vendor/symfony/security-acl/Dbal/AclProvider.php line 59

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Acl\Dbal;
  14. use Doctrine\DBAL\Connection;
  15. use Doctrine\DBAL\Result;
  16. use Symfony\Component\Security\Acl\Domain\Acl;
  17. use Symfony\Component\Security\Acl\Domain\Entry;
  18. use Symfony\Component\Security\Acl\Domain\FieldEntry;
  19. use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
  20. use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
  21. use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
  22. use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
  23. use Symfony\Component\Security\Acl\Exception\NotAllAclsFoundException;
  24. use Symfony\Component\Security\Acl\Model\AclCacheInterface;
  25. use Symfony\Component\Security\Acl\Model\AclInterface;
  26. use Symfony\Component\Security\Acl\Model\AclProviderInterface;
  27. use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
  28. use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface;
  30. /**
  31. * An ACL provider implementation.
  32. *
  33. * This provider assumes that all ACLs share the same PermissionGrantingStrategy.
  34. *
  35. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  36. */
  37. class AclProvider implements AclProviderInterface
  38. {
  39. public const MAX_BATCH_SIZE = 30;
  41. /**
  42. * @var AclCacheInterface|null
  43. */
  44. protected $cache;
  46. /**
  47. * @var Connection
  48. */
  49. protected $connection;
  50. protected $loadedAces = [];
  51. protected $loadedAcls = [];
  52. protected $options;
  54. /**
  55. * @var PermissionGrantingStrategyInterface
  56. */
  57. private $permissionGrantingStrategy;
  59. public function __construct(Connection $connection, PermissionGrantingStrategyInterface $permissionGrantingStrategy, array $options, AclCacheInterface $cache = null)
  60. {
  61. $this->cache = $cache;
  62. $this->connection = $connection;
  63. $this->options = $options;
  64. $this->permissionGrantingStrategy = $permissionGrantingStrategy;
  65. }
  67. /**
  68. * {@inheritdoc}
  69. */
  70. public function findChildren(ObjectIdentityInterface $parentOid, $directChildrenOnly = false)
  71. {
  72. $sql = $this->getFindChildrenSql($parentOid, $directChildrenOnly);
  74. $children = [];
  75. foreach ($this->connection->executeQuery($sql)->fetchAllAssociative() as $data) {
  76. $children[] = new ObjectIdentity($data['object_identifier'], $data['class_type']);
  77. }
  79. return $children;
  80. }
  82. /**
  83. * {@inheritdoc}
  84. */
  85. public function findAcl(ObjectIdentityInterface $oid, array $sids = [])
  86. {
  87. return $this->findAcls([$oid], $sids)->offsetGet($oid);
  88. }
  90. /**
  91. * {@inheritdoc}
  92. */
  93. public function findAcls(array $oids, array $sids = [])
  94. {
  95. /** @var \SplObjectStorage<ObjectIdentityInterface,AclInterface> */
  96. $result = new \SplObjectStorage();
  97. $currentBatch = [];
  98. $oidLookup = [];
  100. for ($i = 0, $c = \count($oids); $i < $c; ++$i) {
  101. $oid = $oids[$i];
  102. $oidLookupKey = $oid->getIdentifier().$oid->getType();
  103. $oidLookup[$oidLookupKey] = $oid;
  104. $aclFound = false;
  106. // check if result already contains an ACL
  107. if ($result->contains($oid)) {
  108. $aclFound = true;
  109. }
  111. // check if this ACL has already been hydrated
  112. if (!$aclFound && isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) {
  113. $acl = $this->loadedAcls[$oid->getType()][$oid->getIdentifier()];
