|
|
@@ -123,7 +123,7 @@ EXPORT (for the native Sonata export links)
|
|
|
Each permission is relative to an admin: if you try to get a list in FooAdmin (declared as ``app.admin.foo``
|
|
|
service), Sonata will check if the user has the ``ROLE_APP_ADMIN_FOO_EDIT`` role.
|
|
|
|
|
|
-The role name will be based on the name of your admin service. For instance, `acme.blog.post.admin` will become `ROLE_ACME_BLOG_POST_ADMIN_{ACTION}`.
|
|
|
+The role name will be based on the name of your admin service. For instance, ``acme.blog.post.admin`` will become ``ROLE_ACME_BLOG_POST_ADMIN_{ACTION}``.
|
|
|
|
|
|
So our ``security.yml`` file may look to something like this:
|
|
|
|
|
|
@@ -170,7 +170,7 @@ You can now test if a user is authorized from an Admin class:
|
|
|
.. code-block:: php
|
|
|
|
|
|
if ($this->isGranted('LIST')) {
|
|
|
- ...
|
|
|
+ // ...
|
|
|
}
|
|
|
|
|
|
From a controller extending ``Sonata\AdminBundle\Controller\CRUDController``:
|
|
|
@@ -178,7 +178,7 @@ From a controller extending ``Sonata\AdminBundle\Controller\CRUDController``:
|
|
|
.. code-block:: php
|
|
|
|
|
|
if ($this->admin->isGranted('LIST')) {
|
|
|
- ...
|
|
|
+ // ...
|
|
|
}
|
|
|
|
|
|
Or from a Twig template:
|
|
|
@@ -215,13 +215,12 @@ Then declare your handler as a service:
|
|
|
|
|
|
.. code-block:: xml
|
|
|
|
|
|
- <services>
|
|
|
- <service id="aapp.security.handler.role" class="AppBundle\Security\Handler\RoleSecurityHandler" public="false">
|
|
|
- <argument type="service" id="security.context" on-invalid="null" />
|
|
|
- <argument type="collection">
|
|
|
- <argument>ROLE_SUPER_ADMIN</argument>
|
|
|
- </argument>
|
|
|
- </service>
|
|
|
+ <service id="app.security.handler.role" class="AppBundle\Security\Handler\RoleSecurityHandler" public="false">
|
|
|
+ <argument type="service" id="security.context" on-invalid="null" />
|
|
|
+ <argument type="collection">
|
|
|
+ <argument>ROLE_SUPER_ADMIN</argument>
|
|
|
+ </argument>
|
|
|
+ </service>
|
|
|
|
|
|
And specify it as Sonata security handler on your configuration:
|
|
|
|
|
|
@@ -601,7 +600,7 @@ because for example you want to restrict access using extra rules:
|
|
|
security:
|
|
|
access_decision_manager:
|
|
|
|
|
|
- # Strategy can be: affirmative, unanimous or consensus
|
|
|
+ # strategy value can be: affirmative, unanimous or consensus
|
|
|
strategy: unanimous
|
|
|
|
|
|
- to make this work the permission needs to be checked using the Object ACL
|
|
|
@@ -610,7 +609,9 @@ because for example you want to restrict access using extra rules:
|
|
|
|
|
|
.. code-block:: html+jinja
|
|
|
|
|
|
- {% if admin.isGranted('EDIT', user_object) %} {# ... #} {% endif %}
|
|
|
+ {% if admin.isGranted('EDIT', user_object) %}
|
|
|
+ {# ... #}
|
|
|
+ {% endif %}
|
|
|
|
|
|
- because the object ACL permission is checked, the ACL for the object must
|
|
|
have been created, otherwise the ``AclVoter`` will deny ``EDIT`` access
|
|
|
@@ -633,10 +634,14 @@ In the templates, or in your code, you can use the Admin method ``isGranted()``:
|
|
|
.. code-block:: html+jinja
|
|
|
|
|
|
{# use the admin security method #}
|
|
|
- {% if admin.isGranted('EDIT') %} {# ... #} {% endif %}
|
|
|
+ {% if admin.isGranted('EDIT') %}
|
|
|
+ {# ... #}
|
|
|
+ {% endif %}
|
|
|
|
|
|
{# or use the default is_granted Symfony helper, the following will give the same result #}
|
|
|
- {% if is_granted('ROLE_SUPER_ADMIN') or is_granted('EDIT', admin) %} {# ... #} {% endif %}
|
|
|
+ {% if is_granted('ROLE_SUPER_ADMIN') or is_granted('EDIT', admin) %}
|
|
|
+ {# ... #}
|
|
|
+ {% endif %}
|
|
|
|
|
|
- check for an admin that the user is allowed to ``DELETE``, the object is added
|
|
|
to also check if the object owner is allowed to ``DELETE``:
|
|
|
@@ -644,10 +649,14 @@ In the templates, or in your code, you can use the Admin method ``isGranted()``:
|
|
|
.. code-block:: html+jinja
|
|
|
|
|
|
{# use the admin security method #}
|
|
|
- {% if admin.isGranted('DELETE', object) %} {# ... #} {% endif %}
|
|
|
+ {% if admin.isGranted('DELETE', object) %}
|
|
|
+ {# ... #}
|
|
|
+ {% endif %}
|
|
|
|
|
|
{# or use the default is_granted Symfony helper, the following will give the same result #}
|
|
|
- {% if is_granted('ROLE_SUPER_ADMIN') or is_granted('DELETE', object) %} {# ... #} {% endif %}
|
|
|
+ {% if is_granted('ROLE_SUPER_ADMIN') or is_granted('DELETE', object) %}
|
|
|
+ {# ... #}
|
|
|
+ {% endif %}
|
|
|
|
|
|
List filtering
|
|
|
~~~~~~~~~~~~~~
|
|
|
@@ -681,7 +690,7 @@ By default, the ACL editor allows to set permissions for all users managed by
|
|
|
``FOSUserBundle``.
|
|
|
|
|
|
To customize displayed user override
|
|
|
-`Sonata\AdminBundle\Controller\CRUDController::getAclUsers()`. This method must
|
|
|
+``Sonata\AdminBundle\Controller\CRUDController::getAclUsers()``. This method must
|
|
|
return an iterable collection of users.
|
|
|
|
|
|
.. code-block:: php
|
|
|
@@ -711,7 +720,10 @@ return an iterable collection of roles.
|
|
|
protected function getAclRoles()
|
|
|
{
|
|
|
// Display only ROLE_BAPTISTE and ROLE_HELENE
|
|
|
- $roles = array('ROLE_BAPTISTE', 'ROLE_HELENE');
|
|
|
+ $roles = array(
|
|
|
+ 'ROLE_BAPTISTE',
|
|
|
+ 'ROLE_HELENE'
|
|
|
+ );
|
|
|
|
|
|
return new \ArrayIterator($roles);
|
|
|
}
|
|
|
@@ -734,7 +746,9 @@ service to use when retrieving your users.
|
|
|
|
|
|
sonata_admin:
|
|
|
security:
|
|
|
- acl_user_manager: my_user_manager # The name of your service
|
|
|
+
|
|
|
+ # the name of your service
|
|
|
+ acl_user_manager: my_user_manager
|
|
|
|
|
|
.. _`SonataUserBundle's documentation area`: https://sonata-project.org/bundles/user/master/doc/reference/installation.html
|
|
|
.. _`changing the access decision strategy`: http://symfony.com/doc/2.2/cookbook/security/voters.html#changing-the-access-decision-strategy
|
Thomas