I'm programming a site in Symfony2, using FOSUserBundle for managing user access. I have an entity called "Site" which can have many Users. Only the related users and the
If you want to restrict access per user at the object level, then you're looking for ACLs. ProblematicAclManagerBundle is a nice wrapper to simplify ACL usage in controllers.
Otherwise, if you want to limit access per role, then you can use routes and roles defined in security.yml.
Here's a sample of what it should look like:
    access_control:
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_ADMIN }
        - { path: ^/.*, role: [IS_AUTHENTICATED_ANONYMOUSLY] }
In your controller, you can also use:
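    use JMS\SecurityExtraBundle\Annotation\Secure;
    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;

    /**
     * @Route("/home", name="home")
     * @Secure(roles="ROLE_USER")
     */
    public function indexAction()
    {
        // ... only reached by users who hold ROLE_USER
    }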
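An added example (not part of the original answer) of the object-level ACL approach mentioned above, written against Symfony 2's built-in ACL services rather than ProblematicAclManagerBundle. The `Acme\SiteBundle` namespace, the `Site` entity's `getUsers()` method and the template name are assumptions.

```php
<?php
// Added example, not from the original answer. Acme\SiteBundle, Site and
// getUsers() are assumed names; the ACL classes are Symfony 2's own.
namespace Acme\SiteBundle\Controller;

use Acme\SiteBundle\Entity\Site;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class SiteController extends Controller
{
    /**
     * Give every user attached to the Site a VIEW entry on that one object.
     * Call once, after the Site has been flushed and has an id; calling it
     * again for the same users would insert duplicate entries.
     */
    private function grantSiteAccess(Site $site)
    {
        $provider = $this->get('security.acl.provider');
        $identity = ObjectIdentity::fromDomainObject($site);
        try {
            $acl = $provider->findAcl($identity);
        } catch (AclNotFoundException $e) {
            $acl = $provider->createAcl($identity);
        }
        foreach ($site->getUsers() as $user) {
            $sid = UserSecurityIdentity::fromAccount($user);
            $acl->insertObjectAce($sid, MaskBuilder::MASK_VIEW);
        }
        $provider->updateAcl($acl);
    }

    public function showAction($id)
    {
        $site = $this->getDoctrine()->getRepository('AcmeSiteBundle:Site')->find($id);
        if (!$site) {
            throw $this->createNotFoundException();
        }
        // Per-object check: a role alone is not enough, the user must hold
        // an ACL entry on this particular Site. No entry means access denied.
        if (!$this->get('security.context')->isGranted('VIEW', $site)) {
            throw new AccessDeniedException();
        }
        return $this->render('AcmeSiteBundle:Site:show.html.twig', array('site' => $site));
    }
}
```

The ACL system has to be switched on first: set `acl: { connection: default }` under `security:` and run `php app/console init:acl` to create its tables.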