  115. if (!$acl->isSidLoaded($sids)) {
  116. // FIXME: we need to load ACEs for the missing SIDs. This is never
  117. // reached by the default implementation, since we do not
  118. // filter by SID
  119. throw new \RuntimeException('This is not supported by the default implementation.');
  120. } else {
  121. $result->attach($oid, $acl);
  122. $aclFound = true;
  123. }
  124. }
  126. // check if we can locate the ACL in the cache
  127. if (!$aclFound && null !== $this->cache) {
  128. $acl = $this->cache->getFromCacheByIdentity($oid);
  130. if (null !== $acl) {
  131. if ($acl->isSidLoaded($sids)) {
  132. // check if any of the parents has been loaded since we need to
  133. // ensure that there is only ever one ACL per object identity
  134. $parentAcl = $acl->getParentAcl();
  135. while (null !== $parentAcl) {
  136. $parentOid = $parentAcl->getObjectIdentity();
  138. if (isset($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()])) {
  139. $acl->setParentAcl($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()]);
  140. break;
  141. } else {
  142. $this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()] = $parentAcl;
  143. $this->updateAceIdentityMap($parentAcl);
  144. }
  146. $parentAcl = $parentAcl->getParentAcl();
  147. }
  149. $this->loadedAcls[$oid->getType()][$oid->getIdentifier()] = $acl;
  150. $this->updateAceIdentityMap($acl);
  151. $result->attach($oid, $acl);
  152. $aclFound = true;
  153. } else {
  154. $this->cache->evictFromCacheByIdentity($oid);
  156. foreach ($this->findChildren($oid) as $childOid) {
  157. $this->cache->evictFromCacheByIdentity($childOid);
  158. }
  159. }
  160. }
  161. }
  163. // looks like we have to load the ACL from the database
  164. if (!$aclFound) {
  165. $currentBatch[] = $oid;
  166. }
  168. // Is it time to load the current batch?
  169. $currentBatchesCount = \count($currentBatch);
  170. if ($currentBatchesCount > 0 && (self::MAX_BATCH_SIZE === $currentBatchesCount || ($i + 1) === $c)) {
  171. try {
  172. $loadedBatch = $this->lookupObjectIdentities($currentBatch, $sids, $oidLookup);
  173. } catch (AclNotFoundException $e) {
  174. if ($result->count()) {
  175. $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.');
  176. $partialResultException->setPartialResult($result);
  177. throw $partialResultException;
  178. } else {
  179. throw $e;
  180. }
  181. }
  182. foreach ($loadedBatch as $loadedOid) {
  183. $loadedAcl = $loadedBatch->offsetGet($loadedOid);
  185. if (null !== $this->cache) {
  186. $this->cache->putInCache($loadedAcl);
  187. }
  189. if (isset($oidLookup[$loadedOid->getIdentifier().$loadedOid->getType()])) {
  190. $result->attach($loadedOid, $loadedAcl);
  191. }
  192. }
  194. $currentBatch = [];
  195. }
  196. }
  198. // check that we got ACLs for all the identities
  199. foreach ($oids as $oid) {
  200. if (!$result->contains($oid)) {
  201. if (1 === \count($oids)) {
  202. $objectName = method_exists($oid, '__toString') ? $oid : \get_class($oid);
  203. throw new AclNotFoundException(sprintf('No ACL found for %s.', $objectName));
  204. }
  206. $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.');
  207. $partialResultException->setPartialResult($result);
  209. throw $partialResultException;
  210. }
  211. }
  213. return $result;
  214. }
  216. /**
  217. * Constructs the query used for looking up object identities and associated
  218. * ACEs, and security identities.
