Symfony2: creating a new SecurityIdentity - symfony

I'm using ACL in Symfony 2.1, and I need to create a new SecurityIdentity, so that my ACL can be set in function of some sort of groups.
Picture the following situation: there are groups with users (with different roles) that each have user information. In group 1, users with the ROLE_ADMIN can't edit other users from the same group's information, but in group 2, users with ROLE_ADMIN can edit others information.
So basically my ACL will vary in function of what group the user is in.
I thought I'd start solving this problem with the creation of a new "GroupSecurityIdentity". However the class itself doesn't suffice, as I get this exception when I use it:
$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.
My question is: how do I "register" my new SecurityIdentity so I can use it as RoleSecurityIdentity and UserSecurityIdentity?
What better ways are there to implement a system similar to this I want to do?

2 years ago I went down that path, it turned out to be a bad decision. Modifying the ACL system is difficult and might cause problems when updating Symfony. There are at least 2 better solutions. I'll list them all so you can decide which best suits your needs.
New security identity
I'm using the GroupInterface from FOSUserBundle, but I guess you could use your own too. The following files need to be added:
AclProvider.php
The method to change is private - the whole file has to be copied, but the only change has to be made to hydrateObjectIdentities
GroupSecurityIdentity.php
MutableAclProvider.php
We have to duplicate the whole file as it must extend AclProvider, but we're using a custom one and can't therefore extend the stock MutableAclProvider. The methods changed are getInsertSecurityIdentitySql and getSelectSecurityIdentityIdSql.
SecurityIdentityRetrievalStrategy.php
Next up: rewire the dependency injection container by providing the following parameters:
<parameter key="security.acl.dbal.provider.class">
Acme\Bundle\DemoBundle\Security\Acl\Dbal\MutableAclProvider
</parameter>
<parameter key="security.acl.security_identity_retrieval_strategy.class">
Acme\Bundle\DemoBundle\Security\Acl\Domain\SecurityIdentityRetrievalStrategy
</parameter>
Time to cross fingers and see whether it works. Since this is old code I might have forgotten something.
Use roles for groups
The idea is to have group names correspond to roles.
A simple way is to have your User entity re-implement UserInterface::getRoles:
public function getRoles()
{
$roles = parent::getRoles();
// This can be cached should there be any performance issues
// which I highly doubt there would be.
foreach ($this->getGroups() as $group) {
// GroupInterface::getRole() would probably have to use its
// canonical name to get something like `ROLE_GROUP_NAME_OF_GROUP`
$roles[] = $group->getRole();
}
return $roles;
}
A possible implementation of GroupInterface::getRole():
public function getRole()
{
$name = $this->getNameCanonical();
return 'ROLE_GROUP_'.mb_convert_case($name, MB_CASE_UPPER, 'UTF-8');
}
It's now just a matter of creating the required ACE-s as written in the cookbook article.
Create a voter
Finally, you could use custom voters that check for the presence of specific groups and whether the user has access to said object. A possible implementation:
<?php
namespace Acme\Bundle\DemoBundle\Authorization\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
class MySecureObjectVoter implements VoterInterface
{
/**
* {#inheritDoc}
*/
public function supportsAttribute($attribute)
{
$supported = array('VIEW');
return in_array($attribute, $supported);
}
/**
* {#inheritDoc}
*/
public function supportsClass($class)
{
return $class instanceof GroupableInterface;
}
/**
* {#inheritDoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$result = VoterInterface::ACCESS_ABSTAIN;
if (!$object instanceof MySecureObject) {
return VoterInterface::ACCESS_ABSTAIN;
}
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
}
// Access is granted, if the user and object have at least 1
// group in common.
if ('VIEW' === $attribute) {
$objGroups = $object->getGroups();
$userGroups = $token->getUser()->getGroups();
foreach ($userGroups as $userGroup) {
foreach ($objGroups as $objGroup) {
if ($userGroup->equals($objGroup)) {
return VoterInterface::ACCESS_GRANTED;
}
}
}
return voterInterface::ACCESS_DENIED;
}
}
}
}
For more details on voters please refer to the cookbook example.
I would avoid creating a custom security identity. Use the two other methods provided. The second solution works best, if you will be having lots of records and each of them must have different access settings. Voters could be used for setting up simple access granting logic (which most smaller systems seem to fall under) or when flexibility is necessary.

