Symfony Security Authorization

There are several ways to enforce authorization in a Symfony application.

The first is in app/config/security.yml, at the same level as the firewalls key:

access_control:
        - { path: ^/admin, roles: ROLE_USER }

This denies every request whose path matches the regular expression ^/admin to users who do not have ROLE_USER: an anonymous visitor is sent to the login entry point, an authenticated user without the role gets a 403. Rules under access_control are evaluated top to bottom and only the first matching rule is applied, so list more specific paths before broader ones.

The second option is to check inside a controller. Inside the action method insert:

    if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
        throw $this->createAccessDeniedException('GET OUT!');
    }

Or, more concisely, with the shortcut provided by the base Controller class:

$this->denyAccessUnlessGranted('ROLE_ADMIN');

Both forms deny access to this action to any user without ROLE_ADMIN. createAccessDeniedException() returns an AccessDeniedException; throwing it lets the firewall turn it into a 403 response for an authenticated user, or a redirect to the login page for an anonymous one.

You can also use the @Security annotation from SensioFrameworkExtraBundle (included in the Symfony Standard Edition). Import it with use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; and put it on the action:

/**
 * @Security("is_granted('ROLE_ADMIN')")
 */

The annotation also works on the controller class itself; then every action in that class denies users who lack ROLE_ADMIN. The expression is evaluated before the action runs, and a failing expression throws the same AccessDeniedException as the checks above.

Dynamic Roles

If you need the ability to assign different permissions to different users, you need to go a little further. In the User entity (which must implement Symfony\Component\Security\Core\User\UserInterface) add:

    use Doctrine\ORM\Mapping as ORM;

    /**
     * Roles stored per user. The column holds a JSON-encoded array,
     * e.g. ["ROLE_ADMIN"].
     *
     * @ORM\Column(type="json_array")
     */
    private $roles = [];

    /**
     * Called by Symfony on every request. It must return at least one role,
     * so ROLE_USER is always added even when the column is empty.
     *
     * @return string[]
     */
    public function getRoles()
    {
        $roles = $this->roles;
        if (!in_array('ROLE_USER', $roles, true)) {
            $roles[] = 'ROLE_USER';
        }

        return $roles;
    }

    /**
     * @param string[] $roles
     */
    public function setRoles(array $roles)
    {
        $this->roles = $roles;
    }

Then generate and run the migration for the new column:

# php bin/console doctrine:migrations:diff
# php bin/console doctrine:migrations:migrate
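
As an added example (not code from the original post) of what the roles column is for, here is a User entity that implements UserInterface with that column, together with an admin action that grants a role. The AppBundle namespace and the json_array column come from the post; the route, the CSRF token id "grant_role", the redirect target admin_user_show and the whitelist of assignable roles are assumptions made for the example. The point of the whitelist: a role name that arrives in a request must never be written to the column unchecked, otherwise anyone who can submit the form (or forge the request) could hand out ROLE_ALLOWED_TO_SWITCH.

```php
<?php
// Added example, not code from the original post.
// File 1: src/AppBundle/Entity/User.php
namespace AppBundle\Entity;

use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * @ORM\Entity
 */
class User implements UserInterface
{
    /** Roles an admin may hand out (assumption for this example).
     *  ROLE_ALLOWED_TO_SWITCH is deliberately not on the list. */
    const ASSIGNABLE_ROLES = ['ROLE_MANAGE_GENUS', 'ROLE_ADMIN'];

    /** @ORM\Id @ORM\GeneratedValue @ORM\Column(type="integer") */
    private $id;

    /** @ORM\Column(type="string", length=255, unique=true) */
    private $email;

    /** @ORM\Column(type="string", length=255) */
    private $password;

    /** @ORM\Column(type="json_array") */
    private $roles = [];

    public function getId()       { return $this->id; }
    public function getUsername() { return $this->email; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return null; }   // bcrypt embeds its own salt
    public function eraseCredentials() {}

    /** Always includes ROLE_USER, so an authenticated user is never role-less. */
    public function getRoles()
    {
        return array_values(array_unique(array_merge($this->roles, ['ROLE_USER'])));
    }

    /** Adds a whitelisted role; returns false if the user already had it. */
    public function grantRole($role)
    {
        if (!in_array($role, self::ASSIGNABLE_ROLES, true)) {
            throw new \InvalidArgumentException(sprintf('Role "%s" cannot be assigned.', $role));
        }
        if (in_array($role, $this->roles, true)) {
            return false;
        }
        $this->roles[] = $role;

        return true;
    }
}

// File 2: src/AppBundle/Controller/UserAdminController.php
namespace AppBundle\Controller;

use AppBundle\Entity\User;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

/**
 * Class-level check: nothing in here is reachable without ROLE_ADMIN.
 *
 * @Security("is_granted('ROLE_ADMIN')")
 */
class UserAdminController extends Controller
{
    /**
     * @Route("/admin/users/{id}/roles", name="admin_user_grant_role")
     * @Method("POST")
     */
    public function grantRoleAction(Request $request, User $user)
    {
        // A state change, so require a CSRF token in addition to the role.
        if (!$this->isCsrfTokenValid('grant_role', $request->request->get('_token'))) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        try {
            $user->grantRole($request->request->get('role', ''));
        } catch (\InvalidArgumentException $e) {
            throw new BadRequestHttpException($e->getMessage());
        }
        $this->getDoctrine()->getManager()->flush();

        // admin_user_show is an assumed route name
        return $this->redirectToRoute('admin_user_show', ['id' => $user->getId()]);
    }
}
```

The whitelist lives on the entity rather than in the controller so that every code path that writes roles (a console command, a fixture, a future API) goes through the same check.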

Security check in Twig

Example:

Welcome {{ app.user ? app.user.email : 'Bro' }}!

{% if is_granted('ROLE_USER') %}
    Logout
{% else %}
    Login
{% endif %}

app.user is null for an anonymous visitor, which is why the greeting is guarded with a ternary. is_granted() in Twig goes through the same authorization checker as the controller, so the role hierarchy below applies here as well.

Role Hierarchy

If you have many sections that have to be accessed by many different types of users, name one role per permission and let the broader roles inherit them.

In security.yml, at the same level as the firewalls key:

role_hierarchy:
        ROLE_ADMIN: [ROLE_MANAGE_GENUS]

This means every user who has ROLE_ADMIN is also granted ROLE_MANAGE_GENUS. To the controller class add the annotation:

/**
 * @Security("is_granted('ROLE_MANAGE_GENUS')")
 */

That is how you give a specific permission to a role. Note that the hierarchy is only applied by is_granted() and access_control: $user->getRoles() still returns exactly the roles stored on the entity, so never check permissions with in_array() on that array.

Impersonation

Switching users is really simple in Symfony. In security.yml, at the same level as the anonymous key of the main firewall, add switch_user:

main:
            anonymous: ~
            guard:
                authenticators:
                    - app.security.login_form_authenticator

            logout:
                path: /logout

            switch_user: ~

You also need to grant permission to switch users by adding ROLE_ALLOWED_TO_SWITCH. This extends the role_hierarchy key from the previous section rather than adding a second one:

role_hierarchy:
        ROLE_ADMIN: [ROLE_MANAGE_GENUS, ROLE_ALLOWED_TO_SWITCH]
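
Because the post shows role_hierarchy twice and the firewall only in part, here is the whole security.yml that the fragments add up to, as an added example (not the post's own file). Everything in it follows from the fragments above except the encoders entry, the dev firewall and the ^/login rule, which are assumptions; the switch_user options are written out with their default values so the choices are visible.

```yaml
# app/config/security.yml (added example; the original post shows only fragments)
security:
    encoders:
        AppBundle\Entity\User: bcrypt          # assumption: the post never shows the encoder

    providers:
        our_users:
            entity: { class: AppBundle\Entity\User, property: email }

    # Exactly one role_hierarchy key; a second one later in the file would
    # overwrite this one. Granting ROLE_ALLOWED_TO_SWITCH here makes every
    # ROLE_ADMIN an impersonator; a separate, smaller role is the safer choice.
    role_hierarchy:
        ROLE_ADMIN: [ROLE_MANAGE_GENUS, ROLE_ALLOWED_TO_SWITCH]

    firewalls:
        dev:                                   # assumption: standard-edition dev firewall
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            guard:
                authenticators:
                    - app.security.login_form_authenticator
            logout:
                path: /logout
            switch_user:
                role: ROLE_ALLOWED_TO_SWITCH   # default: the role required to switch
                parameter: _switch_user        # default: the query parameter name

    # Evaluated top to bottom, first match wins: most specific paths first.
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }   # assumption: login route
        - { path: ^/admin/users, roles: ROLE_ADMIN }
        - { path: ^/admin, roles: ROLE_USER }
```

If the ^/admin/users rule were listed after ^/admin, it would never be reached and user management would be open to every ROLE_USER.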
    

Make sure the entity user provider is configured:

providers:
        our_users:
            entity: { class: AppBundle\Entity\User, property: email }

The property is the column that the value of _switch_user is looked up against, so here users are impersonated by email address.

To switch users, append ?_switch_user= and the email of the user you want to impersonate to any URL behind the firewall:

?_switch_user=example@gmail.com

While impersonating, the session carries the target user's roles plus ROLE_PREVIOUS_ADMIN, so a template can show an exit link guarded by is_granted('ROLE_PREVIOUS_ADMIN'). To stop impersonating, add to any URL:

?_switch_user=_exit

Treat ROLE_ALLOWED_TO_SWITCH as the most sensitive role in the application: whoever holds it can act as any other user, including other administrators, and the switch is triggered by a plain GET parameter. Grant it to as few accounts as possible and log every switch.
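
Because the switch is triggered by a GET parameter and leaves no trace in the application's own records, here is an added example (not from the original post) of an audit listener that writes every switch, in and out, to the log. Symfony dispatches security.switch_user (SecurityEvents::SWITCH_USER) with a SwitchUserEvent for both directions; the service id and the use of the default logger service are assumptions made for the example.

```php
<?php
// Added example, not code from the original post:
// src/AppBundle/EventListener/SwitchUserLogger.php
namespace AppBundle\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;

class SwitchUserLogger
{
    private $logger;
    private $tokenStorage;

    public function __construct(LoggerInterface $logger, TokenStorageInterface $tokenStorage)
    {
        $this->logger = $logger;
        $this->tokenStorage = $tokenStorage;
    }

    /**
     * Fired for ?_switch_user=<email> and for ?_switch_user=_exit.
     * The event is dispatched before the token is replaced, so on entry the
     * current token is the impersonator and the target is the victim; on exit
     * the current token is the impersonated user and the target is the
     * account being returned to.
     */
    public function onSwitchUser(SwitchUserEvent $event)
    {
        $request = $event->getRequest();
        $token   = $this->tokenStorage->getToken();
        $exiting = '_exit' === $request->query->get('_switch_user');

        $this->logger->notice($exiting ? 'Impersonation ended' : 'Impersonation started', [
            'current_user' => $token ? $token->getUsername() : null,
            'target_user'  => $event->getTargetUser()->getUsername(),
            'client_ip'    => $request->getClientIp(),
            'uri'          => $request->getUri(),
        ]);
    }
}

/*
Register it in app/config/services.yml (the service id is an assumption):

services:
    app.security.switch_user_logger:
        class: AppBundle\EventListener\SwitchUserLogger
        arguments: ['@logger', '@security.token_storage']
        tags:
            - { name: kernel.event_listener, event: security.switch_user, method: onSwitchUser }
*/
```

The log line is also the place to alert from: a switch that originates from an unexpected network, or an account switching into another ROLE_ADMIN holder, is worth a detection rule.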
    
