I have lack of knowledge how Symfony ACL works, especially using Sonata...
Sonata has some permissions like:
LIST - view the list of objects
VIEW - view the detail of one object
CREATE - create a new object
EDIT - update an existing object
DELETE - delete an existing object
EXPORT - (for the native Sonata export links)
ALL- grants LIST, VIEW, CREATE, EDIT, DELETE and EXPORT
I also assigned my own created permissions for my own custom actions:
protected $accessMapping = array(
'VERIFY' => 'EDIT',
'UNVALIDATE' => 'EDIT',
'CLOSE' => 'EDIT'
);
As I understand I just need to grant user EDIT permission to be able to VERIFY, UNVALIDATE and CLOSE.
Admin users can have 3 roles:
security:
role_hierarchy:
ROLE_ADMIN: ROLE_SONATA_ADMIN
ROLE_SUPER_ADMIN: ROLE_ADMIN
Now depending on a role user should be able to have certain permissions.
E.g. ROLE_ADMIN should have LIST, VIEW, EDIT, EXPORT and ROLE_SUPER_ADMIN should be granted ALL.
How could I manage it?
P.S. I am NOT using SonataUserBundle!
What i usually do it just use SecurityVoters
http://www.branchbit.be/blog/using-custom-voters-in-sonata-admin
This gives you a simple way of checking roles, permissions, and object properties, and decide if a specific action, is allowed on a specififc object, by a specific user.
Related
I am trying to build a system where some user groups are allowed to switch to a certain number of users, and the admin group can switch to ANY user. My user manager is provided by FOSUserBundle I have set up security voters to achieve this, to check the user roles after the switch has occurred. I created a new voter attribute called 'IMPERSONATION' and called denyAccessUnlessGranted on the first line of the main (homepage) controller that is run after the user switching.
Inside my voter, I first get the user objects for both the impersonated and impersonator users. I try to get the impersonator user by doing the following (as described here).
foreach ($tokenStorage->getToken()->getRoles() as $role) {
if ($role instanceof SwitchUserRole) {
$impersonatorUser = $role->getSource()->getUser();
break;
}
Then, I want to return true (grant access) if the $impersonatorUser is a super admin:
if ($impersonatorUser->isSuperAdmin()) { return true; }
// ..
// ... other voter logic
However, when I try to switch user from a user that has the ROLE_SUPER_ADMIN role to a user that has a non-admin role, this line is never executed. When I do a var_dump, I found that $impersonatorUser->isSuperAdmin() returns false, and $impersonatorUser->getRoles shows that the user only has the ROLE_USER role. And since the logic after this line returns false, the voter denies access and the switch results in Access Denied error.
The user seems to have lost the ROLE_SUPER_ADMIN role after switching. Is this a bug with FosUserBundle?
My role hierarchies are set as follows:
role_hierarchy:
ROLE_ADMIN: ROLE_MENTOR
ROLE_SUPER_ADMIN: ROLE_ADMIN
The user switching option is set as follows:
switch_user: { role: ROLE_MENTOR }
How can I check for the roles of the user before switching, so I can control who can switch users?
FOSUserBundle only provides a user management system, it has nothing to do with Symfony Security and access management.
If you use symfony switch user feature to impersonate user, then you'll have an extra role ROLE_PREVIOUS_ADMIN on your impersonated user, which can be checked (see documentation)
I don't know the best solution to implement your feature, but perhaps this could help (Allow switching/impersonating only to particular users in Symfony2)
I have my roles defined as follows:
security:
role_hierarchy:
ROLE_PROFESSIONAL_SERVICES_MANAGER: [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_BRANCH_ASSISTANT]
When I try to check for permissions in my controller as below:
if($securityContext->isGranted('ROLE_PROFESSIONAL_SERVICES_MANAGER'))
The returns false because the in the profiler, the permissions appear to have been saved as shown below therefore:
"ROLE_PROFESSIONAL_SERVICES_MANAGER: ROLE_USER, ROLE_SONATA_ADMIN, ROLE_BRANCH_ASSISTANT"
Anyone know how I can resolve this?
Roles are for users not the app.
With your code you are defining that a user with role ROLE_PROFFESSIONAL_SERVICES_MANAGER will have the roles ROLE_USER, ROLE_SONATA_ADMIN and ROLE_BRANCH_ASSISTANT.
But now you need to assign that role to a user and sign that user in.
