Symfony user Role inheritance - symfony

I am currently working on a system using Symfony (with FOSUserBundle), and I have multiple roles within the role_hierarchy, for which I would like to utilize inheritance.
I have the role_hierarchy of:
role_hierarchy:
    ROLE_MEMBER: ROLE_USER
    ROLE_MONITOR: ROLE_MEMBER
    ROLE_SUPERVISOR: ROLE_MONITOR
    ROLE_MANAGER: ROLE_SUPERVISOR
    ROLE_ADMIN: ROLE_MEMBER
    ROLE_SUPER_ADMIN: [ROLE_MANAGER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
If the user I am logged in as has ROLE_SUPERVISOR and I call:
    $this->get('security.context')->isGranted('ROLE_MONITOR')
I would expect this to return true, but it currently returns false.
Without adding every role to each user, is it possible to inherit roles so that if I called isGranted, it would check all other "related roles" within the hierarchy? And if so, how?

You need to put [] around your roles. This works as expected for me:
role_hierarchy:
    ROLE_USER: []
    ROLE_STAFF: [ROLE_USER]
    ROLE_SCORE_ENTRY: [ROLE_USER, ROLE_STAFF]
    ROLE_SCORE_ADMIN: [ROLE_USER, ROLE_STAFF, ROLE_SCORE_ENTRY]
    ROLE_ASSIGNOR: [ROLE_STAFF]
    ROLE_ASSIGNOR_KAC: [ROLE_ASSIGNOR]
    ROLE_ASSIGNOR_CORE: [ROLE_ASSIGNOR]
    ROLE_ASSIGNOR_EXTRA: [ROLE_ASSIGNOR]
    ROLE_ASSIGNOR_ADMIN:
        - ROLE_ASSIGNOR
        - ROLE_ASSIGNOR_KAC
        - ROLE_ASSIGNOR_CORE
        - ROLE_ASSIGNOR_EXTRA
    ROLE_DEVELOPER: [ROLE_USER]
    ROLE_ADMIN:
        - ROLE_STAFF
        - ROLE_ASSIGNOR_ADMIN
        - ROLE_SCORE_ADMIN
        - ROLE_ALLOWED_TO_SWITCH
    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN
        - ROLE_DEVELOPER
        - ROLE_ALLOWED_TO_SWITCH
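To see what isGranted() actually has to work with, here is the role-map computation that Symfony's RoleHierarchy performs at boot, written out in Python. This is an added example, not code from the question, the answer or Symfony itself; the function names are this example's own, and QUESTION_HIERARCHY is the questioner's role_hierarchy copied by hand into a dict. The scalar spelling (ROLE_MEMBER: ROLE_USER) and the list spelling ([ROLE_USER]) are both accepted by Symfony's security configuration, which splits a string value on commas, so normalise() treats them the same way. The closure is what the role-hierarchy voter consults: a user holding only ROLE_SUPERVISOR reaches ROLE_MONITOR, ROLE_MEMBER and ROLE_USER, while the reverse question (does ROLE_MONITOR reach ROLE_SUPERVISOR) is refused. A cyclic hierarchy terminates rather than looping.

```python
"""Role-hierarchy resolver modelled on Symfony's RoleHierarchy::buildRoleMap().

Added example, not code from the question, the answer or Symfony. The
hierarchy below is the questioner's role_hierarchy hand-copied into a dict;
the function names are this example's own.
"""
from typing import Dict, Iterable, List, Union

HierarchySpec = Dict[str, Union[str, List[str]]]

# The questioner's hierarchy, with the scalar (unbracketed) parents kept as
# written. Symfony's config normaliser turns such a string into a list by
# splitting on commas; normalise() reproduces that.
QUESTION_HIERARCHY: HierarchySpec = {
    "ROLE_MEMBER": "ROLE_USER",
    "ROLE_MONITOR": "ROLE_MEMBER",
    "ROLE_SUPERVISOR": "ROLE_MONITOR",
    "ROLE_MANAGER": "ROLE_SUPERVISOR",
    "ROLE_ADMIN": "ROLE_MEMBER",
    "ROLE_SUPER_ADMIN": ["ROLE_MANAGER", "ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}


def normalise(spec: HierarchySpec) -> Dict[str, List[str]]:
    """Turn every parent entry into a list, as the security config loader does."""
    out: Dict[str, List[str]] = {}
    for role, parents in spec.items():
        if isinstance(parents, str):
            parents = [p.strip() for p in parents.split(",") if p.strip()]
        out[role] = list(parents)
    return out


def build_role_map(spec: HierarchySpec) -> Dict[str, List[str]]:
    """Transitive closure: for each role with parents, every role it reaches.

    A role is expanded at most once per starting role, so a cycle
    (ROLE_A: [ROLE_B], ROLE_B: [ROLE_A]) terminates instead of looping.
    """
    hierarchy = normalise(spec)
    role_map: Dict[str, List[str]] = {}
    for main, parents in hierarchy.items():
        reachable = list(parents)
        visited = set()
        queue = list(parents)
        while queue:
            role = queue.pop(0)
            if role not in hierarchy or role in visited:
                continue  # leaf role, or already expanded for this starting role
            visited.add(role)
            for grandparent in hierarchy[role]:
                if grandparent not in reachable:
                    reachable.append(grandparent)
                if grandparent not in visited:
                    queue.append(grandparent)
        role_map[main] = reachable
    return role_map


def reachable_roles(spec: HierarchySpec, roles: Iterable[str]) -> List[str]:
    """What RoleHierarchy::getReachableRoleNames() returns for a user's roles."""
    role_map = build_role_map(spec)
    result: List[str] = []
    for role in roles:
        if role not in result:
            result.append(role)
        for inherited in role_map.get(role, []):
            if inherited not in result:
                result.append(inherited)
    return result


def is_granted(spec: HierarchySpec, user_roles: Iterable[str], attribute: str) -> bool:
    """The decision the role-hierarchy voter makes for isGranted('ROLE_X')."""
    return attribute in reachable_roles(spec, user_roles)


if __name__ == "__main__":
    print(reachable_roles(QUESTION_HIERARCHY, ["ROLE_SUPERVISOR"]))
    print(is_granted(QUESTION_HIERARCHY, ["ROLE_SUPERVISOR"], "ROLE_MONITOR"))  # True
    print(is_granted(QUESTION_HIERARCHY, ["ROLE_MONITOR"], "ROLE_SUPERVISOR"))  # False
```

If the closure computed here grants ROLE_MONITOR but the application still returns false, the hierarchy is not what is being consulted: check that the role on the token is spelled exactly as the key in role_hierarchy and that the check goes through the security context (and therefore the role-hierarchy voter) rather than through a direct comparison against the user's stored roles.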

Related

Symfony acl and role hierarchy in dashboard

I am pretty new to Symfony and am trying to get to grips with the framework.
I use Symfony 2.8 with Sonata Admin 2.3 and User Bundle 2.2.5.
I ran into an interesting situation when adding ACL roles.
I have 2 roles in my project (user and admin) and needed to add one more (manager), but got stuck: the new role is totally ignored.
I can log in with no problems, but no dashboard is loaded in the admin_pool.
This is the part of my security.yml with the allowed roles:
acl:
    connection: default
providers:
    fos_userbundle:
        id: fos_user.user_manager
role_hierarchy:
    ROLE_USER: [VIEW, LIST]
    ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
    ROLE_DIVISION_MANAGER: [OPERATOR, EXPORT, MASTER, OWNER]
    ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
and the part of my config.yml where the roles should influence the dashboard view:
dashboard:
    blocks:
        -
            position: left
            type: sonata.admin.block.admin_list
            settings:
                groups: [sonata_divison]
    groups:
        grower.management:
            label: "Grower Management"
            roles: [ADMIN]
        sonata_user:
            label: "Users"
            roles: [ADMIN]
        sonata_divison:
            label: "Division Management"
            roles: [ROLE_DIVISION_MANAGER, DIVISION_MANAGER]
            items:
                - admin.grower
                - sonata.user.admin.user
security:
    handler: sonata.admin.security.handler.acl
    # acl security information
    information:
        OPERATOR: OPERATOR
        EXPORT: EXPORT
        LIST: LIST
        VIEW: VIEW
        USER: [VIEW, LIST]
        DIVISION_MANAGER: [OPERATOR, EXPORT]
        ADMIN: [MASTER, OWNER]
Are there any thoughts why dashboard is blank for division manager?

Referencing non-parameter entries in config.yml

I have quite extensive config.yml files and I'd like to refer to various settings there:
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_USER: ROLE_ADMIN
easy_admin:
    entities:
        Group:
            form:
                fields:
                    -
                        property: 'roles'
                        type: choice
                        type_options:
                            expanded: true
                            multiple: true
                            choices: "%security.role_hierarchy%"
Of course the last line doesn't work, because %security.role_hierarchy% refers to parameters.security.role_hierarchy. Is there any valid way to reference security.role_hierarchy in the easy_admin section?
The only valid way to do that in YAML is to use the standard anchor and alias feature. Anchors (the node that is going to be referenced) are indicated by &<name>, and aliases (one or more points where the anchor is referenced) by *<name>:
security:
    role_hierarchy: &hr1
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_USER: ROLE_ADMIN
easy_admin:
    entities:
        Group:
            form:
                fields:
                    -
                        property: 'roles'
                        type: choice
                        type_options:
                            expanded: true
                            multiple: true
                            choices: *hr1
The value for the mapping entry choices, when retrieved, will be the mapping:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_USER: ROLE_ADMIN
(translated to the hash or dictionary-like object of the programming language the YAML parser is written in), and it is the same entity as the value for the key role_hierarchy.

Symfony2 Firewall: User has right role but "Access denied"

I can't get my firewall rule working correctly. I have a user that has the role D-COMPLIANCEDIALOG, and a firewall rule that grants access to that role: - { path: ^/ , roles: D-COMPLIANCEDIALOG }. I still get an access denied (Access denied, the user is neither anonymous, nor remember-me.).
# security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    providers:
        reddot:
            id: reddot_user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic: ~
            simple_form:
                authenticator: reddot_authenticator
                check_path: login_check
                login_path: login
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ , roles: D-COMPLIANCEDIALOG }
User data from symfony profiler:
Username admin
Authenticated? yes
Roles [D-COMPLIANCEDIALOG]
Inherited Roles { }
Token class Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
What I checked:
The controller has no own security settings
The role name does not seem to have a typo
It really is the last line of the firewall rule: if I remove it, I do have access.
The role name is incorrect. Please check the documentation Security - Roles
All roles you assign to a user must begin with the ROLE_ prefix. Otherwise, they won't be handled by Symfony's security system in the normal way (i.e. unless you're doing something advanced, assigning a role like FOO to a user and then checking for FOO as described below will not work).
I faced the same issue when I entered an 'incorrect' role name, and I was confused by the error message too.
Although Symfony suggests prefixing roles with ROLE_, you can still use your custom roles via Securing by an Expression, like:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ , allow_if: "has_role('D-COMPLIANCEDIALOG')" }
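The denial in the question comes from the voters, not from authentication: the logged line "Access denied, the user is neither anonymous, nor remember-me." is what the firewall's exception listener records when an already fully authenticated user is refused, which matches the profiler showing Authenticated? yes. The model below is an added example, not code from the question, the answers or Symfony; it reduces RoleVoter, the has_role() part of ExpressionVoter and the default affirmative AccessDecisionManager to a few functions with this example's own names (HasRole stands in for the compiled allow_if expression), and it ignores role_hierarchy. It shows the three outcomes side by side: the unprefixed role in roles: makes every voter abstain, and an all-abstain vote is a denial under the default allow_if_all_abstain: false; renaming the role to ROLE_COMPLIANCEDIALOG makes RoleVoter grant; and allow_if with has_role() grants for the unprefixed name because that voter compares the literal string against the token's roles.

```python
"""Model of the access decision behind `- { path: ^/, roles: D-COMPLIANCEDIALOG }`.

Added example; not code from the question, the answers or Symfony. Class and
function names are this example's own. Covers RoleVoter, ExpressionVoter
(has_role only) and the default 'affirmative' AccessDecisionManager;
role_hierarchy is deliberately left out.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Union

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1
ROLE_PREFIX = "ROLE_"


@dataclass(frozen=True)
class HasRole:
    """Stand-in for the has_role('...') expression an allow_if rule is compiled to."""
    role: str


Attribute = Union[str, HasRole]
Voter = Callable[[Sequence[str], Sequence[Attribute]], int]


def role_voter(token_roles: Sequence[str], attributes: Sequence[Attribute]) -> int:
    """RoleVoter: only string attributes starting with ROLE_ are its business.

    Anything else (D-COMPLIANCEDIALOG, an expression object) is skipped, and
    if nothing was its business the vote is ACCESS_ABSTAIN, not a denial.
    """
    vote = ACCESS_ABSTAIN
    for attribute in attributes:
        if not isinstance(attribute, str) or not attribute.startswith(ROLE_PREFIX):
            continue
        vote = ACCESS_DENIED
        if attribute in token_roles:
            return ACCESS_GRANTED
    return vote


def expression_voter(token_roles: Sequence[str], attributes: Sequence[Attribute]) -> int:
    """ExpressionVoter reduced to has_role(): the literal role name is compared
    against the names of the token's roles, so the ROLE_ prefix convention
    plays no part here."""
    vote = ACCESS_ABSTAIN
    for attribute in attributes:
        if not isinstance(attribute, HasRole):
            continue
        vote = ACCESS_DENIED
        if attribute.role in token_roles:
            return ACCESS_GRANTED
    return vote


def decide_affirmative(voters: List[Voter], token_roles: Sequence[str],
                       attributes: Sequence[Attribute],
                       allow_if_all_abstain: bool = False) -> bool:
    """AccessDecisionManager 'affirmative' strategy with Symfony's defaults:
    one GRANTED wins, otherwise any DENIED loses, otherwise the
    allow_if_all_abstain setting (false by default) decides."""
    deny = 0
    for voter in voters:
        result = voter(token_roles, attributes)
        if result == ACCESS_GRANTED:
            return True
        if result == ACCESS_DENIED:
            deny += 1
    if deny > 0:
        return False
    return allow_if_all_abstain


VOTERS: List[Voter] = [role_voter, expression_voter]


def access_control(attributes: Sequence[Attribute], token_roles: Sequence[str]) -> bool:
    """What the access listener concludes for the matched access_control entry."""
    return decide_affirmative(VOTERS, token_roles, attributes)


if __name__ == "__main__":
    user = ["D-COMPLIANCEDIALOG"]  # the roles the profiler showed for 'admin'
    # `roles: D-COMPLIANCEDIALOG`: every voter abstains, and abstention denies
    print(access_control(["D-COMPLIANCEDIALOG"], user))  # False
    # `roles: ROLE_COMPLIANCEDIALOG` after renaming the user's role to match
    print(access_control(["ROLE_COMPLIANCEDIALOG"], ["ROLE_COMPLIANCEDIALOG"]))  # True
    # `allow_if: "has_role('D-COMPLIANCEDIALOG')"` with the original role name
    print(access_control([HasRole("D-COMPLIANCEDIALOG")], user))  # True
```

Of the two fixes, renaming the role to carry the ROLE_ prefix is the one to prefer: it keeps the role usable in roles: entries, in isGranted() calls and in role_hierarchy without special-casing, whereas the allow_if route only works because the expression voter does its own string comparison.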

Symfony YAML include file

How can I split my security.yml into multiple files?
I know about the imports statement, but I need to import the role_hierarchy.
For example
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_USER:
            # IMPORT FROM USER.YML
        ROLE_SELLER:
            # IMPORT FROM ANOTHER SELLER.YML
        ROLE_ADMIN:
            # IMPORT FROM ADMIN.YML
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
I need this because I want to define the roles for the Sonata admins, and I don't want to store them in the database.
Thank you.
You could create the roles as config parameters:
# user_roles.yml
parameters:
    seller_roles: [ROLE_A, ROLE_B, ROLE_C]
And use them in the security config:
# security.yml
imports:
    - { resource: user_roles.yml }

security:
    role_hierarchy:
        # quoted: a bare % at the start of a YAML scalar is not valid YAML
        ROLE_SELLER: '%seller_roles%'

How can I delete the default block of SonataUserBundle or SonataMediaBundle in the SonataAdminBundle list?

I do not know how to delete the default block of UserBundle or MediaBundle (just one of them...).
This is my config.yml:
dashboard:
    blocks:
        # display a dashboard block
        - { position: left, type: sonata.admin.block.admin_list }
    # groups:
    #     sonata_page:
    #         label: Taules
    #         items:
    #             - sonata.admin.collection
    #             - sonata.admin.gender
    #             - sonata.admin.family
    #             - sonata.admin.color
    #             - sonata.admin.size
    #             - sonata.admin.article
And my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_SONATA_READER:
            - ROLE_SONATA_ADMIN_LIST
            - ROLE_SONATA_ADMIN_VIEW
        ROLE_SONATA_EDITOR:
            - ROLE_SONATA_ADMIN_CREATE
            - ROLE_SONATA_ADMIN_EDIT
        ROLE_SONATA_ADMIN:
            - ROLE_SONATA_ADMIN_DELETE
            - ROLE_SONATA_ADMIN_EXPORT
        ROLE_STAFF: [ROLE_USER, ROLE_SONATA_READER]
        ROLE_ADMIN: [ROLE_STAFF, ROLE_SONATA_EDITOR, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
You can use the Sonata AdminBundle security option to switch to the Role Handler, so that only one group is given access to these administrations.
sonata_admin:
    security:
        handler: sonata.admin.security.handler.role