I write my answer here to keep a track of this error message.
I implemented group support with ACL and i had to hack a bit the symfony core "MutableAclProvider.php"
protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
$identifier = $sid->getClass().'-'.$sid->getUsername();
$username = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
$identifier = $sid->getRole();
$username = false;
}else {
//throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
$identifier = $sid->getClass().'-'.$sid->getGroupname();
$username = true;
}
return sprintf(
'SELECT id FROM %s WHERE identifier = %s AND username = %s',
$this->options['sid_table_name'],
$this->connection->quote($identifier),
$this->connection->getDatabasePlatform()->convertBooleans($username)
);
}
Even if the provided object is not an instance of UserSecurityIdentity or RoleSecurityIdentity it return a value. So now i can use a custom "GroupSecurityIdentity"
It's not easy to put in place but was much adapted to my system.

Related

Symfony 4 - Compare two objects before persisting?

I've a Symfony 4 project.
In my controller, I've an action to edit an object in my database :
/**
* Editer un groupe
*
* #Route("/admin/validation/{id}", name="admin_validation_edit")
*
* #param GroupeValidateurs $groupeValidateurs
* #return void
*/
public function edit(GroupeValidateurs $groupeValidateurs, Request $request)
{
$form = $this->createForm(GroupeValidateursType::class, $groupeValidateurs);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
//persist and flush in database
}
But when my form is submitted, I would like to compare my old and my new object, to make some actions.
For that, I used a session vairable :
$session = $this->get('session');
if (!$session->has('groupe')) {
$session->set('groupe', $groupeValidateurs);
}
And I remove it when the form is submitted and valid.
It works, but it's not correct, because, if I go on an edit page with some groupeValidateur, and just after, I go on another edit page with another groupeValidateur, My session variable will contains my previous groupeValidateur.
Which solution can I use please ?
before $form->handleRequest($request) your object $groupeValidateurs is still the original.
If you want to keep some information there are several options, amongst those the very easy and straightforward:
handle outside object and outside the form component:
if I understood you correctly, you only want to prevent certain users to be added/removed. Since I don't know your entity, I will assume, that your object has a method getUsers(), that returns the current users.
$oldUsers = $groupeValidateurs->getUsers(); // I assume $oldUsers is an ARRAY***
$form = $this->createForm(...)
//...
if($form->isSubmitted() && $form->isValid()) {
$newUsers = $groupeValidateurs->getUsers();
// do whatever ...
}
***) if this is a OneToMany or ManyToMany relation, make sure to return the array instead of the collection:
public function getUsers() {
return $this->users instanceof \Doctrine\Common\Collections\Collection
? $this->users->toArray()
: $this->users;
}
if you manage to keep $this->users as a Collection always, you can just return $this->users->toArray();
other options:
add event listeners to the form, that capture the data before edits come in, add this to a constraint that gets an additional list of users to prevent from being added/removed
IF there is a property on the user which makes it clear, the user shall not be removed ever, you can bake this into your add/removeUser function:
function removeUser($user) {
if($user->isAdmin()) {
return;
}
$this->users->removeElement($user); // I assume users to be a doctrine Collection
}
function setUsers($users) {
foreach($this->users as $user) {
if($user->isAdmin() && !in_array($users)) {
$users[] = $user; // add user;
}
}
$this->users = $users;
}
note: depending on your form, you might have to set by_reference to false. which imho is not a real problem if a) your getUsers() returns the array instead of the collection (how it should be) or b) if you implement addUser/removeUser.
also, this approach has the obvious caveat, that nobody can remove that user without removing the admin privilege, so maybe this is overkill ;o)
setup a doctrine event listener for updates on your entity type that checks for removed users and re-add them accordingly. for this to work, you either have to check the changesets somehow (this is quite the overkill probably)
upon changing the users of an object, store the old version (if add/remove implementation, take care not to overwrite the backup) of user list
implement clone on your entity properly and actually produce a copy of your object before getting it changed (by handleRequest). compare at will.
get the original entity as Andrea Manzi described and compare with that.
In edit "action" try using:
if ($form->isSubmitted() && $form->isValid()) {
$currentdata = $form->getData();
/**/
}
to get current data submitted
Or write an "update" action like this:
public function update(Request $request, $id)
{
/* #var $em EntityManager */
$em = $this->getDoctrine()->getManager();
$entity = $em->getRepository(Entity::class)->find($id); //your GroupeValidateurs entity class
$form = $this->createForm(GroupeValidateursType::class, $groupeValidateurs);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
//persist and flush in database
$currentdata = $form->getData();
$beforedata = $em->getUnitOfWork()->getOriginalEntityData($entity);
/*....*/
}
Clone object to $cloneGroupeValidateurs. Set entity to form. Next submitting your form and compare with previously cloned variable.

