How to use the AccessDecisionManager in Symfony2 for authorization of arbitrary users?
Question
I'd like to be able to verify whether or not attributes (roles) are granted to any arbitrary object implementing UserInterface in Symfony2. Is this possible?
UserInterface->getRoles() is not suitable for my needs because it does not take the role hierarchy into account, and I'd rather not reinvent the wheel in that department, which is why I'd like to use the Access Decision Manager if possible.
Thanks.
In response to Olivier's solution below, here is my experience:
You can use the security.context service with the isGranted method. You can pass a second argument which is your object.
$user = new CoreModelUser();
var_dump($user->getRoles(), $this->get('security.context')->isGranted('ROLE_ADMIN', $user));
Output:
array (size=1)
0 => string 'ROLE_USER' (length=9)
boolean true
My role hierarchy:
role_hierarchy:
ROLE_USER: ~
ROLE_VERIFIED_USER: [ROLE_USER]
ROLE_ADMIN: [ROLE_VERIFIED_USER]
ROLE_SUPERADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
ROLE_ALLOWED_TO_SWITCH: ~
My UserInterface->getRoles() method:
public function getRoles()
{
    $roles = [$this->isVerified() ? 'ROLE_VERIFIED_USER' : 'ROLE_USER'];
    /**
     * @var UserSecurityRole $userSecurityRole
     */
    foreach ($this->getUserSecurityRoles() as $userSecurityRole) {
        $roles[] = $userSecurityRole->getRole();
    }
    return $roles;
}
ROLE_ADMIN must be explicitly assigned, yet isGranted('ROLE_ADMIN', $user) returns TRUE even if the user was just created and has not been assigned any roles other than the default ROLE_USER, as long as the currently logged in user is granted ROLE_ADMIN. This leads me to believe the 2nd argument to isGranted() is just ignored and that the Token provided to AccessDecisionManager->decide() by the SecurityContext is used instead.
If this is a bug I'll submit a report, but maybe I'm still doing something wrong?
Answer
security.context is deprecated since 2.6.
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Build a token carrying the arbitrary user's roles; 'secured_area' is the firewall name.
$token = new UsernamePasswordToken(
    $user,
    null,
    'secured_area',
    $user->getRoles()
);
// This replaces the request's current token in the shared token storage.
$tokenStorage = $this->container->get('security.token_storage');
$tokenStorage->setToken($token);
$authorizationChecker = new AuthorizationChecker(
    $tokenStorage,
    $this->container->get('security.authentication.manager'),
    $this->container->get('security.access.decision_manager')
);
if (!$authorizationChecker->isGranted('ROLE_ADMIN')) {
    throw new AccessDeniedException();
}
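The behaviour the asker saw is expected: in Symfony 2.x the second argument of isGranted() is the "object" (subject) handed to voters for things like ACL checks, and the role voters never look at it; the token always comes from the security context, so the logged-in admin's roles decide the outcome. The answer above fixes that by swapping the token in the shared security.token_storage, but that has a side effect worth knowing about: the replacement token stays in storage for the rest of the request, and the firewall's context listener can persist it to the session, effectively logging the request in as the arbitrary user unless the original token is saved and restored. The following added example (not code from the question, the answer, or Symfony itself) shows the side-effect-free alternative: build a throwaway token for the user and pass it straight to the access decision manager, which expands the roles through the configured hierarchy. It assumes symfony/security-core is installed (the 2.6-era API discussed here; the same classes exist through Symfony 4), and ExampleUser and isGrantedForUser are hypothetical stand-ins for the asker's own User class and a helper they would write.

```php
<?php
// Added example, not from the original question or answer.
// Assumes: composer require symfony/security-core (2.6-era API).
// ExampleUser and isGrantedForUser are hypothetical names for illustration.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
use Symfony\Component\Security\Core\User\UserInterface;

// Minimal user whose getRoles() mirrors the asker's: the base role depends on
// verification status, and explicitly assigned roles are appended.
class ExampleUser implements UserInterface
{
    private $username;
    private $verified;
    private $explicitRoles;

    public function __construct($username, $verified, array $explicitRoles = array())
    {
        $this->username = $username;
        $this->verified = $verified;
        $this->explicitRoles = $explicitRoles;
    }

    public function getRoles()
    {
        $base = $this->verified ? 'ROLE_VERIFIED_USER' : 'ROLE_USER';
        return array_merge(array($base), $this->explicitRoles);
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return null; }
    public function getSalt() { return null; }
    public function eraseCredentials() {}
}

/**
 * Decide $attribute for an arbitrary user without touching the token storage.
 *
 * The decision manager only needs a token that carries the user's roles; the
 * RoleHierarchyVoter expands them through the configured hierarchy. The token
 * is never stored, so the request's real logged-in token is left untouched.
 * The firewall name is not inspected by the role voters; it is only required
 * by the token constructor.
 */
function isGrantedForUser(AccessDecisionManagerInterface $adm, UserInterface $user, $attribute, $firewall = 'secured_area')
{
    $token = new UsernamePasswordToken($user, null, $firewall, $user->getRoles());
    return $adm->decide($token, array($attribute));
}

// Same hierarchy as the asker's role_hierarchy block (empty arrays stand in for ~).
// Inside a Symfony app you would instead take $adm from
// $container->get('security.access.decision_manager'), which is already wired.
$hierarchy = new RoleHierarchy(array(
    'ROLE_USER'              => array(),
    'ROLE_VERIFIED_USER'     => array('ROLE_USER'),
    'ROLE_ADMIN'             => array('ROLE_VERIFIED_USER'),
    'ROLE_SUPERADMIN'        => array('ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
    'ROLE_ALLOWED_TO_SWITCH' => array(),
));
$adm = new AccessDecisionManager(array(new RoleHierarchyVoter($hierarchy)), 'affirmative');

// Constructed sample users: the logged-in admin, a freshly created user with
// only the default role, and a superadmin whose rights come via the hierarchy.
$admin      = new ExampleUser('alice', true, array('ROLE_ADMIN'));
$fresh      = new ExampleUser('bob', false);
$superadmin = new ExampleUser('carol', true, array('ROLE_SUPERADMIN'));

$checks = array(
    array($admin,      'ROLE_ADMIN',             true),
    array($admin,      'ROLE_USER',              true),   // reached through the hierarchy
    array($fresh,      'ROLE_ADMIN',             false),  // what the asker expected for a new user
    array($fresh,      'ROLE_USER',              true),
    array($superadmin, 'ROLE_ALLOWED_TO_SWITCH', true),
);
foreach ($checks as $c) {
    list($user, $attr, $expected) = $c;
    $got = isGrantedForUser($adm, $user, $attr);
    printf("%-6s %-24s %s%s\n", $user->getUsername(), $attr,
        $got ? 'granted' : 'denied', $got === $expected ? '' : '   <-- UNEXPECTED');
}
```

Because the check is made against a token that exists only for the duration of the call, nothing else in the request (the firewall, Twig's is_granted(), later controller code) can observe a different "current user" than the one who actually authenticated. If the answer's token-swapping approach is kept, wrap it in a try/finally that restores the original token from getToken() before the response is sent.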