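/**
 * Revokes the permission described by $context on the given ACL.
 *
 * The ACE collection is the field-level one when the context carries a field,
 * otherwise the plain collection for the permission type. Every ACE in it for
 * which $context->equals() is true is deleted by index. When nothing matched,
 * a non-granting ACE with the same type, field, security identity and mask is
 * built and handed to doApplyPermission().
 *
 * Security notes for reviewers:
 * - Matching relies on equals() only. Per the original TODO, an ACE with a
 *   different bit mask that still includes these permissions is probably not
 *   removed, and multiple ACEs may not be handled, so a grant can outlive the
 *   revoke. Confirm against the equals() implementation.
 * - In the fallback case the outcome depends on where doApplyPermission()
 *   places the non-granting ACE and how the ACL evaluates ACE order; neither
 *   is visible in this method. TODO confirm that the deny entry takes effect.
 * - $type is interpolated into a method name on $acl. This assumes
 *   getPermissionType() only yields values from a fixed set that map to
 *   existing delete*Ace methods; verify it is never derived from request data.
 *
 * @param MutableAclInterface        $acl     ACL whose ACEs are deleted or extended
 * @param PermissionContextInterface $context permission (type, field, identity, mask) to revoke
 *
 * @return void
 */
protected function doRevokePermission(MutableAclInterface $acl, PermissionContextInterface $context)
{
    $type = $context->getPermissionType();
    $field = $context->getField();
    $isFieldLevel = $field !== null;

    $aceCollection = $isFieldLevel
        ? $this->getFieldAceCollection($acl, $type, $field)
        : $this->getAceCollection($acl, $type);

    $found = false;

    // Iterate from the highest index down; presumably so that deleting index
    // $i does not disturb the lower indexes that are still to be checked.
    for ($i = count($aceCollection) - 1; $i >= 0; $i--) {
        // @todo: probably not working if there are multiple ACEs, or ACEs with
        // a different bit mask that nevertheless include these permissions.
        if (!$context->equals($aceCollection[$i])) {
            continue;
        }

        if ($isFieldLevel) {
            $acl->{"delete{$type}FieldAce"}($i, $field);
        } else {
            $acl->{"delete{$type}Ace"}($i);
        }

        $found = true;
    }

    if (!$found) {
        // No matching ACE to delete: create a non-granting ACE for this
        // permission instead (the trailing false is the "granting" flag).
        $newContext = $this->doCreatePermissionContext(
            $context->getPermissionType(),
            $field,
            $context->getSecurityIdentity(),
            $context->getMask(),
            false
        );
        $this->doApplyPermission($acl, $newContext);
    }
}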