Sylius管理控制器如何受限于管理员用户

Question

When working in a traditional (or more accurately, some traditional) PHP MVC systems, if an application has an "admin" area that requires users to login to the application, a programmer will either use a controller class that inherits from some base admin controller, or uses some admin trait. The routing code in these systems knows to use certain methods on the admin controller/trait to check if a user is authorized.

Sylius controllers, however, are stand-alone classes with no parent classes .

<?php
//...
final class DashboardController
{
    //...
}

and don't appear to contain any code that does a "is the user logged in" check.

How does a sylius programmer create a route to an controller that requires a user to be logged in?

What system, under the hood, enforces a sylius user being logged in or not?

Answer 1

Sylius is using Symfony as a PHP Framework and it relies on the Security component to restrict access to certain areas of the application that are not intended to be public (eg. admin panel).

Such configuration can be seen here: https://github.com/Sylius/Sylius/blob/master/config/packages/security.yaml (see lines #16 and #101).

Resources (basically, every entity in Sylius - product, users, attributes, taxons) have a more advanced permissions that can be leveraged through plugins like https://github.com/Sylius/RbacPlugin or https://bitbag.shop/products/sylius-access-control-layer .

Example: https://github.com/Sylius/Sylius/blob/master/src/Sylius/Bundle/AdminBundle/Resources/config/routing/admin_user.yml#L10

You can read more about how Symfony Security component works here: https://symfony.com/doc/current/components/security.html