
Symfony 3 - I have some difficulties to manage my roles

I'm trying to establish roles on my site. I have 3 administration pages:

  • /admin/users
  • /admin/packages
  • /admin/information

The ROLE_ADMIN must be able to access these 3 links.

ROLE_INFOS must be able to access /admin/information

ROLE_PACKAGES must be able to access /admin/packages

My security.yml looks like:

# app/config/security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER, ROLE_INFOS, ROLE_PACKAGES
        ROLE_INFOS:       ROLE_INFOS, ROLE_USER
        ROLE_PACKAGES:    ROLE_PACKAGES, ROLE_USER
        ROLE_USER:        ROLE_USER

    # ...

    access_control:
        - { path: ^/admin/paquets, role: ROLE_PACKAGES }
        - { path: ^/admin/informations, role: ROLE_INFOS }
        - { path: ^/admin, role: ROLE_ADMIN }
        - { path: ^/accueil, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }

I wanted to know if my way of organizing this is correct?

In addition, on my site I have a navbar that displays different tabs depending on the role of the user.

I have a tab "Management" which is actually a drop-down menu pointing to the 3 possible links (packages, users, information).

However, I have this in my base.html.twig:

{% if is_granted('ROLE_ADMIN') %}

This condition shows me the management tab for the admins. I would like it to be displayed for each of the roles I mentioned (ROLE_ADMIN, ROLE_INFOS, ROLE_PACKAGES).

Do I have to do something like:

{% if is_granted('ROLE_ADMIN') %} or
{% if is_granted('ROLE_INFOS') %} or
{% if is_granted('ROLE_PACKAGES') %}

Thanks for your help

You can manage it as you already did, but...

  1. There are some errors in your security.yml file (each hierarchy entry should be an array, and avoid self-referencing entries)
  2. It is easier to manage security via controllers and views than via access_control in your security.yml

# app/config/security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER, ROLE_INFOS, ROLE_PACKAGES]
        ROLE_INFOS:       [ROLE_USER]
        ROLE_PACKAGES:    [ROLE_USER]

In your view you can hide some links by using:

{% if is_granted('ROLE_ADMIN') %}
    <a href="{{ path('packages_foo') }}">Link to admin packages</a>
{% endif %}

Be aware that only the security annotations in a controller manage access. If you only use the code above, a user can still access the page if they know the URL of the administration page.

In your controller, you can set security with security annotations, which is a better practice than the access_control rules in your security.yml file:

# src/Controller/PackageController.php

/* ... */
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;
/* ... */

/**
 * Package controller.
 *
 * @Route("/admin/packages")
 *
 * @Security("is_granted('ROLE_PACKAGES')")
 */
class PackageController extends AbstractController
{
    /* ... actions protected by the class-level @Security annotation ... */
}

Have a look at the Symfony security annotation documentation.
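As an added illustration (not part of the answer or the original question), the following stand-alone PHP script models how Symfony expands the corrected role_hierarchy and applies access_control rules first-match-first, using the roles from this thread and the English path names the question lists. It shows why an admin also passes is_granted('ROLE_INFOS') (so the navbar check only needs the two sub-roles) and why the specific ^/admin/... rules must come before ^/admin.

```php
<?php
// Added example (not from the question or answer): a Symfony-free model of how
// role_hierarchy expansion and first-match access_control interact, using the
// roles and paths from this thread. Hierarchy and rules are constructed here.
declare(strict_types=1);
// Hierarchy from the answer, in array form (no self-references).
const ROLE_HIERARCHY = [
    'ROLE_ADMIN'    => ['ROLE_USER', 'ROLE_INFOS', 'ROLE_PACKAGES'],
    'ROLE_INFOS'    => ['ROLE_USER'],
    'ROLE_PACKAGES' => ['ROLE_USER'],
];
// access_control rules: first match wins, so specific paths precede ^/admin.
const ACCESS_CONTROL = [
    ['path' => '#^/admin/packages#',    'role' => 'ROLE_PACKAGES'],
    ['path' => '#^/admin/information#', 'role' => 'ROLE_INFOS'],
    ['path' => '#^/admin#',             'role' => 'ROLE_ADMIN'],
    ['path' => '#^/#',                  'role' => 'ROLE_USER'],
];
/** Expand roles transitively, like RoleHierarchy::getReachableRoleNames(). */
function reachableRoles(array $userRoles): array
{
    $reachable = [];
    $queue = $userRoles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($reachable[$role])) {
            continue; // already visited: self-referencing entries cannot loop
        }
        $reachable[$role] = true;
        foreach (ROLE_HIERARCHY[$role] ?? [] as $child) {
            $queue[] = $child;
        }
    }
    return array_keys($reachable);
}
/** Evaluate the first matching rule; null means no rule matched the path. */
function isAllowed(string $path, array $userRoles): ?bool
{
    foreach (ACCESS_CONTROL as $rule) {
        if (preg_match($rule['path'], $path) === 1) {
            return in_array($rule['role'], reachableRoles($userRoles), true);
        }
    }
    return null;
}
// ROLE_ADMIN reaches everything; ROLE_INFOS only gets /admin/information.
foreach ([['ROLE_ADMIN'], ['ROLE_INFOS'], ['ROLE_USER']] as $roles) {
    foreach (['/admin/packages', '/admin/information', '/admin/users'] as $path) {
        printf("%-13s %-18s %s\n", $roles[0], $path, isAllowed($path, $roles) ? 'allow' : 'deny');
    }
}
```

Swapping the ^/admin rule above the two specific ones makes every /admin/... request require ROLE_ADMIN, which is the ordering mistake the model lets you check before deploying the real security.yml.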
