Symfony 2 ACL和角色层次结构 [英] Symfony 2 ACL and Role Hierarchy
问题描述
我有点卡住,无法找到答案。
I'm a little stuck and unable to find the answer to this.
在我的应用程序测试中,我创建了两个实体User和Comment都已正确映射。
In my app test I've created two Entities User and Comment both are mapped correctly.
我创建了一个小型控制器,如果创建我的控制器,根据用户的不同,该控制器会将注释和数据添加到 ACL 表中。注释为具有 ROLE_USER关联对象的标准用户,并尝试以具有 ROLE_ADMIN角色的用户身份访问它,但由于访问被拒绝,它似乎完全忽略了security.yml层次结构。
I have created a small controller which depending on the user will add the comment and the data to the ACL tables, if I create my comment as a standard user with the associated for of 'ROLE_USER', and Try to access it as user with the role 'ROLE_ADMIN' I get access denied, it seems to completely ignore the security.yml hierarchy.
我知道这可以通过添加ROLE_USER等而不是userid来实现,但我不想这样做。
I know this works by adding instead of the userid the ROLE_USER etc but I don't want to do it this way.
示例我的代码在下面。
CommentController
<?php
namespace ACL\TestBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
use Symfony\Component\HttpFoundation\Request;
use ACL\TestBundle\Forms\Type\commentType;
use ACL\TestBundle\Entity\Comment;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
class DefaultController extends Controller
{
/**
* @Route("/", name="_default")
* @Template()
*/
public function indexAction()
{
die('success');
}
/**
* @Route("/comment/new/")
* @Template()
*/
public function newAction(Request $request)
{
$comment = new Comment();
$form = $this->createForm(new commentType(), $comment);
$form->handleRequest($request);
if ($form->isValid()) {
$comment->setUsers($this->getUser());
$em = $this->getDoctrine()->getManager();
$em->persist($comment);
$em->flush();
// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);
// retrieving the security identity of the currently logged-in user
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());
// grant owner access
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}
return array(
'form' => $form->createView(),
);
}
/**
* @Route("/comment/{id}/", requirements={"id":"\d+"})
* @Template()
*/
public function editAction(Request $request,$id)
{
$em = $this->getDoctrine()->getManager();
$comment = $em->find('ACLTestBundle:Comment', $id);
$securityContext = $this->get('security.context');
// check for edit access
if (false === $securityContext->isGranted('EDIT',$comment)) {
throw new AccessDeniedException();
}
$form = $this->createForm(new commentType(), $comment);
$form->handleRequest($request);
if($form->isValid()){
$em->persist($comment);
$em->flush();
}
return array('form' => $form->createView());
}
}
security.yml
security:
encoders:
ACL\TestBundle\Entity\User: plaintext
acl:
connection: default
providers:
database:
entity: { class: ACLTestBundle:User }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
provider: database
anonymous: true
logout: true
switch_user: true
form_login:
login_path: _security_login
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
我感谢任何建议!
推荐答案
问题是您要基于UserIdentity添加ACL,并希望检查基于RoleIdentity的Gran。如果要执行此操作,请根据以下角色更改创建的ACL
The problem is that you are adding adding ACL base on UserIdentity and want to check the gran base on RoleIdentity. If you want to do it Role base change the creating ACL as below
// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);
// retrieving the security identity of the currently logged-in user
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());
// grant owner access
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
// grant EDIT access to ROLE_ADMIN
$securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN');
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_EDIT);
$aclProvider->updateAcl($acl);
您看到我保留了特定用户的所有者访问权限,然后为ROLE_ADMIN添加了编辑访问权限。您可以按原样保留控制器。
As you see I kept the owner access for the specific user then I added Edit access for ROLE_ADMIN. You can keep the controller as is.
如果您不想使其成为角色基础,而只想为管理员用户提供例外,则可以将控制器更改为
If you don't want to make it Role base but just want to give an exception for admin users you can change your controller as
// check for edit access
if (false === $securityContext->isGranted('EDIT',$comment) && false === $securityContext->isGranted('ROLE_ADMIN') ) {
throw new AccessDeniedException();
}
这篇关于Symfony 2 ACL和角色层次结构的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
