
Sonata Admin: Let users only edit entities they own (ACL)

I have Sonata Admin set up with ACLs. I have different users, groups and permissions which work fine. To achieve this, I followed the Sonata Admin documentation on ACLs.

So here is my question: What is a clean way to ensure that backend (admin) users can only view, edit and delete the entities they created with Symfony's and Sonata Admin's built-in ACL mechanisms? Sonata Admin automatically stores the owner (creator) of the object once it is persisted in the ACL tables (from the Sonata docs):

Owner: when an object is created, the currently logged in user is set as owner for that object and is granted all access for that object;

The same question has already been answered on Stack Overflow, but the answer does not explain in detail how to solve it with ACLs.

There is a new Symfony bundle doing just that: https://github.com/coopTilleuls/CoopTilleulsAclSonataAdminExtensionBundle

All you need to do is enable ACL in Sonata Admin, install the bundle and activate it. Pretty easy and effective, I use it in my Symfony2 project with Sonata Admin 2.2.

I saw 2 ways to do that:

I was not able to do any of these for doing the very simple thing that I needed, but I think this is the idea.

Actually this is one of many Symfony things on which I spent many hours and thousands of lines of code without big success... Such simple needs should not be as much pain in the arse...

Don't grant the EDIT permission to the users. They can edit the instances they own but not others' instances.

I use this configuration:

#app/config/config.yml
sonata_admin:
    security:
        information:
            STAFF:    [VIEW, LIST, CREATE]
            EDITOR:   [OPERATOR, EXPORT]
            ADMIN:    [MASTER]

Documentation
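As an added example (not code from the question, the answers or Sonata itself), the following Python model re-implements the mask arithmetic Symfony's ACL applies to this `information` block, so you can see why withholding EDIT from STAFF yields owner-only editing, and why OPERATOR (the EDITOR role here) still implies EDIT on everybody's objects. The mask constants and permission map mirror Symfony's MaskBuilder/BasicPermissionMap and Sonata's LIST/EXPORT additions; the users and the post are constructed sample data.

```python
# Added model of the Symfony ACL mask arithmetic behind the config above
# (not Sonata's or Symfony's code). Constants mirror Symfony's
# Acl\Permission\MaskBuilder plus Sonata's LIST/EXPORT additions.
MASK = {
    "VIEW": 1, "CREATE": 2, "EDIT": 4, "DELETE": 8, "UNDELETE": 16,
    "OPERATOR": 32, "MASTER": 64, "OWNER": 128, "LIST": 4096, "EXPORT": 8192,
}
# Permission map: an ACE satisfies a permission if it carries every bit of
# any one candidate mask (Symfony's default "all" granting strategy).
PERMISSION_MAP = {
    "VIEW":   ["VIEW", "EDIT", "OPERATOR", "MASTER", "OWNER"],
    "LIST":   ["LIST", "OPERATOR", "MASTER", "OWNER"],
    "CREATE": ["CREATE", "OPERATOR", "MASTER", "OWNER"],
    "EDIT":   ["EDIT", "OPERATOR", "MASTER", "OWNER"],
    "DELETE": ["DELETE", "OPERATOR", "MASTER", "OWNER"],
    "EXPORT": ["EXPORT", "OPERATOR", "MASTER", "OWNER"],
}
# The answer's sonata_admin.security.information block: one class ACE per role.
INFORMATION = {
    "STAFF":  ["VIEW", "LIST", "CREATE"],
    "EDITOR": ["OPERATOR", "EXPORT"],
    "ADMIN":  ["MASTER"],
}

def role_mask(role):
    """Bitmask Sonata builds for a role from its permission names."""
    mask = 0
    for permission in INFORMATION[role]:
        mask |= MASK[permission]
    return mask

def ace_grants(ace_mask, permission):
    """True if an ACE carrying ace_mask satisfies the requested permission."""
    return any(ace_mask & MASK[c] == MASK[c] for c in PERMISSION_MAP[permission])

def is_granted(user, obj, permission):
    """Object ACEs are consulted before class (role) ACEs. Sonata writes an
    object ACE granting MASK_OWNER to the creator on persist; roles only
    have class ACEs, so a role without EDIT cannot touch others' objects."""
    if obj["owner"] == user["name"] and ace_grants(MASK["OWNER"], permission):
        return True
    return any(ace_grants(role_mask(r), permission) for r in user["roles"])

# Constructed sample users and object (not from the page).
ALICE = {"name": "alice", "roles": ["STAFF"]}
BOB = {"name": "bob", "roles": ["STAFF"]}
CAROL = {"name": "carol", "roles": ["EDITOR"]}  # OPERATOR implies EDIT everywhere
POST = {"id": 1, "owner": "alice"}
```

Note that the list view is not filtered by these checks in Sonata Admin 2.x; that is what the bundle from the first answer adds on top of the role configuration.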
