How to use the AccessDecisionManager in Symfony2 for authorization of arbitrary users?

Question

I'd like to be able to verify whether or not attributes (roles) are granted to any arbitrary object implementing UserInterface in Symfony2. Is this possible?

UserInterface->getRoles() is not suitable for my needs because it does not take the role hierarchy into account, and I'd rather not reinvent the wheel in that department, which is why I'd like to use the Access Decision Manager if possible.

Thanks.

In response to Olivier's solution below, here is my experience:

You can use the security.context service with the isGranted method. You can pass a second argument which is your object.

$user = new CoreModelUser();
var_dump($user->getRoles(), $this->get('security.context')->isGranted('ROLE_ADMIN', $user));

Output:

array (size=1)
  0 => string 'ROLE_USER' (length=9)

boolean true

My role hierarchy:

role_hierarchy:
    ROLE_USER:          ~
    ROLE_VERIFIED_USER: [ROLE_USER]
    ROLE_ADMIN:         [ROLE_VERIFIED_USER]
    ROLE_SUPERADMIN:    [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    ROLE_ALLOWED_TO_SWITCH: ~

My UserInterface->getRoles() method:

public function getRoles()
{
    $roles = [$this->isVerified() ? 'ROLE_VERIFIED_USER' : 'ROLE_USER'];

    /**
     * @var UserSecurityRole $userSecurityRole
     */
    foreach ($this->getUserSecurityRoles() as $userSecurityRole) {
        $roles[] = $userSecurityRole->getRole();
    }

    return $roles;
}

ROLE_ADMIN must be explicitly assigned, yet isGranted('ROLE_ADMIN', $user) returns TRUE even if the user was just created and has not been assigned any roles other than the default ROLE_USER, as long as the currently logged in user is granted ROLE_ADMIN. This leads me to believe the 2nd argument to isGranted() is just ignored and that the Token provided to AccessDecisionManager->decide() by the SecurityContext is used instead.

If this is a bug I'll submit a report, but maybe I'm still doing something wrong?

Answer

security.context is deprecated since 2.6.

Use AuthorizationChecker:

use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Build an authenticated token for the user to check; 'secured_area' is the firewall name
$token = new UsernamePasswordToken(
    $user,
    null,
    'secured_area',
    $user->getRoles()
);
// Install that token in the shared token storage (this replaces the logged-in user's token)
$tokenStorage = $this->container->get('security.token_storage');
$tokenStorage->setToken($token);
$authorizationChecker = new AuthorizationChecker(
    $tokenStorage,
    $this->container->get('security.authentication.manager'),
    $this->container->get('security.access.decision_manager')
);
// isGranted() now decides for the token just stored, role hierarchy included
if (!$authorizationChecker->isGranted('ROLE_ADMIN')) {
    throw new AccessDeniedException();
}
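The snippet above works because setToken() installs the arbitrary user's token in the shared security.token_storage, but that also replaces the logged-in user's token for the rest of the request unless it is restored afterwards. The AccessDecisionManager can be asked directly with a throw-away token instead, which leaves the session token untouched. This also explains the behaviour observed in the question: the second argument of isGranted() is the subject handed to the voters, not the user to be checked, so the decision is always made for the token in storage. The following is an added example, not code from the question or the answer; it assumes Symfony 2.6+ (the AccessDecisionManagerInterface::decide() signature and the security.access.decision_manager service), a firewall named 'secured_area' as in the answer, and the class name ArbitraryUserAuthorizationChecker is hypothetical.

```php
<?php
// Added example (not from the question or answer): decide for an arbitrary
// user by calling the AccessDecisionManager directly with a temporary token,
// so the shared token storage (the logged-in user) is never modified.
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

// Hypothetical service name; wire it with the security.access.decision_manager service.
class ArbitraryUserAuthorizationChecker
{
    private $accessDecisionManager;
    private $firewallName;

    public function __construct(AccessDecisionManagerInterface $accessDecisionManager, $firewallName)
    {
        $this->accessDecisionManager = $accessDecisionManager;
        $this->firewallName = $firewallName;
    }

    /**
     * @param UserInterface $user       the user to check, not necessarily the logged-in one
     * @param string[]      $attributes attributes to decide on, e.g. array('ROLE_ADMIN')
     * @param mixed|null    $subject    optional domain object passed through to the voters
     *
     * @return bool true when the configured voters grant every attribute
     */
    public function isGranted(UserInterface $user, array $attributes, $subject = null)
    {
        // A token built with a non-empty role list is marked authenticated, which is
        // what the voters expect. It is never stored, so the session token is untouched.
        $token = new UsernamePasswordToken(
            $user,
            null,
            $this->firewallName,
            $user->getRoles()
        );

        // decide() runs the configured voters; with a role_hierarchy configured the
        // RoleHierarchyVoter expands inherited roles, so ROLE_SUPERADMIN implies ROLE_ADMIN.
        return $this->accessDecisionManager->decide($token, $attributes, $subject);
    }
}

// Usage inside a container-aware controller or service (Symfony 2.6+):
//
// $checker = new ArbitraryUserAuthorizationChecker(
//     $this->container->get('security.access.decision_manager'),
//     'secured_area'   // firewall name, as in the answer above
// );
// $isAdmin = $checker->isGranted($someUser, array('ROLE_ADMIN'));
```

With the question's role hierarchy, a freshly created user whose getRoles() returns only ROLE_USER yields false for ROLE_ADMIN regardless of who is currently logged in, and a user holding ROLE_SUPERADMIN yields true because the hierarchy is applied by the voter rather than by getRoles().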
