Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
VendorSoftware
/
SonataAdminBundle
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Árvore: 2053b64a2f
Ramos Etiquetas
SonataAdminB...
/
Resources
/
doc
/
reference
/
security.rst

security.rst 6.3 KB
Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. Security
    2. 

  2. ========
    3. 

  3. 

  4. The security part is managed by a ``SecurityHandler``, the bundle comes with 2 handlers
    5. 

  5. 

  6.   - ``sonata.admin.security.handler.acl`` : ACL and ROLES to handle permissions
    7. 

  7.   - ``sonata.admin.security.handler.noop`` : always returns true, can be used with the Symfony2 firewall
    8. 

  8. 

  9. The default value is ``sonata.admin.security.handler.noop``, if you want to change the default value
    10. 

  10. you can set the ``security_handler`` to ``sonata.admin.security.handler.acl``.
    11. 

  11. 

  12. .. code-block:: yaml
    13. 

  13. 

  14.     # app/config/config.yml
    15. 

  15.     sonata_admin:
    16. 

  16.         security_handler: sonata.admin.security.handler.acl
    17. 

  17. 

  18. The following section explains how to set up ACL with the ``FriendsOfSymfony/UserBundle``.
    19. 

  19. 

  20. ACL and FriendsOfSymfony/UserBundle
    21. 

  21. -----------------------------------
    22. 

  22. 

  23. If you want an easy way to handle users, please use :
    24. 

  24. 

  25.  - https://github.com/FriendsOfSymfony/FOSUserBundle : handle users and groups stored in RDMS or MongoDB
    26. 

  26.  - https://github.com/sonata-project/SonataUserBundle : integrates the ``FriendsOfSymfony/UserBundle`` with
    27. 

  27.    the ``AdminBundle``
    28. 

  28. 

  29. The security integration is a work in progress and has some known issues :
    30. 

  30.  - ACL permissions are immutables
    31. 

  31.  - Only one PermissionMap can be defined
    32. 

  32. 

  33. 

  34. Configuration
    35. 

  35. ~~~~~~~~~~~~~
    36. 

  36. 

  37. Before you can use ``FriendsOfSymfony/FOSUserBundle`` you need to set it up as described in the documentation
    38. 

  38. of the bundle. In step 4 you need to create a User class (in a custom UserBundle). Do it as follows:
    39. 

  39. 

  40. .. code-block:: php
    41. 

  41. 

  42.     <?php
    43. 

  43. 

  44.     namespace Acme\UserBundle\Entity;
    45. 

  45. 

  46.     use Sonata\UserBundle\Entity\BaseUser as BaseUser;
    47. 

  47.     use Doctrine\ORM\Mapping as ORM;
    48. 

  48. 

  49.     /**
    50. 

  50.      * @ORM\Entity
    51. 

  51.      * @ORM\Table(name="fos_user")
    52. 

  52.     \*/
    53. 

  53.     class User extends BaseUser
    54. 

  54.     {
    55. 

  55.         /**
    56. 

  56.          * @ORM\Id
    57. 

  57.          * @ORM\Column(type="integer")
    58. 

  58.          * @ORM\GeneratedValue(strategy="AUTO")
    59. 

  59.          \*/
    60. 

  60.         protected $id;
    61. 

  61. 

  62.         public function __construct()
    63. 

  63.         {
    64. 

  64.             parent::__construct();
    65. 

  65.             // your own logic
    66. 

  66.         }
    67. 

  67.     }
    68. 

  68. 

  69. In your ``app/config/config.yml`` you then need to put the following:
    70. 

  70. 

  71. .. code-block:: yaml
    72. 

  72. 

  73.     fos_user:
    74. 

  74.         db_driver: orm
    75. 

  75.         firewall_name: main
    76. 

  76.         user_class: Acme\UserBundle\Entity\User
    77. 

  77. 

  78. The following configuration for the SonataUserBundle defines:
    79. 

  79. 

  80.     - the ``FriendsOfSymfony/FOSUserBundle`` as a security provider
    81. 

  81.     - the login form for authentification
    82. 

  82.     - the access control : resources with related required roles, the important part is the admin configuration
    83. 

  83.     - the ``acl`` option to enable the ACL.
    84. 

  84. 

  85. In ``app/config/config.yml``:
    86. 

  86. 