  219. *
  220. * @return string
  221. */
  222. protected function getLookupSql(array $ancestorIds)
  223. {
  224. // FIXME: add support for filtering by sids (right now we select all sids)
  226. $sql = <<<SELECTCLAUSE
  227. SELECT
  228. o.id as acl_id,
  229. o.object_identifier,
  230. o.parent_object_identity_id,
  231. o.entries_inheriting,
  232. c.class_type,
  233. e.id as ace_id,
  234. e.object_identity_id,
  235. e.field_name,
  236. e.ace_order,
  237. e.mask,
  238. e.granting,
  239. e.granting_strategy,
  240. e.audit_success,
  241. e.audit_failure,
  242. s.username,
  243. s.identifier as security_identifier
  244. FROM
  245. {$this->options['oid_table_name']} o
  246. INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id
  247. LEFT JOIN {$this->options['entry_table_name']} e ON (
  248. e.class_id = o.class_id AND (e.object_identity_id = o.id OR e.object_identity_id IS NULL)
  249. )
  250. LEFT JOIN {$this->options['sid_table_name']} s ON (
  251. s.id = e.security_identity_id
  252. )
  254. WHERE (o.id =
  255. SELECTCLAUSE;
  257. $sql .= implode(' OR o.id = ', $ancestorIds).')';
  259. return $sql;
  260. }
  262. protected function getAncestorLookupSql(array $batch)
  263. {
  264. $sql = <<<SELECTCLAUSE
  265. SELECT a.ancestor_id
  266. FROM
  267. {$this->options['oid_table_name']} o
  268. INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id
  269. INNER JOIN {$this->options['oid_ancestors_table_name']} a ON a.object_identity_id = o.id
  270. WHERE (
  271. SELECTCLAUSE;
  273. $types = [];
  274. $count = \count($batch);
  275. for ($i = 0; $i < $count; ++$i) {
  276. if (!isset($types[$batch[$i]->getType()])) {
  277. $types[$batch[$i]->getType()] = true;
  279. // if there is more than one type we can safely break out of the
  280. // loop, because it is the differentiator factor on whether to
  281. // query for only one or more class types
  282. if (\count($types) > 1) {
  283. break;
  284. }
  285. }
  286. }
  288. if (1 === \count($types)) {
  289. $ids = [];
  290. for ($i = 0; $i < $count; ++$i) {
  291. $identifier = (string) $batch[$i]->getIdentifier();
  292. $ids[] = $this->connection->quote($identifier);
  293. }
  295. $sql .= sprintf(
  296. '(o.object_identifier IN (%s) AND c.class_type = %s)',
  297. implode(',', $ids),
  298. $this->connection->quote($batch[0]->getType())
  299. );
  300. } else {
  301. $where = '(o.object_identifier = %s AND c.class_type = %s)';
  302. for ($i = 0; $i < $count; ++$i) {
  303. $sql .= sprintf(
  304. $where,
  305. $this->connection->quote($batch[$i]->getIdentifier()),
  306. $this->connection->quote($batch[$i]->getType())
  307. );
  309. if ($i + 1 < $count) {
  310. $sql .= ' OR ';
  311. }
  312. }
  313. }
  315. $sql .= ')';
  317. return $sql;
  318. }
  320. /**
  321. * Constructs the SQL for retrieving child object identities for the given
  322. * object identities.
  323. *
  324. * @param bool $directChildrenOnly
  325. *
  326. * @return string
  327. */
  328. protected function getFindChildrenSql(ObjectIdentityInterface $oid, $directChildrenOnly)
  329. {
  330. if (false === $directChildrenOnly) {
  331. $query = <<<FINDCHILDREN
  332. SELECT o.object_identifier, c.class_type
  333. FROM
  334. {$this->options['oid_table_name']} o
  335. INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id
  336. INNER JOIN {$this->options['oid_ancestors_table_name']} a ON a.object_identity_id = o.id
  337. WHERE
  338. a.ancestor_id = %d AND a.object_identity_id != a.ancestor_id
  339. FINDCHILDREN;
  340. } else {
  341. $query = <<<FINDCHILDREN
  342. SELECT o.object_identifier, c.class_type
  343. FROM {$this->options['oid_table_name']} o
  344. INNER JOIN {$this->options['class_table_name']} c ON c.id = o.class_id
  345. WHERE o.parent_object_identity_id = %d
  346. FINDCHILDREN;
  347. }
  349. return sprintf($query, $this->retrieveObjectIdentityPrimaryKey($oid));
  350. }
  352. /**
  353. * Constructs the SQL for retrieving the primary key of the given object
  354. * identity.
  355. *
  356. * @return string
  357. */
  358. protected function getSelectObjectIdentityIdSql(ObjectIdentityInterface $oid)
  359. {
  360. $query = <<<QUERY
  361. SELECT o.id
  362. FROM %s o
  363. INNER JOIN %s c ON c.id = o.class_id
  364. WHERE o.object_identifier = %s AND c.class_type = %s
  365. QUERY;
  367. return sprintf(
  368. $query,
  369. $this->options['oid_table_name'],
  370. $this->options['class_table_name'],
  371. $this->connection->quote((string) $oid->getIdentifier()),
  372. $this->connection->quote((string) $oid->getType())
  373. );
  374. }
  376. /**
  377. * Returns the primary key of the passed object identity.
