Over 32 Symfony2 Security System roles / permissions?

Everything in Symfony2 looks good, but there is one problem, and I cannot find a solution. The problem is that the Symfony2 security component is limited to 30-32 roles / permissions. One of my projects, a project / problem tracking system, will need more than 32 permissions. There are several different system components that must have their own set of permissions. Just because someone has permission to create, read, update, or delete problems does not mean that they have these permissions for projects, steps, etc. Each component will need its own permissions to create, read, update and delete, not to mention specific permissions for specific components, and there is no doubt that I will hit the restriction of 30-32 roles / permissions.

I asked on IRC and the mailing list, with no direction where to go. I would rather be able to simply add this functionality on top of an existing security component (preferably through a kit). I'm not sure how I can achieve more than 30-32 roles / permissions with the Symfony2 security component.

I would prefer not to create my own security system with ACLs.

+4
3 answers

I think that you misunderstood the ACL system: you can only create 32 kinds of roles, but according to the domain object. This is done using integer bitmask operations (this explains the limitation of “32” as an integer ... well, you know the answer).

So, for example, the permission to delete one object will be the same - "MASK_DELETE" - for a project, a milestone or a ticket. Therefore, if you used ProblematicAclManagerBundle, you just had to do:

$aclManager->addPermission($ticket, $userEntity, MaskBuilder::MASK_DELETE);

or

$aclManager->addPermission($project, $userEntity, MaskBuilder::MASK_DELETE);

to give the user permission to delete $project or $ticket. It also creates an ACL entry for the domain object and an entry for the user if they do not already exist. However, I need to know if it is possible to create different mask names for the class or each class of the package?

You will find a deeper explanation on ACLs here

+5

As stated earlier in gilden's interrogative comments:

But this is just a precedent for an ACL. Now you can use the integrated ACL system! It is fairly easy to modify / expand to best suit your needs.

For beginners, I find it best to read these articles from the Symfony2 official book in the following order:

  • Security - Including information about: Authentication and Authorization, Users and Roles, Access Control in Templates and Controllers
  • Access Control Lists (ACLs) - Including information about: Download and Configure, Create ACLs, ACEs, Access Checks, and Cumulative Permissions
  • Advanced ACL Concepts - Including Information on: Design Concepts, Database Table Structure, Scope, Before and After Authorization Solutions, Process for Achieving Authorization Solutions

SO.com also has an interesting question about the Symfony2 ACL.

Good luck

+4

I know this is an old post, but I just wanted to share this with someone who has a similar answer.

The key to providing a solution is in this sentence in your question:

There are several different system components that must have their own set of permissions.

You can create a separate voter for each of these components.

  • Create a class that extends AclVoter.
  • Override the supportsClass() method to ensure that the voter only votes for the classes of the component for which it is intended.
  • Create your own PermissionMap containing the set of permissions required by the component.
  • Pass the PermissionMap to AclVoter in the service settings.
  • Mark the voter as security.voter so that AccessDecisionManager starts using it.

It has a long way to go.

I also recommend thinking about ACL Component code, there are many functions that, unfortunately, are not documented.

0
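
The voter-per-component steps listed in the answer above, as an added example that is not part of the original answer. It assumes the Symfony 2 ACL component; the Acme\TrackerBundle namespace, the Ticket entity, the service ids prefixed acme. and the ASSIGN/CLOSE permissions are hypothetical.

```php
<?php
// Added example, not the answerer's code. Acme\TrackerBundle, Ticket and the
// ASSIGN/CLOSE permissions are hypothetical; one class per file in practice.
namespace Acme\TrackerBundle\Security;

use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
use Symfony\Component\Security\Acl\Voter\AclVoter;

// Permission names for the ticket component only, each mapped to the masks that grant it.
class TicketPermissionMap implements PermissionMapInterface
{
    const MASK_ASSIGN = 256; // 1 << 8, first bit above MaskBuilder::MASK_OWNER
    const MASK_CLOSE = 512;  // 1 << 9

    private $map = array(
        'VIEW'   => array(MaskBuilder::MASK_VIEW, MaskBuilder::MASK_OWNER),
        'DELETE' => array(MaskBuilder::MASK_DELETE, MaskBuilder::MASK_OWNER),
        'ASSIGN' => array(self::MASK_ASSIGN, MaskBuilder::MASK_OWNER),
        'CLOSE'  => array(self::MASK_CLOSE, MaskBuilder::MASK_OWNER),
    );

    public function getMasks($permission, $object)
    {
        return isset($this->map[$permission]) ? $this->map[$permission] : null;
    }

    public function contains($permission)
    {
        return isset($this->map[$permission]);
    }
}

// Votes only on tickets; for any other object identity type AclVoter abstains.
class TicketAclVoter extends AclVoter
{
    public function supportsClass($class)
    {
        return 'Acme\TrackerBundle\Entity\Ticket' === $class;
    }
}

// Service wiring (YAML, shown as a comment): the stock ACL services plus the custom
// map (acme.ticket_permission_map, a plain service for TicketPermissionMap).
//   acme.ticket_acl_voter:
//     class: Acme\TrackerBundle\Security\TicketAclVoter
//     arguments: ["@security.acl.provider", "@security.acl.object_identity_retrieval_strategy",
//                 "@security.acl.security_identity_retrieval_strategy", "@acme.ticket_permission_map"]
//     tags: [{ name: security.voter }]
```

ASSIGN and CLOSE are absent from the stock permission map, so only this voter decides them, while DELETE is still also evaluated by the stock ACL voter. Because the voter abstains for every class except Ticket, another component's map can give bits 8 and 9 a different meaning.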