I'm posting this solution so that others can see my final code but here are the pitfalls I found when implementing a Voter as Problematic suggested.
supportsAttribute: It appears that when you call the isGranted
method on the SecurityContext
that it doesn't actually check this method before delegating a vote
call to a VoterInterface
so inside your vote
method you actually have to check the attributes yourself.
supportsClass: In problematic's answer above it seemed like this method could be a key for a Factory based selection of which VoterInterface
s can vote but actually the symfony2 documentation reads:
The supportsClass() method is used to check if the voter supports the current user token class.
Therefore it actually seems to pertain to whether or not the Voter
supports the token type. To make matters worse the PHP Doc seems vague:
Checks if the voter supports the given class.
At any rate the main problem is that this method is never checked by the SecurityContext
before delegating the call to the vote
method of any voter - even if this method is hardcoded to return false
vote
will still be called!
So basically the moral of the story appeared to be: check the $attributes
and $object
coming in on the vote
method manually.
My Code:
services.yml
parameters:
comment_voter.class: Acme\Bundle\CommentBundle\Security\Authorization\Voter\CommentVoter
services:
comment_voter:
class: %comment_voter.class%
arguments: [@service_container]
public: false
tags:
- { name: security.voter }
and the voter class:
<?php
namespace Acme\Bundle\CommentBundle\Security\Authorization\Voter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Acme\Bundle\CommentBundle\Entity\Comment;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* A class to check editing privileges for Comments.
*/
class CommentVoter implements VoterInterface {
const AUTHOR_EDIT_TIME_LIMIT = 300;
private $container;
public function __construct($container) {
$this->container = $container;
}
public function supportsAttribute($attribute) {
return $attribute === 'EDIT';
}
public function supportsClass($class) {
return true;
}
/**
* Checks whether or not the current user can edit a comment.
*
* Users with the role ROLE_COMMENT_MODERATOR may always edit.
* A comment's author can only edit within 5 minutes of it being posted.
*
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $object, array $attributes) {
if ( !($object instanceof Comment) ) {
return VoterInterface::ACCESS_ABSTAIN;
}
// Only supports 'EDIT' for now.
if ( !$this->supportsAttribute($attributes[0]) ) {
return VoterInterface::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if ( !($user instanceof UserInterface) ) {
return VoterInterface::ACCESS_DENIED;
}
// Is the token a comment moderator?
if ( $this->container->get('security.context')->isGranted('ROLE_COMMENT_MODERATOR') ) {
return VoterInterface::ACCESS_GRANTED;
}
// Is the token the author of the post and within the edit window.
$originalRevision = $object->getOriginalRevision();
if ( $originalRevision->getAuthor()->equals($user) ) {
if (
(time() - $originalRevision->getCreationDate()->getTimestamp())
<= self::AUTHOR_EDIT_TIME_LIMIT
) {
return VoterInterface::ACCESS_GRANTED;
}
}
return VoterInterface::ACCESS_DENIED;
}
}
and finally template:
{% if is_granted('EDIT', comment) %}<a href="#">Edit</a>{% endif %}
I hope this helps someone else in the future and a big thanks to Problematic for pointing me in the direction of Voters.