Sonata Admin: Let users only edit entities they own (ACL)
I have Sonata Admin set up with ACLs. I have different users, groups and permissions which work fine. To achieve this, I followed the Sonata Admin documentation on ACLs.

So here is my question: What is a clean way to ensure that backend (admin) users can only view, edit and delete the entities they created with Symfony's and Sonata Admin's built-in ACL mechanisms? Sonata Admin automatically stores the owner (creator) of the object once it is persisted in the ACL tables (from the Sonata docs):

Owner: when an object is created, the currently logged in user is set as owner for that object and is granted all access for that object;

The same question has already been answered on Stack Overflow, but the answer does not explain in detail how to solve it with ACLs.

Helices answered 30/11, 2012 at 16:12

Comment (Helices): @pulzarraider, I saw you already answered this question here, but may I ask you to go into detail about how to implement that with ACLs in Sonata Admin? I don't know how to limit the list of objects in the list view of Sonata Admin to the ones the currently logged-in user owns.

There is a new Symfony bundle doing just that: https://github.com/coopTilleuls/CoopTilleulsAclSonataAdminExtensionBundle

All you need to do is enable ACL in Sonata Admin, install the bundle and activate it. Pretty easy and effective, I use it in my Symfony2 project with Sonata Admin 2.2.

Helices answered 23/1, 2015 at 14:9

I saw 2 ways to do that:

I was not able to make any of these do the very simple thing that I needed, but I think this is the idea.

Actually this is one of many Symfony things on which I spent many hours and thousands lines of code without big success... Such simple needs should not be as much pain in the arse...

Scarberry answered 10/6, 2013 at 15:1

Comment (Floorwalker): The createQuery() is used only for the configureListFields: public function createQuery($context = 'list')

Don't grant the EDIT permission to the users. They can edit the instances they own but not others' instances.

I use this configuration:

#app/config/config.yml
sonata_admin:
    security:
        information:
            STAFF:    [VIEW, LIST, CREATE]
            EDITOR:   [OPERATOR, EXPORT]
            ADMIN:    [MASTER]

Documentation

Kinser answered 2/1, 2014 at 15:4

Comment (Salesin): Without the EDIT permission, users that can CREATE records can edit AND delete only instances they own. I think the delete part is important :)
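The permission table above stops non-owners from editing or deleting through the ACL voter, but the list view still shows every row unless the list query itself is filtered. The following is an added example, not code from the question, from any of the answers, or from the Sonata or CoopTilleuls projects: an admin class whose createQuery() hook keeps only the objects for which the ACL tables hold an object-level ACE granting the current user the OWNER bit, which is what Sonata's ACL security handler writes for the creator. It assumes Sonata Admin 3.x with SonataDoctrineORMAdminBundle (the createQuery() hook), Doctrine DBAL 2.x (fetchAll), Symfony's default ACL table names, and a security.token_storage service; PostAdmin and the Post entity are hypothetical names.

```php
<?php
// Added example (not from the page or the Sonata project): restrict the list
// view of one admin class to the objects whose ACL owner is the logged-in user.
// Assumed: Sonata Admin 3.x + SonataDoctrineORMAdminBundle (createQuery hook),
// Doctrine DBAL 2.x, default Symfony ACL table names, and Sonata's ACL handler
// having stored the creator as an object ACE carrying MaskBuilder::MASK_OWNER.
// PostAdmin / Post are hypothetical names.
namespace App\Admin;

use Doctrine\DBAL\Connection;
use Sonata\AdminBundle\Admin\AbstractAdmin;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

class PostAdmin extends AbstractAdmin
{
    public function createQuery($context = 'list')
    {
        $query = parent::createQuery($context);

        // MASTER (the ADMIN role in the config above) implies every other
        // permission, so those users keep the unfiltered list.
        if ($this->isGranted('MASTER')) {
            return $query;
        }

        $container = $this->getConfigurationPool()->getContainer();
        $token = $container->get('security.token_storage')->getToken();
        $user = $token ? $token->getUser() : null;

        // ProxyQuery forwards unknown calls to the Doctrine QueryBuilder,
        // so the entity's root alias is available the usual way.
        $alias = current($query->getRootAliases());

        $ownedIds = is_object($user)
            ? $this->findOwnedObjectIdentifiers($container->get('database_connection'), $user)
            : [];

        if (count($ownedIds) === 0) {
            // An empty IN () list is a DQL error; an always-false predicate on
            // the primary key yields an empty list instead (anonymous users,
            // or users who own nothing yet).
            $query->andWhere(sprintf('%s.id IS NULL', $alias));
            return $query;
        }

        $query->andWhere(sprintf('%s.id IN (:owned_ids)', $alias));
        $query->setParameter('owned_ids', $ownedIds);

        return $query;
    }

    /**
     * Object identifiers of this admin's entity class for which a granting,
     * object-level ACE gives the user's security identity the OWNER bit.
     *
     * @return string[]
     */
    private function findOwnedObjectIdentifiers(Connection $conn, $user)
    {
        // Same "Class-username" format the Symfony ACL provider writes to
        // acl_security_identities.identifier for user identities.
        $sid = UserSecurityIdentity::fromAccount($user);
        $sidIdentifier = $sid->getClass() . '-' . $sid->getUsername();

        // Object ACEs have object_identity_id set and no field_name; class
        // ACEs (object_identity_id NULL) are excluded by the join.
        $sql = <<<'SQL'
SELECT oid.object_identifier, ace.mask, ace.granting
FROM acl_object_identities oid
JOIN acl_classes cls ON cls.id = oid.class_id
JOIN acl_entries ace ON ace.object_identity_id = oid.id AND ace.field_name IS NULL
JOIN acl_security_identities sid ON sid.id = ace.security_identity_id
WHERE cls.class_type = :class_type
  AND sid.identifier = :sid_identifier
SQL;

        $rows = $conn->fetchAll($sql, [
            'class_type' => $this->getClass(),
            'sid_identifier' => $sidIdentifier,
        ]);

        $owned = [];
        foreach ($rows as $row) {
            // Bit test done in PHP so the SQL runs unchanged on MySQL,
            // PostgreSQL and SQLite (boolean and bitwise syntax differ).
            if ($row['granting'] && (((int) $row['mask']) & MaskBuilder::MASK_OWNER)) {
                $owned[$row['object_identifier']] = $row['object_identifier'];
            }
        }

        return array_values($owned);
    }
}
```

Because the filter keys off the same ACE the security handler checks for VIEW and EDIT, the list, show and edit routes agree on which objects a user may touch; a user who guesses another owner's ID still hits the ACL voter, and the row simply never appears in the list. The MASTER check at the top is what keeps the ADMIN role from being locked out of other people's records.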
