Manage Roles and Assign Permissions to Roles - Symfony
I am building an admin panel in Symfony 3 based on roles and permissions. Each admin will be assigned a role (or multiple roles) and will then be able to perform actions according to the permissions assigned to that role.
To give you an idea, here is an example:
- The admin panel has the functions add user, edit user and delete user.
- I create a role USER_MANAGEMENT_WITHOUT_DELETE, which has access to user_create and user_edit.
- I create a role USER_MANAGEMENT_WITH_DELETE, which has access to user_create, user_edit and user_delete.
- Now an admin with the role USER_MANAGEMENT_WITH_DELETE can add, edit and delete users, while an admin with the role USER_MANAGEMENT_WITHOUT_DELETE can only add and edit users, but not delete them.
I searched and found FOSUserBundle and ACL. Some recommended ACL while others say it's better to use FOSUserBundle.
I also read the FOSUserBundle documentation and how it stores roles in the roles column, something like a:1:{i:0;s:10:"ROLE_ADMIN";}, but there is no mention of permissions. So here are my questions:
- I am confused between the two. Which one should I use?
- If I use FOSUserBundle, how do I manage permissions?
Roles are not specific to FOSUserBundle. They are part of Symfony.
ACLs are more complex than using roles, so I suggest using roles.
From the Symfony documentation:
Alternatives to ACLs
Using ACL's isn't trivial, and for simpler use cases, it may be
overkill. If your permission logic could be described by just writing
some code (e.g. to check if a Blog is owned by the current User), then
consider using voters. A voter is passed the object being voted on,
which you can use to make complex decisions and effectively implement
your own ACL. Enforcing authorization (e.g. the isGranted part) will
look similar to what you see in this entry, but your voter class will
handle the logic behind the scenes, instead of the ACL system.
To handle 'permissions', I suggest using Voters:
First create a voter like this:
Configuration:
# app/config/services.yml
services:
    app.user_permissions:
        class: AppBundle\Voters\UserPermissionsVoter
        arguments: ['@security.access.decision_manager']
        tags:
            - { name: security.voter }
        public: false
And the class:
namespace AppBundle\Voters;

use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class UserPermissionsVoter extends Voter
{
    const USER_CREATE = 'user_create';
    const USER_EDIT = 'user_edit';
    const USER_DELETE = 'user_delete';

    private $decisionManager;

    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        $this->decisionManager = $decisionManager;
    }

    protected function supports($attribute, $subject)
    {
        // Only vote on the permissions this voter knows about; abstain on anything else
        return in_array($attribute, array(self::USER_CREATE, self::USER_EDIT, self::USER_DELETE), true);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            // Not authenticated: deny
            return false;
        }

        // Role names must carry the ROLE_ prefix, otherwise Symfony's RoleVoter ignores them
        $withDelete = $this->decisionManager->decide($token, array('ROLE_USER_MANAGEMENT_WITH_DELETE'));
        $withoutDelete = $this->decisionManager->decide($token, array('ROLE_USER_MANAGEMENT_WITHOUT_DELETE'));

        switch ($attribute) {
            case self::USER_CREATE:
            case self::USER_EDIT:
                // Both roles may create and edit users
                return $withDelete || $withoutDelete;
            case self::USER_DELETE:
                // Only the WITH_DELETE role may delete users
                return $withDelete;
        }

        // Deny by default
        return false;
    }
}
Then you can check the permission in your controller:
public function userCreateAction()
{
    if (!$this->isGranted('user_create')) {
        throw $this->createAccessDeniedException('You are not allowed to create a user.');
    }
    // next steps ...
}
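As an added example (not code from the question or the answer above), here is a table-driven variant of the voter together with a PHPUnit test that pins down the role/permission matrix described in the question, including the deny case for user_delete under USER_MANAGEMENT_WITHOUT_DELETE. The test wires Symfony's real AccessDecisionManager with the built-in RoleVoter, so it runs without a container or the full framework. The class names TableDrivenUserPermissionsVoter and TableDrivenUserPermissionsVoterTest are assumptions, the test class is placed in the same listing only for brevity, and the code assumes symfony/security-core (3.x) and PHPUnit are installed.

```php
<?php
// Added example: a table-driven permissions voter plus a PHPUnit test of the matrix.
// Class names are illustrative; the test would normally live under tests/.
namespace AppBundle\Voters;

use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;

class TableDrivenUserPermissionsVoter extends Voter
{
    // Single source of truth: which role grants which permissions.
    // Anything not listed here is denied (deny by default).
    private static $grants = array(
        'ROLE_USER_MANAGEMENT_WITH_DELETE'    => array('user_create', 'user_edit', 'user_delete'),
        'ROLE_USER_MANAGEMENT_WITHOUT_DELETE' => array('user_create', 'user_edit'),
    );

    private $decisionManager;

    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        $this->decisionManager = $decisionManager;
    }

    protected function supports($attribute, $subject)
    {
        // Vote only on permission strings present in the table; abstain on everything else
        foreach (self::$grants as $permissions) {
            if (in_array($attribute, $permissions, true)) {
                return true;
            }
        }
        return false;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        if (!$token->getUser() instanceof UserInterface) {
            return false; // unauthenticated: deny
        }
        // Grant if the token holds any role whose permission list contains the attribute.
        // decide() delegates to RoleVoter, which only matches ROLE_-prefixed names.
        foreach (self::$grants as $role => $permissions) {
            if (in_array($attribute, $permissions, true)
                && $this->decisionManager->decide($token, array($role))) {
                return true;
            }
        }
        return false;
    }
}

class TableDrivenUserPermissionsVoterTest extends TestCase
{
    // Constructed token: an in-memory user carrying exactly the given roles
    private function tokenWithRoles(array $roles)
    {
        $user = new User('admin', 'secret', $roles);
        return new UsernamePasswordToken($user, 'secret', 'main', $roles);
    }

    public function testPermissionMatrix()
    {
        $voter = new TableDrivenUserPermissionsVoter(
            new AccessDecisionManager(array(new RoleVoter()))
        );
        $with    = $this->tokenWithRoles(array('ROLE_USER_MANAGEMENT_WITH_DELETE'));
        $without = $this->tokenWithRoles(array('ROLE_USER_MANAGEMENT_WITHOUT_DELETE'));

        // WITH_DELETE may delete; WITHOUT_DELETE may edit but is denied delete
        $this->assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($with, null, array('user_delete')));
        $this->assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($without, null, array('user_edit')));
        $this->assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($without, null, array('user_delete')));
        // Unknown permission: the voter abstains, leaving the decision to the default strategy
        $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($with, null, array('user_export')));
    }
}
```

Keeping the role-to-permission mapping in one table means adding a permission is a one-line change, and the test makes any accidental widening (for example, granting user_delete to the WITHOUT_DELETE role) fail immediately. Because the voter abstains on unknown attributes, the default affirmative strategy with allowIfAllAbstainDecisions=false still denies access for attributes nobody claims.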