Fixed the sample security voter to take into account the role hierarchy #5024
@@ -140,13 +140,22 @@ the same ``getAuthorEmail`` logic you used above: | |
|
||
use Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter; | ||
use Symfony\Component\Security\Core\User\UserInterface; | ||
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface; | ||
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; | ||
|
||
// AbstractVoter class requires Symfony 2.6 or higher version | ||
class PostVoter extends AbstractVoter | ||
{ | ||
const CREATE = 'create'; | ||
const EDIT = 'edit'; | ||
|
||
protected $roleHierarchy; | ||
|
||
public function __construct(RoleHierarchyInterface $roleHierarchy) | ||
{ | ||
$this->roleHierarchy = $roleHirarchy; | ||
typo:
||
} | ||
|
||
protected function getSupportedAttributes() | ||
{ | ||
return array(self::CREATE, self::EDIT); | ||
|
@@ -163,7 +172,7 @@ the same ``getAuthorEmail`` logic you used above: | |
return false; | ||
} | ||
|
||
if ($attribute === self::CREATE && in_array('ROLE_ADMIN', $user->getRoles(), true)) { | ||
if ($attribute === self::CREATE && $this->hasRole('ROLE_ADMIN', $user)) { | ||
return true; | ||
} | ||
|
||
|
@@ -173,6 +182,21 @@ the same ``getAuthorEmail`` logic you used above: | |
|
||
return false; | ||
} | ||
|
||
/** | ||
* Checks if the user token has the given role taking into account the | ||
* entire role hierarchy defined by the application. | ||
[...] hierarchy if defined [...] or [...] hierarchy as defined [...]?
||
*/ | ||
protected function hasRole($roleName, TokenInterface $userToken) | ||
wouldn't
And it should be
||
{ | ||
foreach ($this->roleHierarchy->getReachableRoles($userToken->getRoles()) as $role) { | ||
if ($roleName === $role->getRole()) { | ||
return true; | ||
} | ||
} | ||
|
||
return false; | ||
} | ||
} | ||
|
||
To enable the security voter in the application, define a new service: | ||
|
@@ -184,6 +208,7 @@ To enable the security voter in the application, define a new service: | |
# ... | ||
post_voter: | ||
class: AppBundle\Security\PostVoter | ||
arguments: ["@security.role_hierarchy"] | ||
public: false | ||
tags: | ||
- { name: security.voter } | ||
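Review bot: `hasRole()` is type-hinted `TokenInterface $userToken` in the last PHP hunk, but its only call site, `$this->hasRole('ROLE_ADMIN', $user)` in the `isGranted()` hunk, passes `$user`, which the replaced line `in_array('ROLE_ADMIN', $user->getRoles(), true)` and the `UserInterface` import indicate is the user object rather than the security token; PHP would then reject the argument with a fatal error on every admin "create" check, turning the authorization decision into an outage instead of a grant. `isGranted()` starts outside the hunk so I cannot see where `$user` comes from, but as far as I recall AbstractVoter hands `isGranted()` the user, not the token, so the token is simply not available here. A safe fix is to accept `UserInterface $user` and normalise the user's roles to `Role` objects before calling `getReachableRoles()`, because the role hierarchy resolves entries by calling `getRole()` on each while `UserInterface::getRoles()` may return plain strings; this needs `use Symfony\Component\Security\Core\Role\Role;` next to the existing imports. Whichever form is chosen, a one-line comment above the call, such as `// resolved through the role hierarchy, so roles that inherit ROLE_ADMIN also pass`, would make the point of this change visible to readers of the chapter.

```php
    /**
     * Checks if the user has the given role, taking into account the
     * role hierarchy defined by the application.
     */
    protected function hasRole($roleName, UserInterface $user)
    {
        // getReachableRoles() works on RoleInterface objects; users may store plain strings
        $roles = array();
        foreach ($user->getRoles() as $role) {
            $roles[] = is_string($role) ? new Role($role) : $role;
        }

        foreach ($this->roleHierarchy->getReachableRoles($roles) as $role) {
            if ($roleName === $role->getRole()) {
                return true;
            }
        }

        return false;
    }
```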
|
We should make this `private`.