问题
I'm working on a CRM which will feature advanced authorization and the management of users in groups that have a specific role in the system.
Basically, what I'd like to do is this:
- Manage Dynamic Authorization for (Domain) Models / Controllers / Action
- Manage Dynamic Authorization For Objects and Fields.
I know about ROLE_xxxx in the security.yml file but I'd rather not hardcode the roles.
For example, I'd like to have a sort of matrix/grid where a super administrator can create custom authorization roles.
One of those roles could be: "Team Leader" can view the and edit the email address of an employee but can't see or edit the Employee_Wage field.
Another use case would be where a user in the user group "Accounting" can call the action generateInvoiceAction() but he can't access the action createNewEmployeeAction().
Another use case would be where a PROJECT LEADER can add a project using the newProjectAction() but certain fields/attributes of the PROJECT object are not visible/accessible by the group PROJECT LEADER
I understand that you can set these in the security and routing but I'd rather not hardcode these roles. For example, if the company decides that they want to create a new group with specific roles they should be able to.
My (pseudo)-solution
Go over every domain model, action/function and object/field and create a role for the CRUD, so for example create EMPLOYEE_FIRSTNAME_READ, EMPLOYEE_FIRSTNAME_UPDATE, EMPLOYEE_CREATE, EMPLOYEE_EDIT, EMPLOYEE_DELETE etc...
Create a Database object "Group" with a Title Field which has an array of combinations of all the roles.
Put a user in a group
Is this the way to go or are there better ways to achieve this in Symfony2?
Basically: create a group that has specific roles based on domain models, object, fields, etc... that can be configured using an administrator backend.
I hope I'm explaining this correctly, feel free to reply and ask for more information.
(I remember something like this from the older versions of Invision Power Board where you could configure a permission mask grid and attach it to a group)
回答1:
From what you said here I think the way to go is to use ACL
.
http://symfony.com/doc/master/cookbook/security/acl.html
However you will have to check permission yourself starting every secure method with something like this:
$securityContext = $this->get('security.context');
$comment = ... // load using Doctrine?
if (false === $securityContext->isGranted('EDIT', $comment))
{
throw new AccessDeniedException();
}
If you are extending Symfony's Controller
class, I strongly suggest to add one more class in between which will implement common security logic in order to minimize as much as possible mistakes...
When working with services, on the other hand, where you can supply an object as parameter you could rely on @SecureParam
annotaion from JMSSecurityExtraBundle
(I assume you use it) to check relevant domain object permissions.
http://jmsyst.com/bundles/JMSSecurityExtraBundle/master/annotations
Hope this helps a bit...
回答2:
I'm just facing the same issue, and after many search and reference to the exists bundles (FOSUserBundle, SonataUserBundle) resolve it like this:
Create your own user entity extends UserInterface and then custom the function getRoles(); http://symfony.com/doc/current/cookbook/security/custom_provider.html 1. Inside this function you can query the user belong to which group, from the group got all the roles. You can refer to the FOSUserBundle's user model and user entity file for more details. https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Model/User.php Line 247
Then you can manager the group and entity in the backend as the normal entity and add the user to the groups
Use the ACL but change the user identity to the role identity. http://symfony.com/doc/current/cookbook/security/acl_advanced.html
来源:https://stackoverflow.com/questions/13847592/symfony2-dynamic-role-management