Fixed the sample security voter to take into account the role hierarchy

symfony · javiereguiluz · Feb 19, 2015 · Feb 19, 2015 · Feb 21, 2015 · Feb 23, 2015
commit e6b10e92f90ed81210149d5ca65688d10b8770be
diff --git a/best_practices/security.rst b/best_practices/security.rst
@@ -140,13 +140,22 @@ the same ``getAuthorEmail`` logic you used above:
 
     use Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter;
     use Symfony\Component\Security\Core\User\UserInterface;
+    use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
+    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
     // AbstractVoter class requires Symfony 2.6 or higher version
     class PostVoter extends AbstractVoter
     {
         const CREATE = 'create';
         const EDIT   = 'edit';
 
+        protected $roleHierarchy;
+
+        public function __construct(RoleHierarchyInterface $roleHierarchy)
+        {
+            $this->roleHierarchy = $roleHirarchy;
+        }
+
         protected function getSupportedAttributes()
         {
             return array(self::CREATE, self::EDIT);
@@ -163,7 +172,7 @@ the same ``getAuthorEmail`` logic you used above:
                 return false;
             }
 
-            if ($attribute === self::CREATE && in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            if ($attribute === self::CREATE && $this->hasRole('ROLE_ADMIN', $user)) {
                 return true;
             }
 
@@ -173,6 +182,21 @@ the same ``getAuthorEmail`` logic you used above:
 
             return false;
         }
+
+        /**
+         * Checks if the user token has the given role taking into account the
+         * entire role hierarchy defined by the application.
+         */
+        protected function hasRole($roleName, TokenInterface $userToken)
+        {
+            foreach ($this->roleHierarchy->getReachableRoles($userToken->getRoles()) as $role) {
+                if ($roleName === $role->getRole()) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
     }
 
 To enable the security voter in the application, define a new service:
@@ -184,6 +208,7 @@ To enable the security voter in the application, define a new service:
         # ...
         post_voter:
             class:      AppBundle\Security\PostVoter
+            arguments:  ["@security.role_hierarchy"]
             public:     false
             tags:
                - { name: security.voter }