  87. .. code-block:: yaml
    88. 

  88. 

  89.     parameters:
    90. 

  90.         # ... other parameters
    91. 

  91.         security.acl.permission.map.class: Sonata\AdminBundle\Security\Acl\Permission\AdminPermissionMap
    92. 

  92. 

  93. In ``app/config/security.yml``:
    94. 

  94. 

  95. .. code-block:: yaml
    96. 

  96. 

  97.     security:
    98. 

  98.         providers:
    99. 

  99.             fos_userbundle:
    100. 

  100.                 id: fos_user.user_manager
    101. 

  101. 

  102.         firewalls:
    103. 

  103.             main:
    104. 

  104.                 pattern:      .*
    105. 

  105.                 form-login:
    106. 

  106.                     provider:       fos_userbundle
    107. 

  107.                     login_path:     /login
    108. 

  108.                     use_forward:    false
    109. 

  109.                     check_path:     /login_check
    110. 

  110.                     failure_path:   null
    111. 

  111.                 logout:       true
    112. 

  112.                 anonymous:    true
    113. 

  113. 

  114.         access_control:
    115. 

  115.             # The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
    116. 

  116.             - { path: ^/wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    117. 

  117.             - { path: ^/profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    118. 

  118. 

  119.             # AsseticBundle paths used when using the controller for assets
    120. 

  120.             - { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    121. 

  121.             - { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    122. 

  122. 

  123.             # URL of FOSUserBundle which need to be available to anonymous users
    124. 

  124.             - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    125. 

  125.             - { path: ^/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY } # for the case of a failed login
    126. 

  126.             - { path: ^/user/new$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    127. 

  127.             - { path: ^/user/check-confirmation-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    128. 

  128.             - { path: ^/user/confirm/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    129. 

  129.             - { path: ^/user/confirmed$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    130. 

  130.             - { path: ^/user/request-reset-password$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    131. 

  131.             - { path: ^/user/send-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    132. 

  132.             - { path: ^/user/check-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    133. 

  133.             - { path: ^/user/reset-password/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    134. 

  134. 

  135.             # Secured part of the site
    136. 

  136.             # This config requires being logged for the whole site and having the admin role for the admin part.
    137. 

  137.             # Change these rules to adapt them to your needs
    138. 

  138.             - { path: ^/admin/, role: ROLE_ADMIN }
    139. 

  139.             - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
    140. 

  140. 

  141. 

  142.         role_hierarchy:
    143. 

  143.             ROLE_ADMIN:       ROLE_USER
    144. 

  144.             ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    145. 

  145. 

  146.         acl:
    147. 

  147.             connection: default
    148. 

  148. 

  149. - Install the ACL tables ``php app/console init:acl``
    150. 

  150. 

  151. - Create a new user :
    152. 

  152. 

  153. .. code-block::
    154. 

  154. 

  155.     # php app/console fos:user:create --super-admin
    156. 

  156.     Please choose a username:root
    157. 

  157.     Please choose an email:root@domain.com
    158. 

  158.     Please choose a password:root
    159. 

  159.     Created user root
    160. 

  160. 

  161. If you have Admin classes, you can install the related CRUD ACL rules :
    162. 

  162. 

  163. .. code-block::
    164. 

  164. 

  165.     # php app/console sonata:admin:setup-acl
    166. 

  166.     Starting ACL AdminBundle configuration
    167. 

  167.     > install ACL for sonata.media.admin.media
    168. 

  168.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_EDIT, ACL: ["EDIT"]
    169. 

  169.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_LIST, ACL: ["LIST"]
    170. 

  170.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_CREATE, ACL: ["CREATE"]
    171. 

  171.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_DELETE, ACL: ["DELETE"]
    172. 

  172.        - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_OPERATOR, ACL: ["OPERATOR"]
    173. 

  173.     ... skipped ...
    174. 

  174. 

  175. If you try to access the admin class you should see the login form, just logon with the ``root`` user.
    176. 

  176. 

  177. Usage
    178. 

  178. ~~~~~
    179. 

  179. 

  180. Everytime you create a new ``Admin`` class, you should create ACL by using the command ``php app/console sonata:admin:setup-acl``
    181. 

  181. so the ACL database will be updated with the latest masks and roles informations.
    182.