
Protecting controller actions and routes in Symfony

The official documentation on the Symfony pages suggests using the ROLE_ADMIN (example) attribute in the ACL call

    $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

My question is whether it is possible to use the ACL call without the ROLE_ prefix.

The issue is that we have multiple systems without ROLES but with permissions as "USER.CREATE" or "USER_CREATE" which would protect the route POST /user/create and action Create() in UserController.

The best solution would be to have a Voter which would call the ACL as

    $objectName = 'USER';
    $action = 'CREATE';
    $this->denyAccessUnlessGranted($objectName . '_' . $action, null, 'Unable to access this page!');

But this does not work because everything relies on the ROLE_ prefix. Has anyone tried to achieve something like this?

IIRC, ROLE is a mandatory prefix in the Symfony role voter and I do not think it can be avoided (it is hardcoded), but you can create your own voters and add the logic you need there. You can read more here:

https://symfony.com/doc/current/security/voters.html

Also a great tutorial for voters:

https://stovepipe.systems/post/symfony-security-roles-vs-voters
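
A custom voter of the kind the answer points to, written here as an added example and not taken from the question, the answer, or the Symfony project: it handles permission-style attributes such as `USER_CREATE` or `USER.CREATE` and denies by default. It assumes PHP 8 and Symfony 6 or later; the `HasPermissions` interface, its `getPermissions()` method, and the class name `PermissionVoter` are hypothetical names standing in for however your systems expose a user's permissions.

```php
<?php
// Added example: not code from the original question or answer.
namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/** Hypothetical contract: how the existing systems expose a user's permissions. */
interface HasPermissions
{
    /** @return string[] e.g. ['USER_CREATE', 'USER.DELETE'] */
    public function getPermissions(): array;
}

final class PermissionVoter extends Voter
{
    // OBJECT_ACTION or OBJECT.ACTION, upper-case segments only.
    private const PATTERN = '/^[A-Z]+(?:[._][A-Z]+)+$/';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // ROLE_* stays with Symfony's own RoleVoter so the two never overlap.
        return !str_starts_with($attribute, 'ROLE_')
            && preg_match(self::PATTERN, $attribute) === 1;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        // Deny by default: unauthenticated tokens and user classes that carry
        // no permission data never pass.
        if (!$user instanceof HasPermissions) {
            return false;
        }

        // Treat USER.CREATE and USER_CREATE as the same permission.
        $normalize = static fn (string $p): string => str_replace('.', '_', $p);

        return in_array(
            $normalize($attribute),
            array_map($normalize, $user->getPermissions()),
            true // strict comparison, no type juggling
        );
    }
}
```

With service autoconfiguration enabled, a class extending `Voter` is registered as a voter automatically, so `$this->denyAccessUnlessGranted('USER_CREATE')` in a controller is then decided by this class.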
