我刚开始使用 Symfony 的 ACL 系统,想知道为什么要UserSecurityIdentity使用User 对象username而不是idUser 对象来确定它的身份?
$user = new User();
$user->setId(new \MongoId());
$user->setUsername("frodo");
$dm->persist($user);
$uid = UserSecurityIdentity::fromAccount($user); // uses "frodo"
我们的系统允许用户更改他们的用户名,因此使用更永久的东西(如 ID)来确定用户的身份对我来说似乎更合适。为什么 ACL 系统实施为使用用户名而不是 ID?这里有任何安全考虑吗?
这个问题已经在这里讨论过:
https://github.com/symfony/symfony/issues/5787
并已在此提交中解决:
https://github.com/symfony/symfony/commit/8d39213f4cca19466f84a5656a199eee98602ab1
因此,现在,每当用户更改其用户名时,您都可以更新其安全身份。我使用监听器来做到这一点:
public function preUpdate(PreUpdateEventArgs $eventArgs)
{
/** Update user security identity in case nick is changed * */
if ($entity instanceof \Acme\UserBundle\Entity\User && $eventArgs->hasChangedField('username')) {
$aclProvider = $this->container->get('security.acl.provider');
$securityId = UserSecurityIdentity::fromAccount($entity);
$aclProvider->updateUserSecurityIdentity($securityId, $eventArgs->getOldValue('username'));
}
}
This is implementation of fromAccount() method from Symfony\Component\Security\Acl\Domain\UserSecurityIdentity class:
public static function fromAccount(UserInterface $user)
{
return new self($user->getUsername(), ClassUtils::getRealClass($user));
}
I think it is answer on your question.