When you call $securityContext->isGranted() what it does is get the token from your current logged in user (wich you can see in the profiler) and check the roles of that user from the token.
So you need to have a user with the proper role assigned signed in.
If your already using SonatAUserBundle or FOSUserBundle use that command to create a user easily: bin/console fos:user:create
Then assign it the proper roles:
app/console fos:user:promote nameOfYourUser ROLE_PROFFESSIONAL_SERVICES_MANAGER
If your app has no user management system have a look here: https://sonata-project.org/bundles/admin/master/doc/reference/security.html#user-management
I am building a database seeder to create a random number of users with different roles. My application has two user roles: 'admin' and 'employee'.
I have managed to create a method and put it on the server side to seed the database with a random number of employees and one admin. I am trying to have a button that deletes all the users in the 'employee' role but not the 'admin' role.
I have used alanning:roles to define user roles. How can I achieve that?
I used this function
Meteor.users.remove({ "roles" : [ "patron" ] });
I'm beginning to use Symfony2 and I'm really enjoying it!
I have some questions for sure that you will help me easily!
When we use the security layer, the file security.yml we set the property access_control, usually something like this:
{Path: ^ / admin roles: ROLE_ADMIN}
Traditionally using php, my rule of access to the system I use 3 tables:
User - Users Table
Role - Roles Table
Resource - Resource Table
Permission - Grant Tables
Where, User has a role, and a permission is related to a role and a resource. To check whether the user has access to a resource, check the table permission.
Bringing Symfony2, the property "path" would be a resource and ROLE_ADMIN would be the role of the user.
How to do that security.yml, load the settings from the database. I searched the official documentation and found nothing.
For now, thanks
Actually, the way to "read" the path (in the security.yml file) is:
- { path: ^/this/(path|regex|here)$, roles: {CAN_BE_ACCESED_ONLY, BY_THESE_ROLES} }
now, from where do you know which user has which role?
From wherever you load your users.
e.g.:
public function getRoles()
{
return array('ROLE_USER');
}
Maybe you will find your answers here. It descripes how to load users from Database:
How to Load Security Users from the Database (the Entity Provider)
I would recommend to use FOSUserBundle. It is very easy to handle and helps you managing your Security in Symfony2
FOSUserBundle
Regards!
I'm using Sonata Admin for a project and i have a problem.
I'm using FosUserBundle and i have several type of users, ex Admin and Superviser.
I have two entities User and Document.
An account type Admin can manage Document and User, but I want a Superviser can only manage Document.
How can I do that ?
When I connect with a Superviser, I don't want to have the choice to create edit etc... a user
Thanks !
Sonata Admin Docs - Security
Looks like your situation can be handled with Roles:
Incorporate FOSUserBundle into Sonata Admin with SonataUserBundle (you may already have done this)
Set up appropriate roles in security.yml. These are standard Symfony Roles, but following a special Sonata Admin naming convention, e.g. (adapted from docs with your Entities):
app/config/security.yml
security:
...
role_hierarchy:
#collect specific Sonata permissions together for convenience
ROLE_SONATA_USER:
- ROLE_SONATA_ADMIN_DEMO_USER_LIST
- ROLE_SONATA_ADMIN_DEMO_USER_VIEW
- ROLE_SONATA_ADMIN_DEMO_USER_CREATE
- ROLE_SONATA_ADMIN_DEMO_USER_EDIT
- ROLE_SONATA_ADMIN_DEMO_USER_DELETE
ROLE_SONATA_DOCUMENT:
- ROLE_SONATA_ADMIN_DEMO_DOCUMENT_LIST
- ROLE_SONATA_ADMIN_DEMO_DOCUMENT_VIEW
- ROLE_SONATA_ADMIN_DEMO_DOCUMENT_CREATE
- ROLE_SONATA_ADMIN_DEMO_DOCUMENT_EDIT
- ROLE_SONATA_ADMIN_DEMO_DOCUMENT_DELETE
#roles actually assigned to users
ROLE_SUPERVISER: [ROLE_USER, ROLE_SONATA_DOCUMENT]
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_DOCUMENT, ROLE_SONATA_USER]
Assign ROLE_SUPERVISER and ROLE_ADMIN to users (via FOSUserBundle commands or $user->addRole)
These are then used by Sonata to limit access to functions, and e.g. to show which panels are appropriate on the main dashboard, and you yourself can test them to customised your own views etc