
@dbu
Created November 1, 2012 11:49
Doctrine ACL MutableAclProvider
usage:
$ownids = $this->aclProvider->getAllowedEntitiesIds(
<fully qualified entity class name>,
$sids,
(MaskBuilder::MASK_OWNER | MaskBuilder::MASK_LIST),
false
);
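/**
 * An implementation of the MutableAclProviderInterface using Doctrine DBAL.
 *
 * Extends the base provider with a bulk lookup that returns the object
 * identifiers of one class for which a set of security identities holds an
 * access control entry (ACE) overlapping a permission mask.
 *
 * NOTE(review): the lookup is a single SQL filter on identifier, mask and
 * class. It does not consult any other ACE column and does not walk parent
 * ACLs, so treat the result as a pre-filter for listings and still run the
 * regular per-object access check before acting on an entity.
 *
 * @author Stefan Paschke <stefan.paschke@liip.ch>
 */
class MutableAclProvider extends BaseMutableAclProvider
{
    /**
     * Get the entities Ids for the className that match the given role & mask
     *
     * The returned identifiers are raw column values from the object identity
     * table. With $asString = true they are joined with ',' and are neither
     * quoted nor escaped: do not concatenate that string into another SQL
     * statement (for example an IN (...) clause). Request the array form and
     * bind the values as parameters instead.
     *
     * @param string                      $className the model class we are looking for
     * @param SecurityIdentityInterface[] $sids      list of security identities
     * @param integer                     $mask      what operations should be allowed to perform
     * @param bool                        $asString  Return a comma-delimited string with the ids instead of an array
     *
     * @return array|string array of all entity ids for which the operations specified
     *                      in the mask are allowed. if $asString is true, implodes the array with ','.
     *                      Empty array/string if no matching entities.
     */
    public function getAllowedEntitiesIds($className, array $sids, $mask, $asString = true)
    {
        // Query the database for ACE's matching the mask for the given roles
        $sql = $this->getEntitiesIdsMatchingRoleMaskSql($className, $sids, $mask);
        $ids = $this->connection->executeQuery($sql)->fetchAll(\PDO::FETCH_COLUMN);

        if ($asString) {
            return implode(',', $ids);
        }

        return $ids;
    }

    /**
     * Build the SELECT statement used by getAllowedEntitiesIds().
     *
     * Matching rules, as written in the query:
     *  - only entries with a non-null object_identity_id are considered;
     *  - (e.mask & $requiredMask) > 0 accepts an entry as soon as ANY bit of
     *    the required mask is set, so a combined mask such as
     *    MASK_OWNER | MASK_LIST means "owner or list", not "owner and list";
     *  - security identities are matched on s.identifier only.
     *
     * NOTE(review): if the entry table follows the Symfony ACL schema it also
     * carries a granting flag and an entry order; neither is referenced here,
     * so a denying entry would be reported like a granting one. Confirm that
     * deny entries are not in use, or extend the WHERE clause.
     *
     * Identifier and class name values go through Connection::quote(). The
     * table names are interpolated unquoted and must come from trusted
     * configuration only; $requiredMask is forced to an integer by %d.
     *
     * @param string                      $className    the model class we are looking for
     * @param SecurityIdentityInterface[] $sids         list of security identities
     * @param integer                     $requiredMask bitmask of the requested permissions
     *
     * @return string the SQL statement
     */
    public function getEntitiesIdsMatchingRoleMaskSql($className, array $sids, $requiredMask)
    {
        $sidSql = array();
        foreach ($sids as $sid) {
            if ($sid instanceof UserSecurityIdentity) {
                $sidSql[] = 's.identifier = '.$this->connection->quote($sid->getClass().'-'.$sid->getUsername());
            } elseif ($sid instanceof RoleSecurityIdentity) {
                $sidSql[] = 's.identifier = '.$this->connection->quote($sid->getRole());
            }
        }

        // Without any usable identity the original code produced "()", which is
        // invalid SQL. Nobody to match means nothing is allowed, so fall back
        // to a condition that is never true and let the query return no rows.
        if (0 === count($sidSql)) {
            $rolesSql = '(1 = 0)';
        } else {
            $rolesSql = '('.implode(' OR ', $sidSql).')';
        }

        $sql = 'SELECT
oid.object_identifier
FROM
%s e
JOIN
%s oid ON (oid.id = e.object_identity_id)
JOIN
%s s ON (s.id = e.security_identity_id)
JOIN
%s class ON (class.id = e.class_id)
WHERE
%s AND
(e.mask & %d) > 0 AND
%s AND
class.class_type = %s
GROUP BY
oid.object_identifier';

        return sprintf(
            $sql,
            $this->options['entry_table_name'],
            $this->options['oid_table_name'],
            $this->options['sid_table_name'],
            $this->options['class_table_name'],
            $this->connection->getDatabasePlatform()->getIsNotNullExpression('e.object_identity_id'),
            $requiredMask,
            $rolesSql,
            $this->connection->quote($className)
        );
    }
}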