Out of range Ids in Symfony route

I have a common structure for Symfony controller (using FOSRestBundle)
/**
* #Route\Get("users/{id}", requirements={"userId" = "(\d+)"})
*/
public function getUserAction(User $user)
{
}
Now if I request http://localhost/users/1 everything is fine. But if I request http://localhost/users/11111111111111111 I get 500 error and Exception
ERROR: value \"11111111111111111\" is out of range for type integer"
Is there a way to check id before it is transferred to database?
As a solution I can specify length of id
/**
* #Route\Get("users/{id}", requirements={"userId" = "(\d{,10})"})
*/
but then Symfony will say that there is no such route, instead of showing that the id is incorrect.
By telling Symfony that the getUserAction() argument is a User instance, it will take for granted that the {id} url parameter must be matched to the as primary key, handing it over to the Doctrine ParamConverter to fetch the corresponding User.
There are at least two workarounds.
1. Use the ParamConverter repository_method config
In the controller function's comment, we can add the #ParamConverter annotation and tell it to use the repository_method option.
This way Symfony will hand the url parameter to a function in our entity repository, from which we'll be able to check the integrity of the url parameter.
In UserRepository, let's create a function getting an entity by primary key, checking first the integrity of the argument. That is, $id must not be larger than the largest integer that PHP can handle (the PHP_INT_MAX constant).
Please note: $id is a string, so it's safe to compare it to PHP_INT_MAX, because PHP will automatically typecast PHP_INT_MAX to a string and compare it to $id. If it were an integer, the test would always fail (by design, all integers are less than or equal to PHP_INT_MAX).
// ...
use Symfony\Component\Form\Exception\OutOfBoundsException;
class UserRepository extends ...
{
// ...
public function findSafeById($id) {
if ($id > PHP_INT_MAX) {
throw new OutOfBoundsException($id . " is too large to fit in an integer");
}
return $this->find($id);
}
}
This is only an example: we can do anything we like before throwing the exception (for example logging the failed attempt).
Then, in our controller, let's include the ParamConverter annotation:
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
and modify the function comment adding the annotation:
#ParamConverter("id", class="App:User", options={"repository_method" = "findSafeById"})
Our controller function should look like:
/**
* #Get("users/{id}")
* #ParamConverter("id", class="App:User", options={"repository_method" = "findSafeById"})
*/
public function getUserAction(User $user) {
// Return a "OK" response with the content you like
}
This technique allows customizing the exception, but does not give you control over the response - you'll still get a 500 error in production.
Documentation: see here.
2. Parse the route "the old way"
This way was the only viable one up to Symfony 3, and gives you a more fine-grained control over the generated response.
Let's change the action prototype like this:
/**
* #Route\Get("users/{id}", requirements={"id" = "(\d+)"})
*/
public function getUserAction($id)
{
}
Now, in the action we'll receive the requested $id and we'll be able to check whether it's ok. If not, we throw an exception and/or return some error response (we can choose the HTTP status code, the format and anything else).
Below you find a sample implementation of this procedure.
use FOS\RestBundle\Controller\Annotations\Get;
use FOS\RestBundle\Controller\FOSRestController;
use Symfony\Component\Form\Exception\OutOfBoundsException;
use Symfony\Component\HttpFoundation\JsonResponse;
class MyRestController extends FOSRestController {
/**
* #Get("users/{id}", requirements={"id" = "(\d+)"})
*/
public function getUserAction($id) {
try {
if ($id > PHP_INT_MAX) {
throw new OutOfBoundsException($id . " is too large to fit in an integer");
}
// Replace App\Entity\User with your actual Entity alias
$user = $this->getDoctrine()->getRepository('App\Entity\User')->find($id);
if (!$user) {
throw new \Doctrine\ORM\NoResultException("User not found");
}
// Return a "OK" response with the content you like
return new JsonResponse(['key' => 123]);
} catch (Exception $e) {
return new JsonResponse(['message' => $e->getMessage()], 400);
}
}

