There are several way to make authorization on your site with Symfony.
First is in your security.yml on the same level as firewalls tag:
access_control: - { path: ^/admin, roles: ROLE_USER }
This will block all users that don’t have ‘ROLE_USER’ to admin page.
Second option is to use Controller. Inside Method insert:
if(!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')){ throw $this->createAccessDeniedException('GET OUT!'); }
Or like this:
$this->denyAccessUnlessGranted('ROLE_ADMIN');
This will deny access to all users that don’t have ‘ROLE_ADMIN’ to this method.
You can also use annotations:
/** * @Security("is_granted('ROLE_ADMIN')") */
Annotations also work if you add them to the Class. So they will block all users that don’t have ‘ROLE_ADMIN’ to this class.
Dynamic Roles
If you need ability to assign different permissions to different users you need to go little further. In User Entity add:
/** * @ORM\Column(type="json_array") */ private $roles = []; /** * @return array */ public function getRoles() { $roles = $this->roles; if (!in_array('ROLE_USER', $roles)) { $roles[] = 'ROLE_USER'; } return $roles; } /** * @param mixed $roles */ public function setRoles($roles) { $this->roles = $roles; }
Generate the migration for new field.
# php bin/console doctrine:migrations:diff # php bin/console doctrine:migrations:migrate
Security check in Twig
Example:
Welcome {{ app.user ? app.user.email : 'Bro'}}!
{% if is_granted('ROLE_USER') %}
Role Hierarchy
If you have many different sections that have to be accessed by many different types of users.
In security.yml on the same level as firewalls tag:
role_hierarchy: ROLE_ADMIN: [ROLE_MANAGE_GENUS]
To Controller class add annotation:
/** * @Security("is_granted('ROLE_MANAGE_GENUS')") */
That is how you can give different permissions to a specific role.
Impersonation
Switching user is really simple Symfony. In security.yml on the same level as anonymous tag in main section, add switch_user:
main: anonymous: ~ guard: authenticators: - app.security.login_form_authenticator logout: path: /logout switch_user: ~
Also you need to give permission to switch users by adding ROLE_ALLOWED_TO_SWITCH:
role_hierarchy: ROLE_ADMIN: [ROLE_MANAGE_GENUS, ROLE_ALLOWED_TO_SWITCH]
Make sure that you have configured the Entity user provider section:
providers: our_users: entity: { class: AppBundle\Entity\User, property: email }
The property sets the field by what we want to be impersonated.
To switch user add to URL ?_switch_user= and the email of the user you want to impersonate.
?_switch_user=example@gmail.com
To stop impersonation add to any URL:
?_switch_user=_exit