Use ACL for "profile" symfony2 - php

I have an application with many users.
Each user is associated with one and only one profile.
The profile has many global rights on many entities.
For example,
The role "writer" has access to write, read and edit for my entity "Blog".
Roles are dynamic, I can add role in my back office.
I think I must use a Symfony Voter, but I don't know how I can check whether my user has the right to edit, for example, an article.
Do you have an example to make this architecture for my constraint?
Thank you.

In the Symfony documentation there is a nice article about voters: a user is able to edit his own article only.
For deeper understanding, check this presentation - Drop ACE, use voters.
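One way to build the voter the answer points to, as an added example that is not code from the original answer or from Symfony itself: the rights are read from the user's profile at vote time, so roles added in the back office need no code change. `User::getProfile()`, `Profile::getRights()` and the `AppBundle` namespace are assumptions.

```php
<?php
// Added example (not from the original answer): a Symfony2 voter that decides
// "read"/"write"/"edit"/"delete" on an entity from the user's Profile rights.
// Assumed accessors: User::getProfile(), Profile::getRights() returning an array
// keyed by entity short name, e.g. array('Blog' => array('read', 'write', 'edit')).
namespace AppBundle\Security;

use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class ProfileVoter implements VoterInterface
{
    private static $attributes = array('read', 'write', 'edit', 'delete');
    public function supportsAttribute($attribute)
    {
        return in_array($attribute, self::$attributes, true);
    }

    public function supportsClass($class)
    {
        return true; // rights are keyed by short class name, so any entity is supported
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        $user = $token->getUser();
        if (!$user instanceof User || !is_object($object)) {
            return self::ACCESS_ABSTAIN; // anonymous or no entity: let other voters decide
        }

        $rights = $user->getProfile()->getRights();   // assumed accessor, see lead-in
        $parts  = explode('\\', get_class($object));   // short name; works for Doctrine proxies too
        $entity = end($parts);
        $vote   = self::ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (!$this->supportsAttribute($attribute)) {
                continue;
            }
            // Deny by default: the right must be listed explicitly for this entity.
            $vote = self::ACCESS_DENIED;
            if (isset($rights[$entity]) && in_array($attribute, $rights[$entity], true)) {
                return self::ACCESS_GRANTED;
            }
        }

        return $vote;
    }
}
```

Register the class as a service tagged `security.voter`; a controller then asks `$this->get('security.context')->isGranted('edit', $article)` and the profile rights decide.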

Related

How get the parent role of a list of roles in symfony

I am trying to find a way to recover the strongest role from the list I defined in the Symfony security file security.yml.
Suppose I have the following hierarchy :
ROLE_A: [ROLE_B,ROLE_C]
ROLE_B: [ROLE_D]
In a method that I have to develop, I am supposed to pass a role list (A, B and C in this case) and recover the strongest role (A).
Can you come up with ideas?
I had the same issue. Out of luck, I had to put the role hierarchy logic in the User entity as an associative array.
Then I created a method such as getParentRole() to return the desired parent ROLE.
OR
If you are using FOSUserBundle and your application needs a group-level classification of the User entity, consider using the Group feature available in FOSUserBundle.
Hope this helps!
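The lookup the question asks for, as an added example (not code from either answer): a role is "strongest" when every other role in the list is reachable from it through the hierarchy. The hierarchy array is a constructed copy of the question's security.yml entries.

```php
<?php
// Added example (not from the original answers): find the "strongest" role in a
// list, i.e. the listed role from which every other listed role is reachable
// through the security.yml hierarchy (constructed copy of the question's example).
function reachableRoles(array $hierarchy, $role)
{
    $seen  = array();
    $stack = array($role);
    while ($stack) {
        $current  = array_pop($stack);
        $children = isset($hierarchy[$current]) ? $hierarchy[$current] : array();
        foreach ($children as $child) {
            if (!isset($seen[$child])) {
                $seen[$child] = true; // visited set, so a cyclic (broken) hierarchy still terminates
                $stack[]      = $child;
            }
        }
    }
    return array_keys($seen);
}

function strongestRole(array $hierarchy, array $roles)
{
    foreach ($roles as $candidate) {
        $others = array_diff($roles, array($candidate));
        if (!array_diff($others, reachableRoles($hierarchy, $candidate))) {
            return $candidate; // every other listed role is inherited by this one
        }
    }
    return null; // no single role dominates, e.g. ROLE_B and ROLE_C are independent
}

$hierarchy = array(
    'ROLE_A' => array('ROLE_B', 'ROLE_C'),
    'ROLE_B' => array('ROLE_D'),
);
var_dump(strongestRole($hierarchy, array('ROLE_B', 'ROLE_C', 'ROLE_A')));
var_dump(strongestRole($hierarchy, array('ROLE_B', 'ROLE_C')));
```

Inside a Symfony 2 application the `security.role_hierarchy` service already computes the same closure through `getReachableRoles()` (on Role objects), so the first function can be replaced by it.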

Edit in list view (role/permissions) in Sonata Admin

I'm looking for a solution where I can do the following in my Sonata backend:
In my database I have the following tables:
roles: id, name, role, is_super_admin, weight
permissions: name, permissions, description
role_permission (many to many): role_id, permission_id
So I would like to save relations in my table role_permission. But I'm a bit stuck on how to do this in Sonata admin. Can I do this in the list view? And if yes, can you help me on my way?
Not sure if OP wants to implement custom roles or use existing features. However I would recommend using a single role system. Sonata already has handlers for security so in my opinion it would be best to use those instead of creating your own.
On the Sonata site, there is a section in the admin bundle documentation about security, which explains how to set up certain types of role management. I would go for either the Role or the ACL handler depending on what you need.
When enabling the role handler you can create groups of roles. These groups would serve as your "Role 1". For example I could create a group called "Beta Testers" and give them the ROLES (permissions) ROLE_CHECK_BETA_CONTENT and ROLE_BETA_FEEDBACK_FORM. Now if you want normal users to not have these rights you could create a normal user group and assign every other role (permission).

How to register different kinds of users in Symfony2

I am a teacher and I want to write my own system for our school to manage all the stuff.
For this I need to register first my school (in the future there will perhaps other schools which want to use our system).
Then I want to be able to register new teachers, pupils, parents and other workers like the household personnel and so on...
My question now is: is it enough for this usage to give the users different roles, or should I create different user classes for every kind of user? For example Appbundle/Entity/User/teachers.php
Perhaps there are other solutions like ACL or voters which I don't really know much about.
I would use:
a User entity with basic data and authentication credentials
an Activity entity that links a User to a School with a type enum field (e.g. "teacher", "parent", "pupil", ...)
a custom voter based on the Activity of the logged-in User in the School he/she tries to access.
I think it's future proof: a teacher in one school may be a parent in another one :)
Personally I would use a single user entity that can assume multiple roles, unless the different roles will have wildly varying attributes.
A good example can be found on this page: http://symfony.com/doc/current/book/security.html

Symfony 1.4 Different CRUDs for different roles

I want to provide specific actions for different roles in a Symfony 1.4 project.
The project contains several database tables whose values can be modified only by certain roles.
For example, an administrator gains access to CRUDs for all models.
Another role (let it be a consultant) can only retrieve (not modify or remove) results from specified models (not all).
How can I support such a feature in symfony?
I assume that roles for the project will be specified in advance.
One solution I was thinking about is creating modules and actions for each role separately (crud panels + one logging interface), but it sounds like a huge job.
Just wondering what the smarter way is.
I think the best way to achieve that is definitely credentials (it is for sf1.2 but ok for 1.4).
I recommend you to use sfGuardDoctrine to use some groups with associated permissions (which are credentials). You define groups admin, consultant, etc. You associate some credentials, like modify, remove, create, edit, etc.
And then, every time a user logs in, it will automatically have defined credentials (associated to him or to his group).
After that, you have to check for every action whether the user can perform it:
if($this->getUser()->hasCredential('modify'))
{
// authorized action
}
Here is some more documentation for sfGuard (related to sf1.0 but it is good to understand how it works).
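The per-action check above can be centralised so the generated CRUD modules do not have to be duplicated per role, which is the "huge job" the question wants to avoid. The following is an added example, not code from the answer or from the sfGuard plugin; the credential names `read_<Model>` / `modify_<Model>`, the class names and the Article model are assumptions.

```php
<?php
// Added example (not from the original answer): one base actions class that maps each
// generated CRUD action to a per-model credential, so a consultant group that only holds
// "read_<Model>" for some models can never reach the modifying actions of any module.
// Assumed: sfGuardDoctrine groups grant credentials named read_<Model> / modify_<Model>.
abstract class myRoleAwareActions extends sfActions
{
    protected static $readActions   = array('index', 'show');
    protected static $modifyActions = array('new', 'create', 'edit', 'update', 'delete');

    // Each CRUD module names the model it manages.
    abstract protected function getModelName();

    public function preExecute()
    {
        $action = $this->getActionName();
        $model  = $this->getModelName();

        if (in_array($action, self::$readActions, true)) {
            // either credential is enough to read: second argument false = OR
            $granted = $this->getUser()->hasCredential(array('read_'.$model, 'modify_'.$model), false);
        } elseif (in_array($action, self::$modifyActions, true)) {
            $granted = $this->getUser()->hasCredential('modify_'.$model);
        } else {
            $granted = false; // an action not in either list is denied, not silently allowed
        }

        if (!$granted) {
            // same target the security filter uses (settings.yml: secure_module / secure_action)
            $this->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
        }
    }
}

// A generated CRUD module then only has to name its model:
class articleActions extends myRoleAwareActions
{
    protected function getModelName()
    {
        return 'Article';
    }

    public function executeIndex(sfWebRequest $request)
    {
        $this->articles = Doctrine_Core::getTable('Article')->findAll();
    }
}
```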

Creating user roles

I am doing a new project in symfony 1.4. This project requires users to log in and browse, and like any project of this type it requires a way of restricting users based on roles.
I don't want to implement this in the obvious way, i.e. to have a roles attribute for each user, have pre-defined roles and assign these to users. The problem with this is that it's not very flexible as more roles get defined later.
I was thinking along the lines of using an EAV model here (not sure I can do that in symfony). What do you guys think, do you have any better suggestions to make user roles much more flexible when they get added or deleted?
Also, what is the best way to display the page based on user roles, as I want some elements to be hidden according to the roles. Should I compare the role in each page and hide elements on every page? Is there a better solution?
Please shed some light on these.
Thanks
The sfDoctrineGuard plugin (http://www.symfony-project.org/plugins/sfDoctrineGuardPlugin) is a pretty comprehensive way of handling user authentication, groups and credentials. Users can be given permissions either individually or as a group, and access to specific page sections or entire actions can be restricted based on those permissions. You can set new user credentials in the controller code itself, e.g.
<?php
$this->getUser()->setCredential('editor');
?>
And verify that a user has particular permissions in views:
<?php
if ($sf_user->hasCredential('editor')) {
// stuff only for editors
}
?>
This page has lots of extra info on the plugin not covered by the readme file - http://trac.symfony-project.org/wiki/sfGuardPluginExtraDocumentation (although it refers to Propel rather than Doctrine). Also the following series of short tutorials is pretty useful:
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-installation
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-administration
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-securing-actions
And the Symfony tutorial page on users:
http://www.symfony-project.org/jobeet/1_4/Doctrine/en/13
