Login/Register
FOSUserBundle and ACL Business Role
Asked Answered
symfonyyiiaclfosuserbundle
V

1

6

I started to learn Symfony 2 this weekend. I faced no problem, as the framework is well documented in my opinion.

I'm using FOSUserBundle package for ACL. I'm wondering if it's possible to make it similar to Yii framework:

$bizRule='return Yii::app()->user->id==$params["post"]->authID;';
$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
$task->addChild('updatePost');

You may see all details on the snippet above.

How can I achieve something similar with Symfony 2? Is this possible?

Villada answered 9/8, 2011 at 20:36 Comment(2)
If I understand correctly, you want to be able to restrict editing/updating of a post to the author of that post? I'm not familiar with Yii, so I'm kind of taking a shot in the dark here.Hurlee
@Hurlee - Exactly. Yii ACL approach allows you to provide a business rule (as shown in the snippet in my question). It checks automatically if logged user id equals authID - or any other column - of the post that is selected from database). Do you know about similar functionality in Symfony 2?Villada
H
22

Symfony2 has an ACL system out of the box that will do this. I'm including the relevant code for the sake of completeness (modified for Post instead of Comment as is in the documentation):

public function addPostAction()
{
    $post = new Post();

    // setup $form, and bind data
    // ...

    if ($form->isValid()) {
        $entityManager = $this->get('doctrine.orm.default_entity_manager');
        $entityManager->persist($post);
        $entityManager->flush();

        // creating the ACL
        $aclProvider = $this->get('security.acl.provider');
        $objectIdentity = ObjectIdentity::fromDomainObject($post);
        $acl = $aclProvider->createAcl($objectIdentity);

        // retrieving the security identity of the currently logged-in user
        $securityContext = $this->get('security.context');
        $user = $securityContext->getToken()->getUser();
        $securityIdentity = UserSecurityIdentity::fromAccount($user);

        // grant owner access
        $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
        $aclProvider->updateAcl($acl);
    }
}

Essentially, you're giving the currently logged in user ownership of the Post entity (which includes edit permissions). And then to check if the current user has permission to edit:

public function editPostAction(Post $post)
{
    $securityContext = $this->get('security.context');

    // check for edit access
    if (false === $securityContext->isGranted('EDIT', $post))
    {
        throw new AccessDeniedException();
    }

    // retrieve actual post object, and do your editing here
    // ...
}

I highly recommend that you read through both the Access Control List and Advanced ACL Concepts cookbook recipes for more information. The actual creation of ACLs as shown above is extremely verbose, and I have been working on an open-source ACL manager to ease the pain... it "kind of works;" it's early beta and needs a lot of love, so use at your own risk.

Hurlee answered 10/8, 2011 at 16:11 Comment(1)
If my answer has helped you, please feel free to upvote and accept it using the arrows and checkmark near the top of the answer. Thanks.Hurlee

© 2022 - 2024 — McMap. All rights reserved.