Where to set ACL: Entity or Controller - symfony

I'm starting to implement some security features in my application. When initially trying to implement some ACL I came across two questions I could not figure out:
Where to implement the setting of ACLs
I could do it in the controller action where my entities are created, or on the entity itself with lifecycle callbacks. For example, I have a Group entity which holds some User entities. It is easier to set the view or edit access in a lifecycle callback for all Group entities. I would prefer to make my controller as slim as possible. Or is this a bad approach? I would need the security container in my entity. What is your approach to this?
How to check for related entities:
Extending my previous example, I have a Group and this group can hold some appointments. In my actions where the appointments are shown or edited, I only want to check for the group. This is mainly for using the "view" rights. Meaning if someone is in the Group which holds the appointment, the person should also be able to view the appointment. I would like to implement this with JMSExtraSecurityBundle and SecureParam, but I have no idea how to do that.

Related

Use a repository with JMS serializer

I have a Symfony 3.4 project with a REST API. I use JMS serializer.
I have an entity User and I have a route /api/user which returns the user id, name, ...
I also have an entity Badge which has a many-to-many relation with User (so a user_badge table). As I read, when the pivot table has extra columns (like in my case on user_badge), I need to create two many-to-one relations to link my user to badges.
In my route /api/user I add the return of my badges with JMS; I return my badge id and the achievement date (the extra column) from user_badge with the method getUserBadges from my entity User.
But now I want to order the badges by a column from the badge entity.
How can I achieve this? The fact is that my model User can't access the badges without a heavy foreach. I need to make a request to get all the badges in the correct order and pass this to JMS.
(I don't know which source file I should provide, because I don't really know how to achieve it.)

How to setup authorization on api-platform.com

I'm trying to use api-platform.com as my API infrastructure, and I want to make sure that every user can pull his OWN data and perform actions on his data only.
How can I do that?
Let's say that I have entities named 'Organization' and 'Book'.
Book belongs to Organization via book.organization_id = organization.id.
In addition, the User entity belongs to organization using the same relation.
How can I do this authorization check?
Thanks!

Could doctrine provide records filtered by user roles, groups or permissions?

I have a project with a huge amount of data. I need to make queries based on user role/group/permission. This means that a query like
$fooRepository = $this->getDoctrine()
    ->getManager()
    ->getRepository(Foo::class)
    ->findAll();
should return different records if done by a ROLE_SUPER_ADMIN or by a ROLE_USER. Also, I need to filter records based on relations and so on.
I have different solutions in mind:
inject user role inside the repository's query
create a role based repository
create a query for each role
Inject user role in the repository's query
In this case each repository should be responsible for providing the right data. This is a solution similar to this one. In that solution records are filtered by tenant.
Create role based repository
In this case I'll need to create different repositories and instantiate them differently. But I don't think this can be easy in Doctrine? While I am writing, ... I am thinking this is an exaggerated solution.
Create queries for each role
At the moment I think this is the most natural way to do queries. I just imagine that a repository should contain
+ findAllStuffForGuestRole()
+ findAllStuffForAdminRole()
Each time I need to add a query, I MUST create different queries.
I think Doctrine filters are the cleanest and simplest way to solve your problem. See the documentation.
This is actually very straightforward with Symfony/Doctrine. Here's a great page in the official docs that explains it better than I could: http://symfony.com/doc/current/doctrine/repository.html
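The Doctrine filter approach from the first answer, as an added example (not code from either answerer): a SQLFilter that scopes every query on owner-carrying entities to the current user, and a request listener that switches it off for ROLE_SUPER_ADMIN. The filter is assumed to be registered under `doctrine.orm.filters` with the name `role_scope` and `enabled: true`; `OwnedInterface`, `RoleScopeFilter`, `EnableRoleScopeFilter` and the `owner_id` column are hypothetical names, and `Symfony\Component\Security\Core\Security`, `RequestEvent::isMainRequest()` and a `getId()` method on the User entity are assumed.

```php
<?php
// Added example: role-aware Doctrine SQL filter (hypothetical class names).
namespace App\Doctrine;

use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\Mapping\ClassMetadata;
use Doctrine\ORM\Query\Filter\SQLFilter;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\Security\Core\Security;

// Marker interface: entities implementing it carry an owner_id column.
interface OwnedInterface {}

final class RoleScopeFilter extends SQLFilter
{
    public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias): string
    {
        // Leave entities without an owner untouched.
        if (!$targetEntity->getReflectionClass()->implementsInterface(OwnedInterface::class)) {
            return '';
        }
        // Fail closed: the filter is enabled by default, so a request that never
        // identified a user (or forgot to set the parameter) gets no rows at all.
        if (!$this->hasParameter('user_id')) {
            return '1 = 0';
        }
        // getParameter() returns the value already quoted by the connection.
        return sprintf('%s.owner_id = %s', $targetTableAlias, $this->getParameter('user_id'));
    }
}

// kernel.request listener: binds the current user to the filter, or disables
// the filter entirely for super admins, who are allowed to see every record.
final class EnableRoleScopeFilter
{
    public function __construct(private EntityManagerInterface $em, private Security $security) {}

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }
        $filters = $this->em->getFilters();
        if ($this->security->isGranted('ROLE_SUPER_ADMIN')) {
            $filters->disable('role_scope');
            return;
        }
        $user = $this->security->getUser();
        if ($user !== null) { // anonymous requests keep the '1 = 0' constraint
            $filters->enable('role_scope')->setParameter('user_id', $user->getId());
        }
    }
}
```

With this in place the `findAll()` from the question needs no per-role variants: the WHERE clause is appended to every query (DQL, repository methods and lazy-loaded collections alike) for the current request.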

CakePHP model behaviors in Symfony2 + Doctrine2?

Is it possible to have behaviors in Symfony 2 entities, like in CakePHP? I'll try to explain what I need:
In some of my entities, I need to store who created or updated the record, when it was created or updated, which company it belongs to and which season it belongs to.
All this data is stored in the session, and I want to add it to the entity "magically", without adding these fields in the controller. With CakePHP I can create a SeasonBehavior, mark some models/entities as using the SeasonBehavior, and when I persist a record from an entity marked with the SeasonBehavior the seasonId is updated.
Is it possible to do the same with Symfony2 and Doctrine 2? And if it's possible, do you know any tutorial or documentation explaining how to do this?
You need to create a listener on your persist action to do such things. Read the manual here: http://symfony.com/doc/current/cookbook/doctrine/event_listeners_subscribers.html
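The persist listener the answer points to, as an added example (not the answerer's code): entities opt in through a marker interface, and a prePersist listener stamps them from the security token and the session so the controller never handles these fields. `SeasonAwareInterface`, `StampOnPersistListener` and the session keys `company_id` and `season_id` are hypothetical; `RequestStack::getSession()`, `UserInterface::getUserIdentifier()` and `Doctrine\ORM\Event\LifecycleEventArgs` (ORM 2.x; ORM 3 uses `PrePersistEventArgs`) are assumed.

```php
<?php
// Added example: a CakePHP-behaviour-style stamping listener (hypothetical names).
namespace App\EventListener;

use Doctrine\ORM\Event\LifecycleEventArgs;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Security;

// Entities that want the "behaviour" implement this interface.
interface SeasonAwareInterface
{
    public function setCreatedBy(string $username): void;
    public function setCreatedAt(\DateTimeImmutable $at): void;
    public function setCompanyId(int $companyId): void;
    public function setSeasonId(int $seasonId): void;
}

// Register with: tags: [{ name: doctrine.event_listener, event: prePersist }]
final class StampOnPersistListener
{
    public function __construct(private Security $security, private RequestStack $requestStack) {}

    public function prePersist(LifecycleEventArgs $args): void
    {
        $entity = $args->getObject();
        if (!$entity instanceof SeasonAwareInterface) {
            return; // only entities that opted in are touched
        }

        $user = $this->security->getUser();
        $session = $this->requestStack->getSession();

        // Company and season come from server-side session state that was set at
        // login, never from the submitted form, so a client cannot pick another
        // company's scope. Refuse to persist if that context is missing.
        if ($user === null || !$session->has('company_id') || !$session->has('season_id')) {
            throw new \LogicException(sprintf(
                'Cannot persist %s without an authenticated user and an active season.',
                $entity::class
            ));
        }

        $entity->setCreatedBy($user->getUserIdentifier());
        $entity->setCreatedAt(new \DateTimeImmutable());
        $entity->setCompanyId((int) $session->get('company_id'));
        $entity->setSeasonId((int) $session->get('season_id'));
    }
}
```

The same listener class can take a `preUpdate` method (registered with a second `doctrine.event_listener` tag) to fill the "updated by / updated at" fields the question mentions.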

Symfony2 Mapping Model to Entity

I am currently trying to sort out my user registration in Symfony2, loosely following their documentation here:
http://symfony.com/doc/current/cookbook/doctrine/registration_form.html
Sadly, their example is a bit simplistic.
My User Entity has a number of fields which only get added during registration and can't be changed thereafter, so I separated those out from my UserType into my RegistrationType.
The problem now is that Symfony can't find any of the fields requested for the form which live within the User Entity, because it is looking for them in the Registration model. How do I get the Registration model to point to the User Entity?
In the documentation example, they avoid all this as the "terms and conditions" checkbox doesn't get added to the database.
e.g. they use this:
$builder->add('user', new UserType());
but as I mentioned, that only has the fields I want the user to edit after registration.
I tried the data_class, but it complained that Form\Model\Registration wasn't of type Entity\User.
This seems like a really common issue when you are trying to embed bits of forms for a single entity, yet the documentation doesn't cover it.
And no, I don't want to use FoSUserBundle.
Actually, it's possible and really easy to have several form types for the same model class. You can have the RegistrationType with lots of fields and then the UserType with only some of those fields. Both use the same User model.