Symfony2 - Dynamic Role Management


Problem description

I'm working on a CRM which will feature advanced authorization and the management of users in groups that have a specific role in the system.

Basically, what I'd like to do is this:

  • manage dynamic authorization of (domain) models / controllers / actions
  • manage dynamic authorization of objects and fields.

I know about ROLE_xxxx in the security.yml file but I'd rather not hardcode the roles.

For example, I'd like to have a sort of matrix/grid where a super administrator can create custom authorization roles.

One of those roles could be: "Team Leader" can view and edit the email address of an employee but can't see or edit the Employee_Wage field.

Another use case would be where a user in the user group "Accounting" can call the action generateInvoiceAction() but can't access the action createNewEmployeeAction().

Another use case would be where a PROJECT LEADER can add a project using newProjectAction(), but certain fields/attributes of the PROJECT object are not visible/accessible to the group PROJECT LEADER.

I understand that you can set these in the security and routing configuration, but I'd rather not hardcode these roles. For example, if the company decides that they want to create a new group with specific roles, they should be able to.

My (pseudo) solution

  1. Go over every domain model, action/function and object/field and create a role for each CRUD operation, so for example create EMPLOYEE_FIRSTNAME_READ, EMPLOYEE_FIRSTNAME_UPDATE, EMPLOYEE_CREATE, EMPLOYEE_EDIT, EMPLOYEE_DELETE etc...

  2. Create a database object "Group" with a Title field, which holds an array of combinations of all the roles.

  3. Put the users into groups.

Is this the way to go, or are there better ways to achieve this in Symfony2?

Basically: create a group that has specific roles based on domain models, objects, fields, etc., that can be configured using an administrator backend.

I hope I'm explaining this correctly; feel free to reply and ask for more information.

(I remember something similar in earlier versions of Invision Power Board, where you could configure a grid of permission masks and attach them to groups.)

Recommended answer

From what you said here, I think the way to go is to use ACL.

http://symfony.com/doc/master/cookbook/security/acl.html

However, you will have to check permissions yourself, starting every secured method with something like this:

use Symfony\Component\Security\Core\Exception\AccessDeniedException;

$securityContext = $this->get('security.context');
$comment = ... // load using Doctrine?

// Ask the ACL whether the current user holds EDIT on this particular object
if (false === $securityContext->isGranted('EDIT', $comment)) {
    throw new AccessDeniedException();
}

If you are extending Symfony's Controller class, I strongly suggest adding one more class in between which will implement the common security logic, in order to minimize mistakes as much as possible...

When working with services, on the other hand, where you can supply an object as a parameter, you could rely on the @SecureParam annotation from JMSSecurityExtraBundle (I assume you use it) to check the relevant domain object permissions.

http://jmsyst.com/bundles/JMSSecurityExtraBundle/master/annotations

Hope this helps a bit...
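One way to put the common security logic into an intermediate controller class, as the answer suggests, written here as an added example (not code from the original answer or from Symfony itself). It assumes Symfony 2.x with the ACL component enabled and its tables initialised; `SecuredController`, `denyUnlessGranted`, `grantRoleOnObject`, `EmployeeController`, `ROLE_TEAM_LEADER` and the repository name `AcmeCrmBundle:Employee` are hypothetical names.

```php
<?php
// Added example, not from the original answer. Assumes Symfony 2.x with the
// ACL tables initialised (init:acl) and the security.acl.provider service.
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException;

abstract class SecuredController extends Controller
{
    // Single place for the isGranted() check; every action calls this first.
    protected function denyUnlessGranted($attribute, $object = null)
    {
        if (false === $this->get('security.context')->isGranted($attribute, $object)) {
            throw new AccessDeniedException(sprintf('Missing "%s" on this object.', $attribute));
        }
    }

    // Give a (dynamically created) role a set of permissions on one domain object,
    // e.g. grantRoleOnObject('ROLE_TEAM_LEADER', $employee, array('VIEW', 'EDIT')).
    // This is what a super-admin permission grid would call when it is saved.
    protected function grantRoleOnObject($role, $object, array $permissions)
    {
        $aclProvider = $this->get('security.acl.provider');
        $objectIdentity = ObjectIdentity::fromDomainObject($object);
        try {
            $acl = $aclProvider->createAcl($objectIdentity);
        } catch (AclAlreadyExistsException $e) {
            $acl = $aclProvider->findAcl($objectIdentity);
        }

        $builder = new MaskBuilder();
        foreach ($permissions as $permission) {
            $builder->add($permission); // 'VIEW', 'EDIT', 'DELETE', ... combined into one mask
        }
        $acl->insertObjectAce(new RoleSecurityIdentity($role), $builder->get());
        $aclProvider->updateAcl($acl);
    }
}

// Example action: only roles holding EDIT on this employee get past the check.
class EmployeeController extends SecuredController
{
    public function editAction($id)
    {
        $employee = $this->getDoctrine()->getRepository('AcmeCrmBundle:Employee')->find($id);
        $this->denyUnlessGranted('EDIT', $employee);
        // ... render the edit form
    }
}
```

Field-level rules such as hiding Employee_Wage still need a second check at the form or view layer, since an object-level ACE covers the whole entity.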
