Sonata Admin ACL hide element in list
After a lot of effort I was finally able to configure Sonata Admin with ACL following this guide:
https://sonata-project.org/bundles/admin/master/doc/reference/security.html
I wanted users to be able to view and edit only items with the same `country` property as the user.
This is my config.yml:
```yaml
parameters:
    locale: en
    sonata.user.admin.user.class: AppBundle\Admin\UserAdmin
    sonata.admin.security.mask.builder.class: Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder

# SonataAdminBundle Configuration
sonata_admin:
    security:
        handler: sonata.admin.security.handler.acl
        role_admin: ROLE_ADMIN
        role_super_admin: ROLE_SUPER_ADMIN
        # acl security information
        information:
            GUEST: [VIEW, LIST]
            STAFF: [EDIT, LIST, CREATE]
            EDITOR: [OPERATOR, EXPORT]
            ADMIN: [MASTER]
        # permissions not related to an object instance and also to be available when objects do not exist
        # the DELETE admin permission means the user is allowed to batch delete objects
        admin_permissions: [CREATE, LIST, DELETE, UNDELETE, EXPORT, OPERATOR, MASTER]
        # permission related to the objects
        object_permissions: [VIEW, EDIT, DELETE, UNDELETE, OPERATOR, MASTER, OWNER]
```
I created an AclVoter in order to show/hide elements:
```yaml
services:
    security.acl.voter.country_owned_permissions:
        class: AppBundle\Security\Authorization\Voter\CountryOwnedAclVoter
        arguments:
            - "@security.acl.provider"
            - "@security.acl.object_identity_retrieval_strategy"
            - "@security.acl.security_identity_retrieval_strategy"
            - "@security.acl.permission.map"
            - "@logger"
        tags:
            - { name: monolog.logger, channel: security }
            - { name: security.voter, priority: 255 }
        public: false
```
This is the actual class:
```php
<?php

namespace AppBundle\Security\Authorization\Voter;

use FOS\UserBundle\Model\UserInterface;
use Symfony\Component\Security\Acl\Voter\AclVoter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

class CountryOwnedAclVoter extends AclVoter
{
    public function supportsClass($class)
    {
        // Object-scope ACL only: this voter decides on entities that carry a country.
        // Class-scope support (e.g. the Admin class for LIST checks) is deliberately not claimed.
        return is_subclass_of($class, 'AppBundle\Model\CountryOwnedInterface');
    }

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, array(
            'LIST',
            'VIEW',
            'EDIT',
            'DELETE',
            'EXPORT',
        ));
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // get_class() requires an object: abstain on class names, null or the Admin instance
        if (!is_object($object) || !$this->supportsClass(get_class($object))) {
            return self::ACCESS_ABSTAIN;
        }

        // anonymous tokens carry a string ('anon.') instead of a user object
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return self::ACCESS_ABSTAIN;
        }

        foreach ($attributes as $attribute) {
            if ($this->supportsAttribute($attribute)) {
                // deny access to objects that belong to a different country than the user
                if ($object->getCountry() != $user->getCountry()) {
                    return self::ACCESS_DENIED;
                }
            }
        }

        // leave the permission voting to the default AclVoter with the default permission map
        // (return parent::vote($token, $object, $attributes) here to apply the custom permission map instead)
        return self::ACCESS_ABSTAIN;
    }
}
```
It seems to work fine since a user can only edit items which have the same country as the user. The problem is that he can still view the items in the list.
What am I doing wrong?
As specified in the official documentation I just needed to install a specific bundle:

5.4.6. List filtering
List filtering using ACL is available as a third party bundle: CoopTilleulsAclSonataAdminExtensionBundle. When enabled, the logged in user will only see the objects for which it has the VIEW right (or superior).

This will suffice:

```shell
composer require tilleuls/acl-sonata-admin-extension-bundle
```

In AppKernel.php:

```php
// ACL list filter
new CoopTilleuls\Bundle\AclSonataAdminExtensionBundle\CoopTilleulsAclSonataAdminExtensionBundle(),
```