best design to make sure users access only their information

I have a symfony2.7 application with doctrine which has a large amount of entities, many of these entities are dependent of a single entity, let me put an example to clarify
School hasMany Student,
Student hasMany Lesson,
Lesson hasMany Test,
Test hasMany Grade
Please imagine a db design like that but larger and that many schools are allowed. Say you have a role "SCHOOL_DIRECTOR" which can edit any grade in the school using this url /grade/{id}/edit, using symfony security I can make it so that only users with the SCHOOL_DIRECTOR role can access that url, so far so good, but right now my problem is that a SCHOOL_DIRECTOR from one school can, if he puts the correct id in the url, edit grades from another school.
I'm looking for the best way to go, because this happens with many entities, I know I could always make queries which joins back to the school entity but I'm worried about the performance impact because I would be constantly making queries with many joins. I wonder what is the best way to make that school directors can only acces the information on their school.
When you are trying to grant access of specific users/roles to specifics object domains(school,grade,test,...) you should take a look to ACL.
In the simplest way acl allows to do what you want.
Hope it helps
You should take a look at the symfony voter
Example:
app/config/services.yml
app.security.voter.grade:
class: AppBundle\Security\Voter\GradeVoter
tags:
- { name: security.voter }
AppBundle\Security\Voter\GradeVoter
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
class GradeVoter extends Voter
{
const EDIT = 'edit';
const VIEW = 'view';
protected function supports($action, $subject)
{
if(!$subject instanceof Grade) {
return false;
}
if(!in_array($action, $this->supportedActions())) {
return false;
}
return true;
}
protected function voteOnAttribute($action, $grade, TokenInterface $token)
{
/** #var Grade $grade */
switch ($action)
{
case self::VIEW:
return true;
break;
case self::EDIT:
// Do your stuff to return true if the the connected user can edit this grade
$user = $token->getUser();
// From the $user variable (which represent the connected user) you have to decide if he can edit this grade, and return true or false.
return true;
break;
default:
return false;
}
}
public function supportedActions()
{
return [self::EDIT, self::VIEW];
}
}
GradeController
public function editAction(Grade $grade)
{
$this->denyAccessUnlessGranted(GradeVoter::EDIT, $grade, 'You can\'t edit this grade');
// Do your stuff to edit
return new JsonResponse($response, Response::HTTP_OK);
}
$this->denyAccessUnlessGranted(GradeVoter::EDIT, $grade, 'You can\'t edit this grade');
This line do all the magic, Symfony will call your Voter service and do the above verification (in this case the edit switch case just return true)
If the voter return false, symfony will throw an AccessDenied exception, that will be catch and finish in a 403 response
I hope my answer helped you. Ask me if something isn't clear :)

why does doctrine think a existed entity as a new entity?

