I use Symfony 2.8, I have read the cookbook about voters and advanced ACL.
But now, I can't find how to save these config roles(or voters's attributes) to database.
I also don't want hard code the permission in every controller.I want these dynamic via web page.
Symfony permission works through Voter. Whether you use ACL or not, you must integrate voter to work along with permissions.
Your voter class can also have the logic of permission stored, and you can create number of Voter classes as per your need / architecture.
So, As you asked, to store the permission logic in the database. ACL comes into picture. See the document on how to integrate Advanced ACL. Its bit complicated with custom permission mappings as I have used them.
if you too find it complicated to integrate with current requirement, you can build your own permission entities and fetch with the help of cache and use in voter to detect the authentication.
Hope this helps!
Related
So i'm working in a big project with symfony 3, But when we wanted to add the users and role managemet and access rights, we had no idea what is the best and optimized procedure to use.
So i have this Management project and i want to add user and roles so that some users can access some actions and the others not. I have more than 10 profiles and each profile has a specific access rights.
So i thought maybe you can help me by telling me what are the methods and bundles avalaibale in symfony, so that i can pick one after a benchmarking. thanks a lot
I think you should read this article about Access Control Lists. It explains how to decide access by user and domain object. As stated in the article, it is not trivial, so an alternative is to use Voters. Here is a snippet on using Voters:
A voter is passed the object being voted on, which you can use to make
complex decisions and effectively implement your own ACL. Enforcing
authorization (e.g. the isGranted() part) will look similar to what
you see in this entry, but your voter class will handle the logic
behind the scenes, instead of the ACL system.
I would urge you to consider this path instead of searching for a bundle as it is fairly easy to set up and gives you a pretty good control over access rights.
I'm trying to create a pretty simple application: I'm using FOS user bundle and ACL.
I have an entitie called Site, the users can create sites. When they do so I assign the use as owner of the site.
Now I'd like to have a page where I list the domains the users owns or he has read permissions. I've been searching but I couldn't find anything to solve it.
Why don't you set up a normal entity relation between user and site? Then you just do $user->getSites() or write a custom query and there you get all of this user's sites.
Then for security you can use voters, as stated in the comment above, or you can also just use a security annotation with an expression like #Security("user.getSites().contains(site)").
I'm working on a Symfony app that will have some basic roles that can be assigned to users. Note, I'm not using the FOSUserBundle because I don't need more than half the features in it.
I have my users defined in the database, but I'd like to keep the role definitions out of the database. But several examples and other tutorials I've found keep the roles in the database, and use a ManyToMany relationship to assign them to users. This seems odd to me, since the actual use of the roles is hardcoded into the app.
For example, if I have a custom role ROLE_EDITOR, I have several routes and controllers that I may restrict to ROLE_EDITOR. Why would I "define" this role in the database? That means when developing my application and I add a new user role, I have to either write a script to programmatically insert a new role into the DB or do it manually, before the code is deployed that makes use of the role. I don't want admins to be able to add/edit/delete roles. It should be a design decision done programmatically.
In Drupal, there's a concept of Roles and Permissions. You define permissions in code and check against those, and then roles are defined in the database and are assigned permissions. But it seems that Symfony just has the concept of Roles.
I'm hoping someone can fill in a missing piece of information for me or something. How can I implement a system where the role assignments are done in the database, but the roles themselves are managed via code only?
My instinct is to just create a single entity that relates to User and has a string field for the ROLE_NAME. But this seems to go against the paradigm of having a real Role entity.
So I'm delevoping an application with multiple clients. Users could access more than one client with different roles in each case. For instance, User A has ROLE_XX for Client C1, but ROLE_YY for Client C2.
As far as I know, FosUserBundle stores the roles for a user in the column roles (default table fos_user), so this structure is not suitable for my needs.
I've read the documentation realated with roles management, but there is nothing related, so I guess it's a feature beyond the scope of FosUserBundle?.
So I was thinking about creating an addional table which relates them (client, user, role), but since I'm no FOS expert at all, I really don't know if this is the correct way to go. Or maybe I'm missing something. Any tip is appreciated!
Your requirements exceed what Symfony's security roles system provides. You will need to either maintain an ACL or encapsulate your access control logic in a custom security voter. I recently wrote about the latter approach here:
http://kriswallsmith.net/post/15994931191/symfony2-security-voters
I'm in need of a RoleProvider with the following functionality:
Dynamic Assignment of Roles to Tasks
Authentication / Authorizaiton of IPrincipals based on the dynamically allocated tasks in the system they have privilege to access
Reporting showing who is currently logged in, and other common usage statistics.
I'm pretty sure I'm going to have to roll my own, but wanted to make sure I didn't miss out on something OSS or even from MS.
I'm also using ASP.NET MVC and so my basic plan is to write a custom attribute like: [Authorize(Task=Tasks.DeleteClient)]
and place it over the methods that need authorization.
Rather than authorizing against the Role, I'll authorize the task against the role based on whatever settings the user has configured in the DB.
Thoughts?
You might want to check out NetSqlAzMan. It allows you to define tasks and assign them to roles and then authenticate and authorise your IPrincipal objects.
You may need to roll your own security attribute but NetSqlAzMan should help make that a reasonably easy task.
We had a similar issue with one of our systems. The first thing I'd do is create more AuthorizeAttribute classes for your specific tasks - e.g. DeleteClientAuthorize etc. You can then add specific logic into your classes.
As long as you can access the routines that trigger the change of roles for the current user you should be OK. Just call Membership.DeleteCookie() and this will force the next authorisation request to re-query your data store. It's at that point that you can determine what roles are required now.