如何在数据库级别动态处理Symfony2中的角色|权限：对它们的CRUD操作

Question

I am working in a Symfony 2.8 project and I have a doubt regarding users/groups/roles|permissions. There are a few ways to handle users and groups as for example SonataUser on top of SonataAdmin and lately EasyAdmin but all of them lacks ROLE|permissions management and this is exactly my doubt: what's the proper way to handle them? Yes, I know I need to write them at security.yml but I don't know if I can store then in DB (somewhere) and then read from there. I have research about this and found ACL, Voters and so on but instead of clear my mind the research is confusing me a lot so I need some push from people here. Then:

• How would you handle this?
• Any example at code level? (I prefer to see something other than words to get the whole point)
• Are ROLES sames as permissions?

Update: improve question

What I want to have is a ManyToMany relationship between users and roles and possibly groups and roles . I think that as SonataUserBundle handle this is by creating a column roles in user table and assign a lot of roles to each user, even create new ones if I'm not mistaken but what about if I want to create as much roles as I can without assign them to a user and later add many roles to a user even to a group?

How would you do that?

Answer 1

You can add new roles in the FOSUserBundle on the go. There is no need for you to initially add it in the security.yml file.

To do this you can do something like this:

$user = new User();
$user->addRole('ROLE_NEWUSER'); //Role Name should begin with 'ROLE_'

or in your controller you can get current or any user

$this->getUser();
$user->addRole('ROLE_NEWUSER'); //Role Name should begin with 'ROLE_'

This answers your first and second part.

For the third part, Roles can be used as permissions. I have implemented a structure previously where I was restricting access to pages based on the user role also restricting what data they can change based on their role.

UPDATE I implemented an Event Listener for this which would listen to all the kernel requests which is called onKernelRequest . I have partially done the access management on the SQL side since I have my roles stored in SQL side as well but one can do the same on the Server side. My Event Listener looked like this: (This is a trimmed down version of what I have)

class TokenListener
{
    protected $em;
    protected $token_storage;
    protected $templating;
    protected $router;
    protected $resolver;
    public function __construct($em,TokenStorageInterface $token_storage, TwigEngine $templating, Router $router, ControllerResolver $resolver)
    {
        $this->em = $em;
        $this->token_storage = $token_storage;
        $this->templating = $templating;
        $this->router = $router;
        $this->resolver = $resolver;
    }


    public function onKernelRequest(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        $route  = $request->attributes->get('_route');
        $routeArr = array('fos_js_routing_js', 'fos_user_security_login', '_wdt'); //These are excluded routes. These are always allowed. Required for login page
        if(!is_int(array_search($route, $routeArr)) && false)
        {
            $userRoles = $this->token_storage->getToken()->getUser()->getRoles();
            if(!in_array('ROLE_NEWUSER', $userRoles))
            {
                $event->setResponse(new RedirectResponse($this->router->generate('user_management_unauthorized_user', array())));
            }
        }
    }
}

My services.yml looks like this

services:
    app.tokens.action_listener:
        class: EventListenerBundle\EventListener\TokenListener
        arguments:
            entityManager: "@doctrine.orm.entity_manager"
            token_storage: "@security.token_storage"
            templating: "@templating"
            router: "@router"
            resolver: "@controller_resolver"
        tags:
            - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest }

UPDATE To answer your update part of the question, what you can do is have another roles entity and you could populate the roles you want in advance and then have a one to many relationship with the original User table. You can then have something like prePersist or preUpdate Doctrine Lifecycle Events to check when adding a new if the role already exists in your roles entity. That should precisely solve your problem. All this will involve a little tweaking though. There is no straight way to do this.

Answer 2

It depends how you want to implement this.

One approach:

Implement the UserProviderInterface to loadByUsername (this is where you load the roles and permissions) an implementation of a UserInterface (your User ).

Then Implement the VoterInterface . Register this as a service tagged with security.voter and specify it as a provider in security.yml. Override the vote function to assess the User you loaded for permissions (and maybe roles too) from TokenInterface which is the first argument of that function.