From 99632bcb3b5aa3a87414a1fad09cc3659a694463 Mon Sep 17 00:00:00 2001 From: st_koegel Date: Wed, 15 Mar 2017 08:45:04 +0100 Subject: [PATCH 1/9] add support for filtering by sids --- Dbal/AclProvider.php | 49 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/Dbal/AclProvider.php b/Dbal/AclProvider.php index 64102d2..3b22360 100644 --- a/Dbal/AclProvider.php +++ b/Dbal/AclProvider.php @@ -26,6 +26,7 @@ use Symfony\Component\Security\Acl\Model\AclProviderInterface; use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface; use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface; +use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface; /** * An ACL provider implementation. @@ -37,6 +38,7 @@ class AclProvider implements AclProviderInterface { const MAX_BATCH_SIZE = 30; + const TOKEN_FILTER_PREFIX = 'IS_AUTHENTICATED_'; /** * @var AclCacheInterface|null @@ -225,13 +227,12 @@ public function findAcls(array $oids, array $sids = array()) * ACEs, and security identities. * * @param array $ancestorIds + * @param array $identityIds * * @return string */ - protected function getLookupSql(array $ancestorIds) + protected function getLookupSql(array $ancestorIds, array $identityIds) { - // FIXME: add support for filtering by sids (right now we select all sids) - $sql = <<getLookupSql($ancestorIds); + $sql = $this->getLookupSql($ancestorIds, $this->getIdentityIds($sids)); $stmt = $this->connection->executeQuery($sql); return $this->hydrateObjectIdentities($stmt, $oidLookup, $sids); 
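Review bot: The new `$identityIds` argument of `getLookupSql()` feeds role names into a statement that the caller runs as a plain string through `executeQuery($sql)`, with no bound parameters. The heredoc that consumes the list is not visible on this page, so this may already be covered; if it is not, quote every value with `$this->connection->quote($id)` before joining it into the SQL. The builder should also leave the filter out when the list is empty, because `findAcls()` defaults `$sids` to `array()`. The `@param array $identityIds` line would be clearer as `@param string[] $identityIds role names of the security identities to load`, since the values come from `getRole()` and are not database ids.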
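Review bot: The lookup at the `$sql = $this->getLookupSql($ancestorIds, $this->getIdentityIds($sids));` call site now returns only the entries that match the caller's identities, which matters if the hydrated ACL is kept and reused for a later caller. The class holds an `AclCacheInterface`, and the code that stores results is outside this hunk, so this is inferred, not visible: a partially loaded ACL reused for a different set of identities would be evaluated without that caller's entries. It is worth confirming that cached or already-loaded ACLs record which identities they were loaded for, or that filtered results are not cached. The enclosing method starts and ends outside the hunk.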
@@ -692,4 +696,39 @@ private function hydrateObjectIdentities(Statement $stmt, array $oidLookup, arra
 return $result;
 }
+
+ /**
+ * Retrieves all the security identity ids which need to be queried from the database
+ *
+ * @param SecurityIdentityInterface[] $sids
+ *
+ * @return array
+ */
+ private function getIdentityIds(array $sids) {
+
+ $identityIds = [];
+
+ foreach ($sids as $sid) {
+ /**
+ * @var RoleSecurityIdentity $sid
+ */
+ if ($this->filterToken($sid)) {
+ $identityIds[] = $sid->getRole();
+ }
+ }
+
+ return $identityIds;
+ }
+
+ /**
+ * check if token contains a security identity id
+ *
+ * @param RoleSecurityIdentity $sid
+ *
+ * @return bool
+ */
+ private function filterToken($sid)
+ {
+ return strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX) === false;
+ }
 }
From 09c41a2e175c356d320977c682d5873d5b34d57d Mon Sep 17 00:00:00 2001
From: Thomas Rothe
Date: Wed, 15 Mar 2017 10:06:44 +0100
Subject: [PATCH 2/9] added replace
---
 composer.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 9276632..f094ce3 100644
--- a/composer.json
+++ b/composer.json
@@ -1,5 +1,8 @@
 {
- "name": "symfony/security-acl",
+ "name": "littlebird/security-acl",
+ "replace": {
+ "symfony/security-acl":"self.version"
+ },
 "type": "library",
 "description": "Symfony Security Component - ACL (Access Control List)",
 "keywords": [],
From 163849106c8626c619242c52a34fc3019b5e4b1b Mon Sep 17 00:00:00 2001
From: st_koegel
Date: Wed, 15 Mar 2017 17:25:43 +0100
Subject: [PATCH 3/9] existing acl entries are not always numbered consecutively
---
 Dbal/MutableAclProvider.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dbal/MutableAclProvider.php b/Dbal/MutableAclProvider.php
index bf08f60..3603049 100644
--- a/Dbal/MutableAclProvider.php
+++ b/Dbal/MutableAclProvider.php
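Review bot: `getIdentityIds()` calls `$sid->getRole()` on every element of `$sids`, but its docblock declares `SecurityIdentityInterface[]` and only the inline `@var RoleSecurityIdentity` hint says the objects are roles; an identity class without `getRole()` (a user identity, for instance) would fail here, and its entries would never reach the query. A guard such as `if (!$sid instanceof RoleSecurityIdentity) { continue; }` makes the assumption explicit, though the lookup then needs a defined behaviour for non-role identities. `filterToken()` also tests `strpos(...) === false`, which drops any role that contains `IS_AUTHENTICATED_` anywhere, while the constant is named a prefix; `0 !== strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX)` matches the name. The visible `use` hunk imports only `SecurityIdentityInterface`, so the guard may need its own import for `RoleSecurityIdentity`. Both points carry over unchanged to the reworked `getIdentityIds()` in PATCH 8/9 and 9/9.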
@@ -977,8 +977,8 @@ private function updateOldAceProperty($name, array $changes)
 }
 }
- for ($i = 0, $c = count($old); $i < $c; ++$i) {
- $ace = $old[$i];
+ foreach($old as $oldEntry) {
+ $ace = $oldEntry;
 if (!isset($currentIds[$ace->getId()])) {
 $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
From 38741fae9108644e84b8cde835dc21d3b0909b83 Mon Sep 17 00:00:00 2001
From: Thomas Rothe
Date: Thu, 16 Mar 2017 18:25:08 +0100
Subject: [PATCH 4/9] removed replace
---
 composer.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/composer.json b/composer.json
index f094ce3..9276632 100644
--- a/composer.json
+++ b/composer.json
@@ -1,8 +1,5 @@
 {
- "name": "littlebird/security-acl",
- "replace": {
- "symfony/security-acl":"self.version"
- },
+ "name": "symfony/security-acl",
 "type": "library",
 "description": "Symfony Security Component - ACL (Access Control List)",
 "keywords": [],
From 82c23577017270cb9cc8f3df1d7a041a52f88393 Mon Sep 17 00:00:00 2001
From: st_koegel
Date: Wed, 15 Mar 2017 17:25:43 +0100
Subject: [PATCH 5/9] existing acl entries are not always numbered consecutively
---
 Dbal/MutableAclProvider.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dbal/MutableAclProvider.php b/Dbal/MutableAclProvider.php
index bf08f60..3603049 100644
--- a/Dbal/MutableAclProvider.php
+++ b/Dbal/MutableAclProvider.php
@@ -977,8 +977,8 @@ private function updateOldAceProperty($name, array $changes)
 }
 }
- for ($i = 0, $c = count($old); $i < $c; ++$i) {
- $ace = $old[$i];
+ foreach($old as $oldEntry) {
+ $ace = $oldEntry;
 if (!isset($currentIds[$ace->getId()])) {
 $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
From 2d6a94bdf8b83b952070f0c08c1b29667c99de91 Mon Sep 17 00:00:00 2001
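Review bot: The loop in `updateOldAceProperty()` binds each element to `$oldEntry` and immediately copies it to `$ace`, so the extra variable adds nothing; `foreach ($old as $ace) {` says the same in one line and matches the `foreach (` spacing seen in the context lines of PATCH 6/9. The identical pattern appears in the repeated hunk of PATCH 5/9 and in both `updateOldFieldAceProperty()` hunks of PATCH 6/9. The function body starts and ends outside the hunk.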
From: st_koegel
Date: Mon, 27 Mar 2017 22:06:31 +0200
Subject: [PATCH 6/9] existing acl entries are not always numbered consecutively
---
 Dbal/MutableAclProvider.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dbal/MutableAclProvider.php b/Dbal/MutableAclProvider.php
index 3603049..98a40e1 100644
--- a/Dbal/MutableAclProvider.php
+++ b/Dbal/MutableAclProvider.php
@@ -895,8 +895,8 @@ private function updateOldFieldAceProperty($name, array $changes)
 {
 $currentIds = array();
 foreach ($changes[1] as $field => $new) {
- for ($i = 0, $c = count($new); $i < $c; ++$i) {
- $ace = $new[$i];
+ foreach($new as $newEntry) {
+ $ace = $newEntry;
 if (null !== $ace->getId()) {
 $currentIds[$ace->getId()] = true;
@@ -905,8 +905,8 @@ private function updateOldFieldAceProperty($name, array $changes)
 }
 foreach ($changes[0] as $old) {
- for ($i = 0, $c = count($old); $i < $c; ++$i) {
- $ace = $old[$i];
+ foreach($old as $oldEntry) {
+ $ace = $oldEntry;
 if (!isset($currentIds[$ace->getId()])) {
 $this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
From a8b2509d3b2ea48df1bbf95d6989149acfbf3d64 Mon Sep 17 00:00:00 2001
From: st_koegel
Date: Tue, 28 Mar 2017 09:35:39 +0200
Subject: [PATCH 7/9] existing acl entries are not always numbered consecutively - part 3
---
 Dbal/MutableAclProvider.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dbal/MutableAclProvider.php b/Dbal/MutableAclProvider.php
index 98a40e1..0241477 100644
--- a/Dbal/MutableAclProvider.php
+++ b/Dbal/MutableAclProvider.php
@@ -854,8 +854,8 @@ private function updateNewFieldAceProperty($name, array $changes)
 $sids = new \SplObjectStorage();
 $classIds = new \SplObjectStorage();
 foreach ($changes[1] as $field => $new) {
- for ($i = 0, $c = count($new); $i < $c; ++$i) {
- $ace = $new[$i];
+ foreach($new as $aceOrder => $newEntry) {
+ $ace = $newEntry;
 if (null === $ace->getId()) {
 if ($sids->contains($ace->getSecurityIdentity())) {
@@ -873,8 +873,8 @@ private function updateNewFieldAceProperty($name, array $changes)
 $objectIdentityId = $name === 'classFieldAces' ? null : $ace->getAcl()->getId();
- $this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
- $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, $field, $i))->fetchColumn();
+ $this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $aceOrder, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
+ $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, $field, $aceOrder))->fetchColumn();
 $this->loadedAces[$aceId] = $ace;
 $aceIdProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Entry', 'id');
From 9514e120039c19792a51f682b1e3d7de16957cbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gel?=
Date: Thu, 19 Sep 2019 08:19:25 +0200
Subject: [PATCH 8/9] rework for pull request comments
---
 Dbal/AclProvider.php | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)
diff --git a/Dbal/AclProvider.php b/Dbal/AclProvider.php
index 3b22360..946381a 100644
--- a/Dbal/AclProvider.php
+++ b/Dbal/AclProvider.php
@@ -227,12 +227,16 @@ public function findAcls(array $oids, array $sids = array()) * ACEs, and security identities. * * @param array $ancestorIds - * @param array $identityIds * * @return string */ - protected function getLookupSql(array $ancestorIds, array $identityIds) + protected function getLookupSql(array $ancestorIds/*, array $identityIds = []*/) { + $identityIds = []; + if (\func_num_args() > 1) { + $identityIds = \func_get_arg(1); + } + $sql = <<filterToken($sid)) { - $identityIds[] = $sid->getRole(); - } - } - - return $identityIds; - } - - /** - * check if token contains a security identity id - * - * @param RoleSecurityIdentity $sid - * - * @return bool - */ - private function filterToken($sid) + private function getIdentityIds(array $sids) { - return strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX) === false; + return \array_filter($sids, function ($sid) { + return false === \strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX); + }); } } From 123021248b824b0e141ab9eb7ea49775b4ac1387 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20K=C3=B6gel?= Date: Thu, 19 Sep 2019 14:28:54 +0200 Subject: [PATCH 9/9] add back mapping to role --- Dbal/AclProvider.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Dbal/AclProvider.php b/Dbal/AclProvider.php index 946381a..83f8943 100644 --- a/Dbal/AclProvider.php +++ b/Dbal/AclProvider.php @@ -710,8 +710,12 @@ private function hydrateObjectIdentities(Statement $stmt, array $oidLookup, arra */ private function getIdentityIds(array $sids) { - return \array_filter($sids, function ($sid) { - return false === \strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX); + $filteredSids = \array_filter($sids, function ($sid) { + return false === \strpos($sid->getRole(), self::TOKEN_FILTER_PREFIX); }); + + return \array_map(function ($sid) { + return $sid->getRole(); + }, $filteredSids); } }
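Review bot: `\func_get_arg(1)` is assigned to `$identityIds` with no type check, so the `array` constraint that the commented-out parameter describes is no longer enforced on a value that ends up in the lookup query. Checking it at the top keeps the contract, for example `if (\func_num_args() > 1 && \is_array(\func_get_arg(1))) { $identityIds = \func_get_arg(1); }`, or throw `\InvalidArgumentException` for a non-array. The docblock also lost its `@param array $identityIds` line; a sentence that documents the optional second argument would help subclasses that override this protected method. The rest of the function, including the SQL that consumes the list, is not visible in this hunk.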