stackoom
  简体   繁体   中英

When should I use the deny access functions in Symfony 4.4 controllers?

 原文  2021-09-27 07:10:31       php/ symfony/ security/ controller/ symfony-4.4

Question

I was wondering how the security works in Symfony. I have in security.yaml this line of code:

# Admins can go to /account-management
- { path: '^/account-managent', roles: [ROLE_ADMIN] }

This deny's access to everyone except users with admin roles going to /account-management and anything after.

Now I have a account management controller. But I am wondering if I ever need to use a deny access function like $this->denyAccessUnlessGranted('ROLE_ADMIN'); or $this->isGranted('ROLE_ADMIN') .

Controller with inline comments: 

/**
 * @Route("/account-management") // Is this class completely protected by security.yaml? Or does it work function specific?
 */
class AccountManagementController extends AbstractController
{
    /**
     * @Route("/{id}", name="account_management_delete", methods={"POST"})
     */
    public function deleteUser()
    {
        // I should not need this here right? Since I already have this configured in my security.yaml.
        // $this->denyAccessUnlessGranted('ROLE_ADMIN');

        # code...
    }

    public function handleUserData()
    {
        // Do I need this here? Since there is no route thing connected with this?
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        # code...
    }
}

So how does the security.yaml work? And when should the deny access functions be used?

1 answers

solution1
 1 ACCPTED  2021-09-27 08:09:22

Let's try to change the POV.

Think about a system where more types of users are involved, eg Admins, Backoffice Operators (boh must be authenticated), and simple users that can access the frontend as anonymous or as authenticated for private content.

You could define a zone (let's call this "authenticated") where both Admins and BO-Operators can access but they have different responsabilities.

Simple Users Can visit the site, register, login to access their personal data, edit profile etc.

BOO They can add content, approve user registration etc.

Admins All the BOO stuffs plus delete Simple Users registration

security.yaml

# Read https://symfony.com/doc/current/security.html#hierarchical-roles
role_hierarchy:
    ROLE_ADMIN: ROLE_BACKOFFICE

access_control:
    - { path: '^/authenticated', roles: [ROLE_BACKOFFICE] }

/**
 * @Route("/authenticated") // It's protected by the firewall defined in security.yaml
 */
class AccountManagementController extends AbstractController
{
    /**
     * @Route("/{id}", name="account_management_delete", methods={"POST"})
     */
    public function deleteUser()
    {
        // As backoffice operators due to role hierarchy can access you should restrict the permissions to Admins
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        # code...
    }

    public function handleUserData()
    {
        // No control except the firewall needed as BOO can already access
    }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question when should i use multiple controllers in mvc? Should i use Sleep() or just deny them Testing Controllers in Symfony 4.4 while using annotations Deny access if user is not confirmed on Symfony Access Container in Symfony controllers Symfony2 reusable functions in controllers Deny access to ROLE_ADMIN symfony Deny access in Symfony method unless you are in localhost how to deny access to controller functions in codeigniter framework Syntax error when I change anything in my Controllers Symfony 4
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM