
Symfony2 Authorization: Voters Vs. ACL

I'm about to start a project that will require several kinds of users with different "powers".

To give a bit of context I'm expecting between 1000 and 10000 users.

I have at least 3 "layers": A, B, C

"A" could be "consulting companies", each with different clients "B", each with several projects "C".

One user might need to see an overview of all the projects managed by his company "A". Another just the ones of one of the companies "B". Another just project "A". Some users might be granted more fine grained detail on each level (maybe a user has fine grained level on "B" level but does not see anything on "A" level). Some users might have only read permission, others read and modify, others read, modify and create.

In the end I might end up with 100000 or one million "objects" to which I have to grant read/write/delete/modify permission.

I have to choose between a relatively simple Voters system or a full-fledged ACL. I noticed that ACL is not that well documented, despite seeming pretty powerful. I almost discarded Voters, but then I read this article which made me change my mind. Quote from the article:

This is typically what you think of when you talk about ACL: the ability to say that “this user” has access to “edit” some “object”. In Symfony2, you can leverage a custom voter to use whatever complex business logic you have to determine this.

According to the article you can use Voters for this as:

One other commonly-unknown property of isGranted is that there’s a second argument, which is any type of “object”

So here are my questions considering the context I've exposed:

1) Will the Voters option grant all the flexibility I need?

2) Will it be OK performance-wise? (ACL specifically states that even with millions of objects there is no performance decay; I have doubts about Voters.)

3) If I opt for Voters, can I safely use the FOSUserBundle, despite it specifying something related to Symfony 1.2?

Sergio Negri asked Dec 03 '14 21:12


1 Answer

You probably should use voters in your case. There was quite a good talk about it at SymfonyCon in Warsaw in 2013 - https://www.youtube.com/watch?v=e7HfW4TgnUY

1) A voter will grant all the flexibility you need. You register the voter as a service (link), so you can pass the EntityManager, Doctrine Registry, EntityRepository or any service you want to the voter.

2) It is probably not performance-wise, but you should measure and profile it first somehow (and share it in a blog post, because this can be quite interesting).

3) Of course you can. Related to Symfony 1.2? Do you mean Symfony 2.1? You can see on Packagist that FOSUser supports all current versions of Symfony :)

l3l0 answered Sep 18 '22 01:09
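
The layered A/B/C check from the question, sketched as a voter with an injected service as the answer suggests. This is an added example, not code from the question or the answer; it assumes symfony/security-core with Symfony 6/7-style `Voter` signatures (the 2014-era `VoterInterface` differs), and `Project`, `GrantLookup`, the scope names and the level ordering are hypothetical.

```php
<?php
// Added example, not from the original thread. Requires symfony/security-core.
// Project, GrantLookup, the scope names and the level numbers are hypothetical.

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

interface GrantLookup
{
    /** Level granted to $user on exactly this scope, or null if no grant exists. */
    public function levelFor(UserInterface $user, string $scopeType, int $scopeId): ?int;
}

final class Project
{
    public function __construct(
        public readonly int $id,         // layer "C"
        public readonly int $clientId,   // layer "B"
        public readonly int $companyId,  // layer "A"
    ) {}
}

final class ProjectVoter extends Voter
{
    // Minimum grant level each attribute needs (assumed ordering).
    private const REQUIRED = ['VIEW' => 1, 'EDIT' => 2, 'DELETE' => 3];

    public function __construct(private GrantLookup $grants) {}

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Abstain on anything that is not a known permission on a Project.
        return $subject instanceof Project && isset(self::REQUIRED[$attribute]);
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // not authenticated: deny
        }
        // Most specific scope first: project "C", then client "B", then company "A".
        $scopes = [['project', $subject->id], ['client', $subject->clientId], ['company', $subject->companyId]];
        foreach ($scopes as [$type, $id]) {
            $level = $this->grants->levelFor($user, $type, $id);
            if ($level !== null) {
                return $level >= self::REQUIRED[$attribute]; // nearest grant decides
            }
        }
        return false; // no grant anywhere in the chain: deny by default
    }
}
```

A controller would call `isGranted('EDIT', $project)`, using the second argument mentioned in the quoted article. The voter runs once per `isGranted` call, so listing many objects is better served by filtering in the query than by voting on each row.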