're denied. Otherwise you need at least one grant.

So considering that all of them rely on the explicit Deny vs Allow, running all of the plugins for every request actually makes sense. Because even if you don't specifically support a class, you may want to allow or deny that request.

In short, there's not much to gain by limiting the voters by the supports attributes.
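The three strategies described in the answer, as an added example that is not part of the original question or answer and is not Symfony's source. It is a simplified model: the `decide()` function, the `Invoice` class and the second voter are constructed for illustration, ties under consensus are denied, and a vote where every voter abstains is denied.

```php
<?php
// Simplified model of the three strategies from the answer (not Symfony's source).
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED = -1;

class Foobar {}   // hypothetical entity the voter supports
class Invoice {}  // hypothetical entity the voter does not support

// Every voter is asked; the strategy only decides how the votes are combined.
function decide($strategy, array $voters, $object, array $attributes)
{
    $grant = $deny = 0;
    foreach ($voters as $voter) {
        $vote = $voter($object, $attributes);
        if ($vote === ACCESS_GRANTED) {
            $grant++;
        } elseif ($vote === ACCESS_DENIED) {
            $deny++;
        }
    }
    switch ($strategy) {
        case 'affirmative': return $grant > 0;                // one "allow" is enough
        case 'consensus':   return $grant > $deny;            // more allow than deny
        case 'unanimous':   return $deny === 0 && $grant > 0; // no deny, at least one grant
    }
    throw new InvalidArgumentException("unknown strategy: $strategy");
}

// Mirrors the guard in FoobarVoter::vote(): abstain on anything unsupported.
$foobarVoter = function ($object, array $attributes) {
    if (!$object instanceof Foobar) {
        return ACCESS_ABSTAIN;
    }
    $supported = array_intersect(array_map('strtolower', $attributes), array('foo', 'bar'));
    return $supported ? ACCESS_GRANTED : ACCESS_ABSTAIN;
};

// Constructed second voter: denies "bar" on any class, supported or not.
$denyBarVoter = function ($object, array $attributes) {
    return in_array('bar', array_map('strtolower', $attributes), true) ? ACCESS_DENIED : ACCESS_ABSTAIN;
};

$voters = array($foobarVoter, $denyBarVoter);
$cases = array('Foobar/foo' => array(new Foobar(), 'foo'), 'Foobar/bar' => array(new Foobar(), 'bar'), 'Invoice/foo' => array(new Invoice(), 'foo'));
foreach (array('affirmative', 'consensus', 'unanimous') as $strategy) {
    foreach ($cases as $label => $case) {
        $allowed = decide($strategy, $voters, $case[0], array($case[1]));
        printf("%-11s %-11s %s\n", $strategy, $label, $allowed ? 'allowed' : 'denied');
    }
}
```

The `Foobar/bar` rows differ by strategy because one voter grants and the other denies, while the `Invoice/foo` rows show that an abstaining voter leaves the outcome to the others.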
