php - Symfony 2 ACL 和角色层次结构

Question

我有点卡住了，找不到这个问题的答案。

在我的应用测试中，我创建了两个实体 User 和 Comment，它们都已正确映射。

我创建了一个小型 Controller ，如果我将评论和数据添加到 ACL 表，如果我将评论创建为标准用户并关联“ROLE_USER” ，并尝试以角色“ROLE_ADMIN”的用户身份访问它我被拒绝访问，它似乎完全忽略了 security.yml 层次结构。

我知道这可以通过添加 ROLE_USER 等而不是用户 ID 来实现，但我不想这样做。

我的代码示例如下。

评论 Controller

    <?php

    namespace ACL\TestBundle\Controller;

    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
    use Symfony\Component\HttpFoundation\Request;
    use ACL\TestBundle\Forms\Type\commentType;
    use ACL\TestBundle\Entity\Comment;
    use Symfony\Component\Security\Core\Exception\AccessDeniedException;
    use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
    use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
    use Symfony\Component\Security\Acl\Permission\MaskBuilder;

    class DefaultController extends Controller
    {
        /**
         * @Route("/", name="_default")
         * @Template()
         */
        public function indexAction()
        {
            die('success');
        }

        /**
         * @Route("/comment/new/")
         * @Template()
         */
        public function newAction(Request $request)
        {
            $comment = new Comment();

            $form = $this->createForm(new commentType(), $comment);

            $form->handleRequest($request);

            if ($form->isValid()) {
                $comment->setUsers($this->getUser());
                $em = $this->getDoctrine()->getManager();
                $em->persist($comment);
                $em->flush();

                // creating the ACL
                $aclProvider = $this->get('security.acl.provider');
                $objectIdentity = ObjectIdentity::fromDomainObject($comment);
                $acl = $aclProvider->createAcl($objectIdentity);

                // retrieving the security identity of the currently logged-in user
                $securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());

                // grant owner access
                $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
                $aclProvider->updateAcl($acl);
            }

            return array(
                'form' => $form->createView(),
            );
        }

        /**
         * @Route("/comment/{id}/", requirements={"id":"\d+"})
         * @Template()
         */
        public function editAction(Request $request,$id)
        {
            $em = $this->getDoctrine()->getManager();
            $comment = $em->find('ACLTestBundle:Comment', $id);

            $securityContext = $this->get('security.context');

            // check for edit access
            if (false === $securityContext->isGranted('EDIT',$comment)) {
                throw new AccessDeniedException();
            }

            $form = $this->createForm(new commentType(), $comment);

            $form->handleRequest($request);

            if($form->isValid()){
                $em->persist($comment);
                $em->flush();
            }

            return array('form' => $form->createView());
        }
    }

安全.yml

 security:
        encoders:
            ACL\TestBundle\Entity\User: plaintext
        acl:
            connection: default

        providers:
            database:
                entity: { class: ACLTestBundle:User }

        role_hierarchy:
            ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]

        firewalls:
            dev:
                pattern:  ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern:     ^/
                provider:    database
                anonymous:   true
                logout:      true
                switch_user: true
                form_login:
                    login_path: _security_login

        access_control:
            - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, roles: IS_AUTHENTICATED_FULLY }

我很感激任何建议!

Answer 1

问题是您正在添加基于 UserIdentity 的 ACL，并希望检查基于 RoleIdentity 的 gran。如果你想这样做 Role base 如下更改创建的 ACL

// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);

// retrieving the security identity of the currently logged-in user
$securityIdentity = UserSecurityIdentity::fromAccount($this->getUser());

// grant owner access
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);

// grant EDIT access to ROLE_ADMIN
$securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN');
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_EDIT);
$aclProvider->updateAcl($acl);

如您所见，我保留了特定用户的所有者访问权限，然后我为 ROLE_ADMIN 添加了编辑访问权限。您可以保持 Controller 不变。

如果你不想让它成为角色基础，而只是想给管理员用户一个异常(exception)，你可以将你的 Controller 更改为

// check for edit access
if (false === $securityContext->isGranted('EDIT',$comment) && false === $securityContext->isGranted('ROLE_ADMIN') ) {
   throw new AccessDeniedException();
}