php – Symfony 2 ACL和角色层次结构
发布时间:2020-12-13 17:30:34 所属栏目:PHP教程 来源:网络整理
导读:我有点陷入困境,无法找到答案. 在我的应用测试中,我创建了两个实体用户和注释都正确映射. 我已经创建了一个小控制器,根据用户将注释和数据添加到ACL表,如果我创建我的注释作为标准用户与“ROLE_USER”关联,并尝试以用户身份访问它角色’ROLE_ADMIN’我被拒绝
|
我有点陷入困境,无法找到答案.
在我的应用测试中,我创建了两个实体用户和注释都正确映射. 我已经创建了一个小控制器,根据用户将注释和数据添加到ACL表,如果我创建我的注释作为标准用户与“ROLE_USER”关联,并尝试以用户身份访问它角色’ROLE_ADMIN’我被拒绝访问,似乎完全忽略了security.yml层次结构. 我知道这可以通过添加而不是用户ID ROLE_USER等来工作,但我不想这样做. 我的代码示例如下. CommentController <?php
namespace ACLTestBundleController;
use SymfonyBundleFrameworkBundleControllerController;
use SensioBundleFrameworkExtraBundleConfigurationRoute;
use SensioBundleFrameworkExtraBundleConfigurationTemplate;
use SymfonyComponentHttpFoundationRequest;
use ACLTestBundleFormsTypecommentType;
use ACLTestBundleEntityComment;
use SymfonyComponentSecurityCoreExceptionAccessDeniedException;
use SymfonyComponentSecurityAclDomainObjectIdentity;
use SymfonyComponentSecurityAclDomainUserSecurityIdentity;
use SymfonyComponentSecurityAclPermissionMaskBuilder;
class DefaultController extends Controller
{
/**
* @Route("/",name="_default")
* @Template()
*/
public function indexAction()
{
die('success');
}
/**
* @Route("/comment/new/")
* @Template()
*/
public function newAction(Request $request)
{
$comment = new Comment();
$form = $this->createForm(new commentType(),$comment);
$form->handleRequest($request);
if ($form->isValid()) {
$comment->setUsers($this->getUser());
$em = $this->getDoctrine()->getManager();
$em->persist($comment);
$em->flush();
// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);
// retrieving the security identity of the currently logged-in user
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());
// grant owner access
$acl->insertObjectAce($securityIdentity,MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}
return array(
'form' => $form->createView(),);
}
/**
* @Route("/comment/{id}/",requirements={"id":"d+"})
* @Template()
*/
public function editAction(Request $request,$id)
{
$em = $this->getDoctrine()->getManager();
$comment = $em->find('ACLTestBundle:Comment',$id);
$securityContext = $this->get('security.context');
// check for edit access
if (false === $securityContext->isGranted('EDIT',$comment)) {
throw new AccessDeniedException();
}
$form = $this->createForm(new commentType(),$comment);
$form->handleRequest($request);
if($form->isValid()){
$em->persist($comment);
$em->flush();
}
return array('form' => $form->createView());
}
}
security.yml security:
encoders:
ACLTestBundleEntityUser: plaintext
acl:
connection: default
providers:
database:
entity: { class: ACLTestBundle:User }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER,ROLE_ALLOWED_TO_SWITCH]
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
provider: database
anonymous: true
logout: true
switch_user: true
form_login:
login_path: _security_login
access_control:
- { path: ^/login,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/,roles: IS_AUTHENTICATED_FULLY }
我很感激任何建议! 解决方法
问题是您正在添加基于UserIdentity的ACL,并希望检查基于RoleIdentity的gran.如果要这样做,角色库将更改创建ACL,如下所示
// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);
// retrieving the security identity of the currently logged-in user
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());
// grant owner access
$acl->insertObjectAce($securityIdentity,MaskBuilder::MASK_OWNER);
// grant EDIT access to ROLE_ADMIN
$securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN');
$acl->insertObjectAce($securityIdentity,MaskBuilder::MASK_EDIT);
$aclProvider->updateAcl($acl);
如您所见,我保留了特定用户的所有者访问权限,然后我添加了ROLE_ADMIN的编辑权限.您可以按原样保留控制器. 如果您不想使其成为角色基础但只想为管理员用户提供例外,则可以将控制器更改为 // check for edit access
if (false === $securityContext->isGranted('EDIT',$comment) && false === $securityContext->isGranted('ROLE_ADMIN') ) {
throw new AccessDeniedException();
}
(编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |