Best way to manage user/group object permissions with Symfony2

臣服心动 2021-02-04 09:26

I'd like to hear some thoughts on the best way to optimize our schema to achieve the following.

We have a number of objects/db entries (events, venues, etc) some of wh

2 answers
  •  孤街浪徒
    2021-02-04 10:20

    From how I understand it, the ACL is used to give access to a specific object to a specific person for special scenarios. What you are describing is more generic, but it just deviates from what Symfony2 outlines for security (this person has an "admin" role, but only for the objects contained in a particular group).

    ACLs should not be used to store a bunch of stuff, as checking it can get expensive if it gets too large. So, throwing a bunch of stuff in here by default when new users are added, or even when new objects are added under a group (if using the ACL, you would have to add an entry to each person in the group whenever you create a new object), is going to be taxing on performance after a while...

    I am currently researching the possibility of using Symfony2 for a web app, but I am hitting a wall with this security stuff too, as we have a similar need. I'm no expert on Symfony2, but from what I have looked into, you might have a few options:

    1. Create a Voter to handle this. Voters allow you to check authorization tokens and return whether access is granted or denied based on how you process it. So, you could make a custom Voter that checks a user's group and tries to match it up with the group the object is under. If so, return ACCESS_GRANTED, otherwise ACCESS_DENIED, or ACCESS_ABSTAIN if the Voter is not valid for the current check. EDIT: Here is a link to the Symfony2 cookbook for Voters: http://symfony.com/doc/current/cookbook/security/voters.html

    2. Might also want to research the SecurityContext interface. This provides the "isGranted()" method that deals with determining access to objects. If Voters are not simple enough, you might have to go the route of creating a new SecurityContext class; I think that this would be a bit more involved though.

    Like I said, I am no pro, and don't have a solution; these are just some directions I am researching to try to solve (what I feel is) a similar problem. Hope this helps somewhat.
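
A Symfony 2.x voter along the lines of option 1 in the answer above, added here as an illustration; it is not code from the original post or from Symfony. The `Acme\DemoBundle` namespace, `GroupOwnedInterface`, `getGroup()`, `getGroups()`, `getId()` and the `VIEW`/`EDIT` attributes are assumptions about the application.

```php
<?php
// Added example. Hypothetical names: Acme\DemoBundle, GroupOwnedInterface,
// getGroup(), getGroups(), getId(), and the VIEW/EDIT attributes.
namespace Acme\DemoBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

// Contract for entities (events, venues, ...) that belong to exactly one group.
interface GroupOwnedInterface
{
    public function getGroup();
}

class GroupVoter implements VoterInterface
{
    public function supportsAttribute($attribute)
    {
        return in_array($attribute, array('VIEW', 'EDIT'), true);
    }

    public function supportsClass($class)
    {
        return is_subclass_of($class, __NAMESPACE__ . '\GroupOwnedInterface');
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Abstain on objects or attributes this voter does not understand,
        // so that it never blocks checks meant for other voters.
        if (!$object instanceof GroupOwnedInterface
            || !array_filter($attributes, array($this, 'supportsAttribute'))) {
            return self::ACCESS_ABSTAIN;
        }
        // Anonymous tokens carry a string instead of a user object: deny.
        $user = $token->getUser();
        if (!is_object($user) || !method_exists($user, 'getGroups')) {
            return self::ACCESS_DENIED;
        }
        // An unassigned or unsaved owning group must never match (null === null).
        $owner = $object->getGroup();
        if ($owner === null || $owner->getId() === null) {
            return self::ACCESS_DENIED;
        }
        foreach ($user->getGroups() as $group) {
            if ($group->getId() === $owner->getId()) {
                return self::ACCESS_GRANTED;
            }
        }
        return self::ACCESS_DENIED;
    }
}
```

Register the class as a service tagged `security.voter`. With the default `affirmative` decision strategy a grant from any other voter outweighs this voter's denial, so switch the access decision manager to `unanimous` if its denial has to be final.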