  378. *
  379. * @return int
  380. */
  381. final protected function retrieveObjectIdentityPrimaryKey(ObjectIdentityInterface $oid)
  382. {
  383. return $this->connection->executeQuery($this->getSelectObjectIdentityIdSql($oid))->fetchOne();
  384. }
  386. /**
  387. * This method is called when an ACL instance is retrieved from the cache.
  388. */
  389. private function updateAceIdentityMap(AclInterface $acl)
  390. {
  391. foreach (['classAces', 'classFieldAces', 'objectAces', 'objectFieldAces'] as $property) {
  392. $reflection = new \ReflectionProperty($acl, $property);
  393. $reflection->setAccessible(true);
  394. $value = $reflection->getValue($acl);
  396. if ('classAces' === $property || 'objectAces' === $property) {
  397. $this->doUpdateAceIdentityMap($value);
  398. } else {
  399. foreach ($value as $field => $aces) {
  400. $this->doUpdateAceIdentityMap($value[$field]);
  401. }
  402. }
  404. $reflection->setValue($acl, $value);
  405. $reflection->setAccessible(false);
  406. }
  407. }
  409. /**
  410. * Retrieves all the ids which need to be queried from the database
  411. * including the ids of parent ACLs.
  412. *
  413. * @return array
  414. */
  415. private function getAncestorIds(array $batch)
  416. {
  417. $sql = $this->getAncestorLookupSql($batch);
  419. $ancestorIds = [];
  420. foreach ($this->connection->executeQuery($sql)->fetchAllAssociative() as $data) {
  421. // FIXME: skip ancestors which are cached
  422. // Fix: Oracle returns keys in uppercase
  423. $ancestorIds[] = reset($data);
  424. }
  426. return $ancestorIds;
  427. }
  429. /**
  430. * Does either overwrite the passed ACE, or saves it in the global identity
  431. * map to ensure every ACE only gets instantiated once.
  432. */
  433. private function doUpdateAceIdentityMap(array &$aces)
  434. {
  435. foreach ($aces as $index => $ace) {
  436. if (isset($this->loadedAces[$ace->getId()])) {
  437. $aces[$index] = $this->loadedAces[$ace->getId()];
  438. } else {
  439. $this->loadedAces[$ace->getId()] = $ace;
  440. }
  441. }
  442. }
  444. /**
  445. * This method is called for object identities which could not be retrieved
  446. * from the cache, and for which thus a database query is required.
  447. *
  448. * @return \SplObjectStorage<ObjectIdentityInterface,AclInterface> mapping object identities to ACL instances
  449. *
  450. * @throws AclNotFoundException
  451. */
  452. private function lookupObjectIdentities(array $batch, array $sids, array $oidLookup)
  453. {
  454. $ancestorIds = $this->getAncestorIds($batch);
  455. if (!$ancestorIds) {
  456. throw new AclNotFoundException('There is no ACL for the given object identity.');
  457. }
  459. $sql = $this->getLookupSql($ancestorIds);
  460. $stmt = $this->connection->executeQuery($sql);
  462. return $this->hydrateObjectIdentities($stmt, $oidLookup, $sids);
  463. }
  465. /**
  466. * This method is called to hydrate ACLs and ACEs.
  467. *
  468. * This method was designed for performance; thus, a lot of code has been
  469. * inlined at the cost of readability, and maintainability.
  470. *
  471. * Keep in mind that changes to this method might severely reduce the
  472. * performance of the entire ACL system.
