Persistence ACL feature walkthrough
With the Persistence ACL feature, you can manage authorization at the database entity level, or even within a set of entities or segments. This feature enables a flexible system of inheritance of rights, simplifying the configuration of access.
Persistence ACL runs in the Persistence layer, as its name suggests.
Limitations
The module is based on the Propel ORM (specifically Propel behaviors and Propel hooks). If you are not using Propel ORM to interact with data in your system, this module will not work.
Module dependency graph
The following module dependency graph and table list the main modules of the Persistence ACL feature and their interaction.
| MODULE | DESCRIPTION |
|---|---|
| Acl | \Spryker\Zed\Acl\Business\AclFacade::getUserRoles() is used to get the logged-in user's AclRoles. |
| AclExtension | \Spryker\Zed\AclExtension\Dependency\Plugin\AclRolePostSavePluginInterface is used to save AclEntityRules for an AclRole. |
| AclEntityDataImport | AclEntityRule and AclEntitySegment are used to import data. |
| AclEntityExtension | \Spryker\Zed\AclEntityExtension\Dependency\Plugin\AclEntityDisablerPluginInterface determines whether the feature is enabled. \Spryker\Zed\AclEntityExtension\Dependency\Plugin\AclEntityMetadataConfigExpanderPluginInterface is used in \Spryker\Zed\AclEntity\Business\AclEntityFacade::getAclEntityMetadataConfig() to expand the module configuration. |
| PropelOrm | The module is used as a container for the Propel library. |
| User | \Spryker\Zed\User\Business\UserFacade::hasCurrentUser() is used to check whether a user is logged in. \Spryker\Zed\User\Business\UserFacade::getCurrentUser() is used to determine which AclEntityRules should be considered during query processing. |
Domain model
The following schema illustrates the Persistence ACL domain model:
How it works
Persistence ACL supports permission checks both when executing queries and when performing actions on Active Record models. Upon installation and configuration, code is injected into the Active Record model and Query classes that checks the user's permissions for the corresponding actions. This module uses Propel hooks.
Queries executed outside of the Propel API WILL NOT be handled by Persistence ACL.
During model operations, the following hooks are used:
- preInsert
- preUpdate
- preDelete
Query execution is handled through the following hooks:
- preSelectQuery
- preUpdateQuery
- preDeleteQuery
A query sent to the database is intercepted and modified with additional joins to limit the results of the query to only those records available to the current user. If the user attempts to perform a restricted action on an Active Record model (such as updating, deleting, or creating), \Spryker\Zed\AclEntity\Persistence\Exception\OperationNotAuthorizedException is thrown.
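The hook flow described above, as an added in-memory illustration that is not Spryker or Propel code: only the hook names and OperationNotAuthorizedException come from the page; AclRuleSet, Product, the global/segment rule data and the in-memory row filter standing in for the query's extra joins are assumptions (PHP 8.1+).

```php
<?php
// Added illustration, not Spryker or Propel code. Only the hook names and
// OperationNotAuthorizedException come from the page; everything else is assumed.
final class OperationNotAuthorizedException extends RuntimeException {}

// One rule grants operations on an entity, globally (segment = null) or for one segment.
final class AclEntityRule {
    public function __construct(
        public readonly string $entity, public readonly array $operations, public readonly ?string $segment = null
    ) {}
}
final class AclRuleSet {
    /** @param AclEntityRule[] $rules */
    public function __construct(private array $rules) {}
    public function allows(string $entity, string $operation, ?string $segment): bool {
        foreach ($this->rules as $rule) {
            if ($rule->entity !== $entity || !in_array($operation, $rule->operations, true)) { continue; }
            if ($rule->segment === null || $rule->segment === $segment) { return true; } // global or matching segment
        }
        return false;
    }
}

// Stand-in for an Active Record model: the pre* hooks run before the write and throw
// when the current user's rules do not cover the operation for this record's segment.
final class Product {
    public function __construct(public string $sku, public ?string $segment, private AclRuleSet $acl) {}
    public function preInsert(): bool { return $this->authorize('create'); }
    public function preUpdate(): bool { return $this->authorize('update'); }
    public function preDelete(): bool { return $this->authorize('delete'); }
    private function authorize(string $op): bool {
        if (!$this->acl->allows('Product', $op, $this->segment)) {
            throw new OperationNotAuthorizedException("Product {$this->sku}: {$op} not authorized");
        }
        return true;
    }
}

// Stand-in for the select query hook: the real module adds joins to the SQL; here the
// rows are filtered in memory to the same effect, keeping only readable records.
function preSelectQuery(array $rows, AclRuleSet $acl): array {
    return array_values(array_filter($rows, fn (Product $p) => $acl->allows('Product', 'read', $p->segment)));
}

$acl = new AclRuleSet([
    new AclEntityRule('Product', ['read']),               // global read
    new AclEntityRule('Product', ['update'], 'de-store'), // update only inside the de-store segment
]);
$rows = [new Product('A', 'de-store', $acl), new Product('B', 'at-store', $acl)]; // constructed sample rows
echo count(preSelectQuery($rows, $acl)), " readable\n";   // both rows: read is global
$rows[0]->preUpdate();                                      // allowed by the segment rule
try { $rows[1]->preUpdate(); } catch (OperationNotAuthorizedException $e) { echo $e->getMessage(), "\n"; }
```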
Learn more
Related Developer documents
| INSTALLATION GUIDES | REFERENCES | HOWTOS |
|---|---|---|
| Install the ACL feature | Persistence ACL feature configuration | HowTo: Split products by stores |
| | Execution flow | |
| | Rules and scopes | |
| | Global scope | |
| | Segment scope | |
| | Inherited scope | |
| | Composite entity | |