8000 Fixed the sample security voter to take into account the role hierarchy by javiereguiluz · Pull Request #5024 · symfony/symfony-docs · GitHub
[go: up one dir, main page]

Skip to content

Fixed the sample security voter to take into account the role hierarchy #5024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 6 commits into from
Closed
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Fixed the sample security voter to take into account the role hierarchy
  • Loading branch information
javiereguiluz committed Feb 19, 2015
commit e6b10e92f90ed81210149d5ca65688d10b8770be
27 changes: 26 additions & 1 deletion best_practices/security.rst
Original file line number Diff line number Diff line change
Expand Up @@ -140,13 +140,22 @@ the same ``getAuthorEmail`` logic you used above:

use Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

// AbstractVoter class requires Symfony 2.6 or higher version
class PostVoter extends AbstractVoter
{
const CREATE = 'create';
const EDIT = 'edit';

protected $roleHierarchy;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should make this private.


public function __construct(RoleHierarchyInterface $roleHierarchy)
{
$this->roleHierarchy = $roleHirarchy;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: $roleHirarchy

}

protected function getSupportedAttributes()
{
return array(self::CREATE, self::EDIT);
Expand All @@ -163,7 +172,7 @@ the same ``getAuthorEmail`` logic you used above:
return false;
}

if ($attribute === self::CREATE && in_array('ROLE_ADMIN', $user->getRoles(), true)) {
if ($attribute === self::CREATE && $this->hasRole('ROLE_ADMIN', $user)) {
return true;
}

Expand All @@ -173,6 +182,21 @@ the same ``getAuthorEmail`` logic you used above:

return false;
}

/**
* Checks if the user token has the given role taking into account the
* entire role hierarchy defined by the application.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[...] hierarchy if defined [...] or [...] hierarchy as defined [...]?

*/
protected function hasRole($roleName, TokenInterface $userToken)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't userHasRole be a better name. It now looks like a hasser/isser of the class itself

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And it should be private imho.

{
foreach ($this->roleHierarchy->getReachableRoles($userToken->getRoles()) as $role) {
if ($roleName === $role->getRole()) {
return true;
}
}

return false;
}
}

To enable the security voter in the application, define a new service:
Expand All @@ -184,6 +208,7 @@ To enable the security voter in the application, define a new service:
# ...
post_voter:
class: AppBundle\Security\PostVoter
arguments: ["@security.role_hierarchy"]
public: false
tags:
- { name: security.voter }
Expand Down
0