I have a simple project which does not require a complicated ACL. I created a custom action in my custom controller that extends CRUDController, and there I check access like this:
$this->admin->checkAccess('verify', $object);
In templates I check access like:
{% if admin.isGranted('VERIFY', object) %}
My Admin user can have roles: ADMIN or SUPER_ADMIN.
Wouldn't it be better just to check the role instead:
$authorizationChecker->isGranted('SUPER_ADMIN');
{% if is_granted('SUPER_ADMIN') %}
What's the big deal about using admin for access control? For me, just checking whether the user is ADMIN or SUPER_ADMIN seems much easier.
The reason you want it to go via the 'admin' and not straight to the AuthorizationChecker is the following:
Sonata will take its own settings into account: you can change the security strategy Sonata uses (noop vs. roles vs. acl vs. custom) without having to change the places where you 'check' access.
Does this explanation make sense?
I'm trying to create a pretty simple application: I'm using FOSUserBundle and ACL.
I have an entity called Site; users can create sites. When they do so, I assign the user as owner of the site.
Now I'd like to have a page where I list the domains the user owns or has read permissions on. I've been searching, but I couldn't find anything to solve it.
Why don't you set up a normal entity relation between User and Site? Then you just do $user->getSites() or write a custom query, and there you get all of this user's sites.
Then for security you can use voters, as stated in the comment above, or you can also just use a security annotation with an expression like @Security("user.getSites().contains(site)").
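The voter approach mentioned above, as an added example that is not part of the original answer or of FOSUserBundle. It assumes a hypothetical entity API: Site::getOwner() returns the owning User, Site::getReaders() returns a Doctrine Collection of Users with read permission, and both entities expose getId().

```php
<?php
// Added example, not from the original answer or from FOSUserBundle: a voter
// that decides VIEW/EDIT on a Site. Assumed (hypothetical) entity API:
// Site::getOwner(), Site::getReaders() (Doctrine Collection of User), getId().
namespace AppBundle\Security;

use AppBundle\Entity\Site;
use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class SiteVoter extends Voter
{
    const VIEW = 'VIEW';
    const EDIT = 'EDIT';

    protected function supports($attribute, $subject)
    {
        // Vote only on Site objects and on attributes we understand;
        // abstaining leaves other decisions (e.g. role checks) to other voters.
        return $subject instanceof Site
            && in_array($attribute, array(self::VIEW, self::EDIT), true);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // anonymous or unexpected user type: deny, do not abstain
        }

        /** @var Site $site */
        $site = $subject;
        // Compare ids rather than object identity so a user loaded through a
        // different entity manager still matches.
        $owner = $site->getOwner();
        $isOwner = null !== $owner && $owner->getId() === $user->getId();

        switch ($attribute) {
            case self::EDIT:
                return $isOwner;
            case self::VIEW:
                return $isOwner || $site->getReaders()->exists(function ($key, User $reader) use ($user) {
                    return $reader->getId() === $user->getId();
                });
        }

        return false;
    }
}
```

Register the class as a service tagged `security.voter`; a controller can then call `$this->denyAccessUnlessGranted('VIEW', $site)` and a template `is_granted('VIEW', site)`, while the listing page itself stays a plain query over the relation as the answer suggests.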
I'm working on a project using Symfony 2. It is a complex project and requires a lot of security elements. I'm trying to create ACLs to grant or revoke permissions to users, but I have a problem: I don't know how I can obtain the permissions for a user. I need the best way to manage ACL permissions.
I need the permission level from modules down to fields in the database, and to retrieve these permissions in the security module.
Now I have the system in 2 different databases; in one database I can't change anything, and the other database contains all of my security tables and other things, but I need to give permissions in those databases.
I was thinking of creating an external interface to manage the ACL, but this would be the same as replicating the Symfony 2 ACL.
What is the best way to manage permissions in the system using Symfony 2?
And
How can I check the permission for a field in the entity? I think the isGranted method in Twig isn't the best way, because it would query the database for every field.
You need to set roles on users; it is all described here: http://symfony.com/doc/current/book/security.html#roles
Once your roles are defined, you can use them in your access control list, or in any controller/template with the isGranted method. This is an SF2 best practice, and as far as I know there is no performance issue with the isGranted method.
You can do this in multiple ways. Inside an action in a controller:
public function helloAction($name)
{
    // Deny the request unless the user is fully authenticated (not just "remember me")
    if (!$this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) {
        throw $this->createAccessDeniedException();
    }
    // ...
}
Inside Twig:
{% if is_granted('ROLE_ADMIN') %}
    Delete
{% endif %}
I am new to Symfony. I am using FOSUserBundle for user management, and now I want to do role management (managing roles in a separate table) with FOSUserBundle and need to give access to users according to the role assigned to them. Please suggest a good solution to achieve this functionality.
You can use user groups to set the needed roles for users, and check them with the isGranted('ROLE') method in a controller or in Twig templates.
You can check the documentation for the configuration of security.yml:
https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/index.md
Then, after specifying your ROLES there in the hierarchy, you can start giving access to specific roles in the access_control part of the security.yml configuration.
For some reason you may want to check in Twig or in the controller; there are also some functions which allow you to check whether the user is granted this or that role:
$this->container->get('security.context')->isGranted('YOUR_CUSTOM_ROLE');
or in Twig:
{% if is_granted('YOUR_CUSTOM_ROLE') %} {# show some custom data #} {% endif %}
You can also add or remove roles from users using:
$user->removeRole('ROLE_ADMIN');
$user->addRole('YOUR_CUSTOM_ROLE');
$em->persist($user);
$em->flush();
This is mostly what you will need the roles for in general: access_control configuration, Twig checks, controller checks and adding/removing roles.
In my Dexterity form, I have a field "author" for anonymous users to fill in, without a logged-in user.
I define a permission called "isAnonymous" and grant "isAnonymous" to the Anonymous user,
then I use dexterity.write_permission(author='isAnonymous'), like this:
dexterity.write_permission(author='isAnonymous')
author = schema.TextLine(
    title=_(u'Author'),
)
But this method fails: even a logged-in user can see this field.
This page
http://docs.plone.org/develop/plone/security/standard_permissions.html
has a note:
if a permission is granted to Anonymous, it is effectively granted to
everyone. It is not possible to grant permissions to non-logged in
users without also granting them to logged in ones.
So, do you have any suggestion?
AFAIK you cannot solve your problem with the security system. But you can customise the Dexterity add/edit form.
Then you have the full power :-) and you can implement a condition which shows your field or not.
Dexterity forms are based on z3c.form, so they feature several methods which you can override (call super and do your stuff).
In your case the code may look like this.
...
# I would recommend to use the `updateWidgets` method.
def updateWidgets(self):
    super(CustomAddEditView, self).updateWidgets()
    from plone import api
    # Logged-in users get the widget hidden; anonymous users still see it
    if not api.user.is_anonymous():
        from z3c.form.interfaces import HIDDEN_MODE
        self.widgets['author'].mode = HIDDEN_MODE
...
More about hiding fields in the z3c.form documentation.
I have an entity "Vehicles" which has a ManyToOne relation with another entity, "Department". I can set a "department" property on a user. I would like this user (who has the ROLE_DEPARTMENT_MANAGER role) to be able to see (list, create, delete, etc.) only the vehicles from his own department.
Using roles I could restrict access to specific actions. I think I should use ACL, but I am not sure how to do it or how Sonata Admin will behave.
I found a similar question here, but nobody answered it: Sonata Admin Bundle filter show entity from role user
Would you tell me how to do it in Sonata Admin Bundle?
You can customize the query used to generate the list in your VehicleAdmin class:
http://sonata-project.org/bundles/admin/master/doc/reference/action_list.html#customizing-the-query-used-to-generate-the-list
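The query customization linked above, as an added example that is not part of the original answer or of Sonata itself. It assumes Sonata Admin 3.x and hypothetical entity methods Vehicle::getDepartment(), User::getDepartment() and Department::getId(); it also goes one step further than the answer by re-checking the department on single-object actions, since a filtered list does not stop someone opening another department's vehicle by id.

```php
<?php
// Added example, not code from the original answer or from Sonata itself.
// Assumes Sonata Admin 3.x and hypothetical entity methods:
// Vehicle::getDepartment(), User::getDepartment(), Department::getId().
namespace AppBundle\Admin;

use Sonata\AdminBundle\Admin\AbstractAdmin;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class VehicleAdmin extends AbstractAdmin
{
    // Scope the list (and its filters/exports) to the manager's own department.
    public function createQuery($context = 'list')
    {
        $query = parent::createQuery($context);
        if ($this->isSuperAdmin()) {
            return $query; // super admins keep the unfiltered list
        }

        $alias = $query->getRootAliases()[0];
        $query->andWhere($query->expr()->eq($alias . '.department', ':department'));
        $query->setParameter('department', $this->currentUser()->getDepartment());

        return $query;
    }

    // Filtering the list only hides rows: show/edit/delete fetch objects by id,
    // so the department rule is enforced again here after Sonata's own check.
    public function checkAccess($action, $object = null)
    {
        parent::checkAccess($action, $object);
        if (null === $object || $this->isSuperAdmin()) {
            return;
        }
        if ($object->getDepartment()->getId() !== $this->currentUser()->getDepartment()->getId()) {
            throw new AccessDeniedException(sprintf('"%s" denied: vehicle belongs to another department.', $action));
        }
    }

    private function currentUser()
    {
        return $this->getConfigurationPool()->getContainer()
            ->get('security.token_storage')->getToken()->getUser();
    }

    private function isSuperAdmin()
    {
        return $this->getConfigurationPool()->getContainer()
            ->get('security.authorization_checker')->isGranted('ROLE_SUPER_ADMIN');
    }
}
```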