  473. *
  474. * @return \SplObjectStorage<ObjectIdentityInterface,AclInterface>
  475. *
  476. * @throws \RuntimeException
  477. */
  478. private function hydrateObjectIdentities(Result $stmt, array $oidLookup, array $sids)
  479. {
  480. /** @var \SplObjectStorage<Acl,string> */
  481. $parentIdToFill = new \SplObjectStorage();
  482. $acls = $aces = $emptyArray = [];
  483. $oidCache = $oidLookup;
  484. /** @var \SplObjectStorage<ObjectIdentityInterface,AclInterface> */
  485. $result = new \SplObjectStorage();
  486. $loadedAces = &$this->loadedAces;
  487. $loadedAcls = &$this->loadedAcls;
  488. $permissionGrantingStrategy = $this->permissionGrantingStrategy;
  490. // we need these to set protected properties on hydrated objects
  491. $aclReflection = new \ReflectionClass(Acl::class);
  492. $aclClassAcesProperty = $aclReflection->getProperty('classAces');
  493. $aclClassAcesProperty->setAccessible(true);
  494. $aclClassFieldAcesProperty = $aclReflection->getProperty('classFieldAces');
  495. $aclClassFieldAcesProperty->setAccessible(true);
  496. $aclObjectAcesProperty = $aclReflection->getProperty('objectAces');
  497. $aclObjectAcesProperty->setAccessible(true);
  498. $aclObjectFieldAcesProperty = $aclReflection->getProperty('objectFieldAces');
  499. $aclObjectFieldAcesProperty->setAccessible(true);
  500. $aclParentAclProperty = $aclReflection->getProperty('parentAcl');
  501. $aclParentAclProperty->setAccessible(true);
  503. // fetchAll() consumes more memory than consecutive calls to fetch(),
  504. // but it is faster
  505. foreach ($stmt->fetchAllNumeric() as $data) {
  506. [$aclId,
  507. $objectIdentifier,
  508. $parentObjectIdentityId,
  509. $entriesInheriting,
  510. $classType,
  511. $aceId,
  512. $objectIdentityId,
  513. $fieldName,
  514. $aceOrder,
  515. $mask,
  516. $granting,
  517. $grantingStrategy,
  518. $auditSuccess,
  519. $auditFailure,
  520. $username,
  521. $securityIdentifier] = array_values($data);
  523. // FIX: remove duplicate slashes
  524. $classType = str_replace('\\\\', '\\', $classType);
  526. // has the ACL been hydrated during this hydration cycle?
  527. if (isset($acls[$aclId])) {
  528. $acl = $acls[$aclId];
  529. // has the ACL been hydrated during any previous cycle, or was possibly loaded
  530. // from cache?
  531. } elseif (isset($loadedAcls[$classType][$objectIdentifier])) {
  532. $acl = $loadedAcls[$classType][$objectIdentifier];
  534. // keep reference in local array (saves us some hash calculations)
  535. $acls[$aclId] = $acl;
  537. // attach ACL to the result set; even though we do not enforce that every
  538. // object identity has only one instance, we must make sure to maintain
  539. // referential equality with the oids passed to findAcls()
  540. $oidCacheKey = $objectIdentifier.$classType;
  541. if (!isset($oidCache[$oidCacheKey])) {
  542. $oidCache[$oidCacheKey] = $acl->getObjectIdentity();
  543. }
  544. $result->attach($oidCache[$oidCacheKey], $acl);
  545. // so, this hasn't been hydrated yet
  546. } else {
  547. // create object identity if we haven't done so yet
  548. $oidLookupKey = $objectIdentifier.$classType;
  549. if (!isset($oidCache[$oidLookupKey])) {
  550. $oidCache[$oidLookupKey] = new ObjectIdentity($objectIdentifier, $classType);
  551. }
  553. $acl = new Acl((int) $aclId, $oidCache[$oidLookupKey], $permissionGrantingStrategy, $emptyArray, (bool) $entriesInheriting);
  555. // keep a local, and global reference to this ACL
  556. $loadedAcls[$classType][$objectIdentifier] = $acl;
  557. $acls[$aclId] = $acl;
  559. // try to fill in parent ACL, or defer until all ACLs have been hydrated
  560. if (null !== $parentObjectIdentityId) {
  561. if (isset($acls[$parentObjectIdentityId])) {
  562. $aclParentAclProperty->setValue($acl, $acls[$parentObjectIdentityId]);
  563. } else {
  564. $parentIdToFill->attach($acl, $parentObjectIdentityId);
  565. }
  566. }
  568. $result->attach($oidCache[$oidLookupKey], $acl);
  569. }
  571. // check if this row contains an ACE record
  572. if (null !== $aceId) {
  573. // have we already hydrated ACEs for this ACL?
