kor3k · kor3k · May 17, 2023 · Nov 4, 2022
diff --git a/Dbal/AclProvider.php b/Dbal/AclProvider.php
@@ -26,6 +26,8 @@
 use Symfony\Component\Security\Acl\Model\AclProviderInterface;
 use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
 use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface;
+use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
+use Symfony\Component\Security\Core\Role\Role;
 
 /**
  * An ACL provider implementation.
@@ -37,6 +39,7 @@
 class AclProvider implements AclProviderInterface
 {
     public const MAX_BATCH_SIZE = 30;
+    private const TOKEN_FILTER_PREFIX = 'IS_AUTHENTICATED_';
 
     /**
      * @var AclCacheInterface|null
@@ -219,9 +222,12 @@ public function findAcls(array $oids, array $sids = [])
      *
      * @return string
      */
-    protected function getLookupSql(array $ancestorIds)
+    protected function getLookupSql(array $ancestorIds/*, array $identityIds = []*/)
     {
-        // FIXME: add support for filtering by sids (right now we select all sids)
+        $identityIds = [];
+        if (\func_num_args() > 1) {
+            $identityIds = \func_get_arg(1);
+        }
 
         $sql = <<<SELECTCLAUSE
             SELECT
@@ -255,6 +261,9 @@ protected function getLookupSql(array $ancestorIds)
 SELECTCLAUSE;
 
         $sql .= implode(' OR o.id = ', $ancestorIds).')';
+        if ($identityIds !== []) {
+            $sql .= ' AND (s.identifier = "' . implode('" OR s.identifier = "', $identityIds) . '")';
+        }
 
         return $sql;
     }
@@ -445,6 +454,8 @@ private function doUpdateAceIdentityMap(array &$aces)
      * This method is called for object identities which could not be retrieved
      * from the cache, and for which thus a database query is required.
      *
+     * @param array<SecurityIdentityInterface> $sids
+     *
      * @return \SplObjectStorage<ObjectIdentityInterface,AclInterface> mapping object identities to ACL instances
      *
      * @throws AclNotFoundException
@@ -456,7 +467,7 @@ private function lookupObjectIdentities(array $batch, array $sids, array $oidLoo
             throw new AclNotFoundException('There is no ACL for the given object identity.');
         }
 
-        $sql = $this->getLookupSql($ancestorIds);
+        $sql = $this->getLookupSql($ancestorIds, $this->getIdentityIds($sids));
         $stmt = $this->connection->executeQuery($sql);
 
         return $this->hydrateObjectIdentities($stmt, $oidLookup, $sids);
@@ -669,4 +680,23 @@ private function hydrateObjectIdentities(Result $stmt, array $oidLookup, array $
 
         return $result;
     }
+
+
+    /**
+     * Retrieves all the security identity ids which need to be queried from the database
+     *
+     * @param array<SecurityIdentityInterface> $sids
+     *
+     * @return array<string|Role>
+     */
+    private function getIdentityIds(array $sids)
+    {
+        $filteredSids = \array_filter($sids, function ($sid) {
+                    return false === \strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX);
+        });
+
+        return \array_map(function ($sid) {
+               return $sid->getRole();
+        }, $filteredSids);
+    }
 }
diff --git a/Dbal/MutableAclProvider.php b/Dbal/MutableAclProvider.php
@@ -839,9 +839,7 @@ private function updateNewFieldAceProperty($name, array $changes)
         $sids = new \SplObjectStorage();
         $classIds = new \SplObjectStorage();
         foreach ($changes[1] as $field => $new) {
-            for ($i = 0, $c = \count($new); $i < $c; ++$i) {
-                $ace = $new[$i];
-
+            foreach ($new as $i => $ace) {
                 if (null === $ace->getId()) {
                     if ($sids->contains($ace->getSecurityIdentity())) {
                         $sid = $sids->offsetGet($ace->getSecurityIdentity());
@@ -879,19 +877,15 @@ private function updateOldFieldAceProperty($name, array $changes)
     {
         $currentIds = [];
         foreach ($changes[1] as $field => $new) {
-            for ($i = 0, $c = \count($new); $i < $c; ++$i) {
-                $ace = $new[$i];
-
+            foreach($new as $ace) {
                 if (null !== $ace->getId()) {
                     $currentIds[$ace->getId()] = true;
                 }
             }
         }
 
         foreach ($changes[0] as $old) {
-            for ($i = 0, $c = \count($old); $i < $c; ++$i) {
-                $ace = $old[$i];
-
+            foreach($old as $ace) {
                 if (!isset($currentIds[$ace->getId()])) {
                     $this->connection->executeStatement($this->getDeleteAccessControlEntrySql($ace->getId()));
                     unset($this->loadedAces[$ace->getId()]);
@@ -911,8 +905,7 @@ private function updateNewAceProperty($name, array $changes)
 
         $sids = new \SplObjectStorage();
         $classIds = new \SplObjectStorage();
-        for ($i = 0, $c = \count($new); $i < $c; ++$i) {
-            $ace = $new[$i];
+        foreach ($new as $i =>  $ace) {
 
             if (null === $ace->getId()) {
                 if ($sids->contains($ace->getSecurityIdentity())) {
@@ -951,17 +944,13 @@ private function updateOldAceProperty($name, array $changes)
         [$old, $new] = $changes;
         $currentIds = [];
 
-        for ($i = 0, $c = \count($new); $i < $c; ++$i) {
-            $ace = $new[$i];
-
+        foreach ($new as $ace) {
             if (null !== $ace->getId()) {
                 $currentIds[$ace->getId()] = true;
             }
         }
 
-        for ($i = 0, $c = \count($old); $i < $c; ++$i) {
-            $ace = $old[$i];
-
+        foreach($old as $ace) {
             if (!isset($currentIds[$ace->getId()])) {
                 $this->connection->executeStatement($this->getDeleteAccessControlEntrySql($ace->getId()));
                 unset($this->loadedAces[$ace->getId()]);