I have two entities , user and store, they have a many-to-one relationship, before I create a user, I have to make sure a store is existed, it is not allowed to create a store while creating a user ,that means cascade={"persist"} can't be used.
Store class
public function addUser(User $user)
{
if (!$this->users->contains($user))
{
$this->users->add($user);
$user->setStore($this);
}
return $this;
}
before I create a user , I am pretty sure that a store is already existed.these code below is the way I used to create user
$store= $this->get('vmsp.store_provider')->getCurrentStore();
$store->addUser($user);
$userManager->updateUser($user);
code in updateUser method is not special:
$this->entityManager->persist($user);
$this->entityManager->flush();
code in getCurrentStore method:
public function getCurrentStore($throwException=true)
{
if (isset(self::$store)) {
return self::$store;
}
$request = $this->requestStack->getCurrentRequest();
$storeId = $request->attributes->get('storeId', '');
$store = $this->entityRepository->find($storeId);
if ($store === NULL&&$throwException) {
throw new NotFoundHttpException('Store is not found');
}
self::$store = $store;
return $store;
}
this gives me a error:
A new entity was found through the relationship
'VMSP\UserBundle\Entity\User#store' that was not configured to cascade
persist operations for entity: ~ #1. To solve this issue: Either
explicitly call EntityManager#persist() on this unknown entity or
configure cascade persist this association in the mapping for example
#ManyToOne(..,cascade={"persist"})
thing is getting very interesting, why does a existed store become new entity? why does doctrine think that existed store entity as a new entity?
It seems like your Store-entity is detached from the EntityManager somehow. I can't really see where it happens. Finding that out will probably take a few debugging sessions by you.
A quick fix might be to merge the user's store back into the EntityManager using EntityManager::merge($entity), e.g. in your updateUser-method:
public function updateUser(User $user) {
$store = $user->getStore();
$this->entityManager->merge($store);
$this->entityManager->persist($user);
$this->entityManager->flush();
}
You might also want to play around with Doctrine's UnitOfWork especially with getState($entity, $assumedState) to find out whether your store is still managed or not.

get users who have a specific role

I need to get the list of all my users having a specific role, is there any way to do it easily? The solution I figured out for now would be to retrive all users then apply a filter on each using is granted function (which is hardcore)
PS: I don't like using the db request that skims over data and if the user role equals the wanted role it returns it, else it doesn't. Which means that we don't take into account users with super roles.
Because of the role hierarchy, I don't see a way to avoid grabbing all the users and then filtering. You could make a user role table and add all possible user roles but that would get out of date if you changed the hierarchy.
However, once you have all the roles for a given user then you can test if a specific one is supported.
There is a role hierarchy object to help.
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
class RoleChecker
{
protected $roleHeirarchy;
public function __construct(RoleHierarchy $roleHierarchy)
{
$this->roleHierarchy = $roleHierarchy; // serviceId = security.role_hierarchy
}
protected function hasRole($roles,$targetRole)
{
$reachableRoles = $this->roleHierarchy->getReachableRoles($roles);
foreach($reachableRoles as $role)
{
if ($role->getRole() == $targetRole) return true;
}
return false;
}
}
# services.yml
# You need to alias the security.role_hierarchy service
cerad_core__role_hierarchy:
alias: security.role_hierarchy
You need to pass an array of role objects to hasRole. This is basically the same code that the security context object uses. I could not find another Symfony service just for this.
The is also a parameter value called '%security.role_hierarchy.roles%' that comes in handy at times as well.
Symfony 5 answer, it's a little bit easier:
namespace App\Controller;
...
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
class UserController extends AbstractController
{
private $roleHierarchy;
/**
* #Route("/users", name="users")
*/
public function usersIndex(RoleHierarchyInterface $roleHierarchy)
{
$this->roleHierarchy = $roleHierarchy;
// your user service or your Doctrine code here
$users = ...
foreach ($users as $user) {
$roles = $roleHierarchy->getReachableRoleNames($user->getRoles());
\dump($roles);
if ($this->isGranted($user, 'ROLE_SUPER_ADMIN')) {
...
}
}
...
}
private function isGranted(User $user, string $role): bool
{
$reachableRoles = $this->roleHierarchy->getReachableRoleNames($user->getRoles());
foreach ($reachableRoles as $reachableRole) {
if ($reachableRole === $role) {
return true;
}
}
return false;
}
}
Note: I put everything in the controller for the sake of simplicity here, but of course I'd recommend to move the Role Management code into a separate service.

Resources