  574. if (!isset($aces[$aclId])) {
  575. $aces[$aclId] = [$emptyArray, $emptyArray, $emptyArray, $emptyArray];
  576. }
  578. // has this ACE already been hydrated during a previous cycle, or
  579. // possible been loaded from cache?
  580. // It is important to only ever have one ACE instance per actual row since
  581. // some ACEs are shared between ACL instances
  582. if (!isset($loadedAces[$aceId])) {
  583. if (!isset($sids[$key = ($username ? '1' : '0').$securityIdentifier])) {
  584. if ($username) {
  585. $sids[$key] = new UserSecurityIdentity(
  586. substr($securityIdentifier, 1 + $pos = strpos($securityIdentifier, '-')),
  587. substr($securityIdentifier, 0, $pos)
  588. );
  589. } else {
  590. $sids[$key] = new RoleSecurityIdentity($securityIdentifier);
  591. }
  592. }
  594. if (null === $fieldName) {
  595. $loadedAces[$aceId] = new Entry((int) $aceId, $acl, $sids[$key], $grantingStrategy, (int) $mask, (bool) $granting, (bool) $auditFailure, (bool) $auditSuccess);
  596. } else {
  597. $loadedAces[$aceId] = new FieldEntry((int) $aceId, $acl, $fieldName, $sids[$key], $grantingStrategy, (int) $mask, (bool) $granting, (bool) $auditFailure, (bool) $auditSuccess);
  598. }
  599. }
  600. $ace = $loadedAces[$aceId];
  602. // assign ACE to the correct property
  603. if (null === $objectIdentityId) {
  604. if (null === $fieldName) {
  605. $aces[$aclId][0][$aceOrder] = $ace;
  606. } else {
  607. $aces[$aclId][1][$fieldName][$aceOrder] = $ace;
  608. }
  609. } else {
  610. if (null === $fieldName) {
  611. $aces[$aclId][2][$aceOrder] = $ace;
  612. } else {
  613. $aces[$aclId][3][$fieldName][$aceOrder] = $ace;
  614. }
  615. }
  616. }
  617. }
  619. // We do not sort on database level since we only want certain subsets to be sorted,
  620. // and we are going to read the entire result set anyway.
  621. // Sorting on DB level increases query time by an order of magnitude while it is
  622. // almost negligible when we use PHPs array sort functions.
  623. foreach ($aces as $aclId => $aceData) {
  624. $acl = $acls[$aclId];
  626. ksort($aceData[0]);
  627. $aclClassAcesProperty->setValue($acl, $aceData[0]);
  629. foreach (array_keys($aceData[1]) as $fieldName) {
  630. ksort($aceData[1][$fieldName]);
  631. }
  632. $aclClassFieldAcesProperty->setValue($acl, $aceData[1]);
  634. ksort($aceData[2]);
  635. $aclObjectAcesProperty->setValue($acl, $aceData[2]);
  637. foreach (array_keys($aceData[3]) as $fieldName) {
  638. ksort($aceData[3][$fieldName]);
  639. }
  640. $aclObjectFieldAcesProperty->setValue($acl, $aceData[3]);
  641. }
  643. // fill-in parent ACLs where this hasn't been done yet cause the parent ACL was not
  644. // yet available
  645. $processed = 0;
  646. foreach ($parentIdToFill as $acl) {
  647. $parentId = $parentIdToFill->offsetGet($acl);
  649. // let's see if we have already hydrated this
  650. if (isset($acls[$parentId])) {
  651. $aclParentAclProperty->setValue($acl, $acls[$parentId]);
  652. ++$processed;
  654. continue;
  655. }
  656. }
  658. // reset reflection changes
  659. $aclClassAcesProperty->setAccessible(false);
  660. $aclClassFieldAcesProperty->setAccessible(false);
  661. $aclObjectAcesProperty->setAccessible(false);
  662. $aclObjectFieldAcesProperty->setAccessible(false);
  663. $aclParentAclProperty->setAccessible(false);
  665. // this should never be true if the database integrity hasn't been compromised
  666. if ($processed < \count($parentIdToFill)) {
  667. throw new \RuntimeException('Not all parent ids were populated. This implies an integrity problem.');
  668. }
  670. return $result;
  671. }
  672. }