ホーム エクスプローラ ヘルプ
登録 サインイン
3erPartyFlowdat3
/
SonataAdminBundle
2
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: fb1ef76553
ブランチ タグ
SonataAdminB...
/
Resources
/
doc
/
reference
/
security.rst

security.rst 4.8 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 
  1. Security
    2. 

  2. ========
    3. 

  3. 

  4. The current ``AdminBundle`` implementation uses ACL and ROLES to handle permissions.
    5. 

  5. 

  6. If you want an easy way to handle users, please use :
    7. 

  7. 

  8.  - https://github.com/FriendsOfSymfony/UserBundle : handle users and group stored from RDMS or MongoDB
    9. 

  9.  - https://github.com/sonata-project/UserBundle : integrate the ``FriendsOfSymfony/UserBundle`` with
    10. 

  10.    the ``AdminBundle``
    11. 

  11. 

  12. The security integration is a work in progress and have some knows issues :
    13. 

  13.  - ACL permissions are immutables
    14. 

  14.  - Only one PermissionMap can be defined
    15. 

  15. 

  16. 

  17. Configuration
    18. 

  18. -------------
    19. 

  19. 

  20. 

  21.     - The following configuration defines :
    22. 

  22. 

  23.         - the ``FriendsOfSymfony/UserBundle`` as a security provider
    24. 

  24.         - the login form for authentification
    25. 

  25.         - the access control : resources with related required roles, the important part is the admin configuration
    26. 

  26.         - the ``acl`` option enable the ACL.
    27. 

  27. 

  28. .. code-block:: yaml
    29. 

  29. 

  30.     parameters:
    31. 

  31.         # ... other parameters
    32. 

  32.         security.acl.permission.map.class: Sonata\AdminBundle\Security\Acl\Permission\AdminPermissionMap
    33. 

  33. 

  34.     security:
    35. 

  35.         providers:
    36. 

  36.             fos_userbundle:
    37. 

  37.                 id: fos_user.user_manager
    38. 

  38. 

  39.         firewalls:
    40. 

  40.             main:
    41. 

  41.                 pattern:      .*
    42. 

  42.                 form-login:
    43. 

  43.                     provider:       fos_userbundle
    44. 

  44.                     login_path:     /login
    45. 

  45.                     use_forward:    false
    46. 

  46.                     check_path:     /login_check
    47. 

  47.                     failure_path:   null
    48. 

  48.                 logout:       true
    49. 

  49.                 anonymous:    true
    50. 

  50. 

  51.         access_control:
    52. 

  52.             # The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
    53. 

  53.             - { path: ^/wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    54. 

  54.             - { path: ^/profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    55. 

  55. 

  56.             # AsseticBundle paths used when using the controller for assets
    57. 

  57.             - { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    58. 

  58.             - { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    59. 

  59. 

  60.             # URL of FOSUserBundle which need to be available to anonymous users
    61. 

  61.             - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    62. 

  62.             - { path: ^/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY } # for the case of a failed login
    63. 

  63.             - { path: ^/user/new$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    64. 

  64.             - { path: ^/user/check-confirmation-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    65. 

  65.             - { path: ^/user/confirm/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    66. 

  66.             - { path: ^/user/confirmed$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    67. 

  67.             - { path: ^/user/request-reset-password$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    68. 

  68.             - { path: ^/user/send-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    69. 

  69.             - { path: ^/user/check-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    70. 

  70.             - { path: ^/user/reset-password/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    71. 

  71. 

  72.             # Secured part of the site
    73. 

  73.             # This config requires being logged for the whole site and having the admin role for the admin part.
    74. 

  74.             # Change these rules to adapt them to your needs
    75. 

  75.             - { path: ^/admin/, role: ROLE_ADMIN }
    76. 

  76.             - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
    77. 

  77. 

  78. 

  79.         role_hierarchy:
    80. 

  80.             ROLE_ADMIN:       ROLE_USER
    81. 

  81.             ROLE_SUPERADMIN: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    82. 

  82. 

  83.         acl:
    84. 

  84.             connection: default
    85. 

  85. 

  86. - Install the ACL tables ``php app/console init:acl``
    87. 

  87. 

  88. - Create a new user :
    89. 

  89. 

  90. .. code-block::
    91. 

  91. 

  92.     # php app/console fos:user:create
    93. 

  93.     Please choose a username:root
    94. 

  94.     Please choose an email:root@domain.com
    95. 

  95.     Please choose a password:root
    96. 

  96.     Created user root
    97. 

  97. 

  98. 

  99. - Promote an user as super admin :
    100. 

  100. 

  101. .. code-block::
    102. 

  102. 

  103.     # php app/console fos:user:promote root
    104. 

  104.     User "root" has been promoted as a super administrator.
    105. 

  105. 

  106. If you have Admin classes, you can install the related CRUD ACL rules :
    107. 

  107. 

  108. .. code-block::
    109. 

  109. 

  110.     # php app/console sonata:admin:setup-acl
    111. 

  111.     Starting ACL AdminBundle configuration
    112. 

  112.     > install ACL for sonata.media.admin.media
    113. 

  113.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_EDIT, ACL: ["EDIT"]
    114. 

  114.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_LIST, ACL: ["LIST"]
    115. 

  115.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_CREATE, ACL: ["CREATE"]
    116. 

  116.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_DELETE, ACL: ["DELETE"]
    117. 

  117.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_OPERATOR, ACL: ["OPERATOR"]
    118. 

  118.     ... skipped ...
    119. 

  119. 

  120. If you try to access to the admin class you should see the login form, just logon with the ``root`` user.
    121. 

  121. 

  122. Usage
    123. 

  123. -----
    124. 

  124. 

  125. Everytime you create a new ``Admin`` class, you should create start the command ``php app/console sonata:admin:setup-acl``
    126. 

  126. so the ACL database will be updated with the latest masks and roles informations.
    127.