Let SQLFilters know the query type it is being applied to

Details

Type: Improvement
Status: Reopened
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: ORM
Security Level: All
Labels:
None

Description

I'm making an access control system and would like to automatically filter all queries based current user, targetEntity type and query type. Query type is relevant as different permissions are needed by the user for SELECT, UPDATE, DELETE and INSERT queries.

I can access the first two things in my filter easily enough, but I cannot find a way to have the filter know what type of query the filter is being applied to.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Benjamin Eberlei added a comment - 13/Jul/12 9:42 AM

The Filter API only makes sense for SELECT clauses. Doctrine itself does not use DQL to do updates internally, so you need to use other mechanisms (EventListener) to prevent this operations if they are not allowed for a user.

Show

Benjamin Eberlei added a comment - 13/Jul/12 9:42 AM The Filter API only makes sense for SELECT clauses. Doctrine itself does not use DQL to do updates internally, so you need to use other mechanisms (EventListener) to prevent this operations if they are not allowed for a user.

Benjamin Eberlei made changes - 13/Jul/12 9:42 AM

Field	Original Value	New Value
Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Invalid [ 6 ]

Hide

Permalink

Jan Knudsen added a comment - 13/Jul/12 9:51 AM - edited

But I can make custom DQL to update rows and would like to automatically filter this too.

e.g. $em->createQuery("UPDATE SomeEntity se SET se.field = "updated!")->execute();

The lifecycle events preUpdate etc. are not called when doing custom DQL queries.

Maybe it is bad practice and discouraged to do updates, inserts and deletes as custom DQL queries, but I would like to ensure that the other people in my organization can't accidentally bypass the Access Control, even if they make use of such bad practice.

And if the filter API only makes sense for Select statements, why are filters applied to update/delete/etc. statements too?

Show

Jan Knudsen added a comment - 13/Jul/12 9:51 AM - edited But I can make custom DQL to update rows and would like to automatically filter this too. e.g. $em->createQuery("UPDATE SomeEntity se SET se.field = "updated!")->execute(); The lifecycle events preUpdate etc. are not called when doing custom DQL queries. Maybe it is bad practice and discouraged to do updates, inserts and deletes as custom DQL queries, but I would like to ensure that the other people in my organization can't accidentally bypass the Access Control, even if they make use of such bad practice. And if the filter API only makes sense for Select statements, why are filters applied to update/delete/etc. statements too?

Hide

Permalink

Benjamin Eberlei added a comment - 13/Jul/12 10:41 AM

Well, they are applied to DQL UPDATE/DELETE. But not not UPDATE/DELETE that works through the internals of Doctrine. So yes, you can use it to filter DQL DELETE/UPDATE, but doctrine does not do that internally.

So you have to have two strategies, a DQL/SQL Filter - and Lifecycle events.

Show

Benjamin Eberlei added a comment - 13/Jul/12 10:41 AM Well, they are applied to DQL UPDATE/DELETE. But not not UPDATE/DELETE that works through the internals of Doctrine. So yes, you can use it to filter DQL DELETE/UPDATE, but doctrine does not do that internally. So you have to have two strategies, a DQL/SQL Filter - and Lifecycle events.

Hide

Permalink

Jan Knudsen added a comment - 13/Jul/12 10:59 AM

Which is fine by me. I already implemented the checks using lifecycle events before opening this issue. The access control is automatically handled when using the entitymanager and not custom DQL.

Now I would also like to filter the custom DQL, but currently I can't, because as originally stated, the filter needs to know which type of query it is being applied to.

Show

Jan Knudsen added a comment - 13/Jul/12 10:59 AM Which is fine by me. I already implemented the checks using lifecycle events before opening this issue. The access control is automatically handled when using the entitymanager and not custom DQL. Now I would also like to filter the custom DQL, but currently I can't, because as originally stated, the filter needs to know which type of query it is being applied to.

Jan Knudsen made changes - 13/Jul/12 10:59 AM

Resolution	Invalid [ 6 ]
Status	Resolved [ 5 ]	Reopened [ 4 ]

This list may be incomplete, as errors occurred whilst retrieving source from linked applications:

Request to http://www.doctrine-project.org/fisheye/ failed: Error in remote call to 'FishEye 0 (http://www.doctrine-project.org/fisheye/)' (http://www.doctrine-project.org/fisheye) [AbstractRestCommand{path='/rest-service-fe/search-v1/crossRepositoryQuery', params={query=DDC-1924, expand=changesets[-21:-1].revisions[0:29],reviews}, methodType=GET}] : Received status code 503 (Service Temporarily Unavailable)

People

Assignee:

Benjamin Eberlei

Reporter:

Jan Knudsen

Vote (0)

Watch (2)

Dates

Created:

13/Jul/12 9:23 AM

Updated:

13/Jul/12 10:59 AM