Dynamic Roles
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeEarlier, we talked about how the moment a user logs in, Symfony calls the getRoles() method on the User object to figure out which roles that user will have:
| // ... lines 1 - 12 | |
| class User implements UserInterface, PasswordAuthenticatedUserInterface | |
| { | |
| // ... lines 15 - 26 | |
| /** | |
| * @ORM\Column(type="json") | |
| */ | |
| private $roles = []; | |
| // ... lines 31 - 78 | |
| /** | |
| * @see UserInterface | |
| */ | |
| public function getRoles(): array | |
| { | |
| $roles = $this->roles; | |
| // guarantee every user at least has ROLE_USER | |
| $roles[] = 'ROLE_USER'; | |
| return array_unique($roles); | |
| } | |
| // ... lines 90 - 154 | |
| } |
This method reads a $roles array property that's stored in the database as JSON... then always adds ROLE_USER to it.
Until now, we haven't given any users any extra roles in the database... so all users have just ROLE_USER. You can see this in the web debug toolbar: click to jump into the profiler. Yup, we have ROLE_USER.
This is too boring... so let's add some true admin users! First, open config/packages/security.yaml... and, down under access_control, change this to once again require ROLE_ADMIN:
| security: | |
| // ... lines 2 - 50 | |
| access_control: | |
| - { path: ^/admin, roles: ROLE_ADMIN } | |
| // ... lines 53 - 54 |
Remember: roles are just strings that we invent... they can be anything: ROLE_USER ROLE_ADMIN, ROLE_PUPPY, ROLE_ROLLERCOASTER... whatever. The only rule is that they must start with ROLE_. Thanks to this, if we go to /admin... access denied!
Populating Roles in the Database
Let's add some admin users to the database. Open up the fixtures class: src/DataFixtures/AppFixtures.php. Let's see... down here, we're creating one custom user and then 10 random users. Make this first user an admin: set roles to an array with ROLE_ADMIN:
| // ... lines 1 - 15 | |
| class AppFixtures extends Fixture | |
| { | |
| public function load(ObjectManager $manager) | |
| { | |
| // ... lines 20 - 47 | |
| UserFactory::createOne([ | |
| 'email' => 'abraca_admin@example.com', | |
| 'roles' => ['ROLE_ADMIN'] | |
| ]); | |
| // ... lines 52 - 57 | |
| } | |
| } |
Let's also create one normal user that we can use to log in. Copy the UserFactory code, paste, use abraca_user@example.com... and leave roles empty:
| // ... lines 1 - 15 | |
| class AppFixtures extends Fixture | |
| { | |
| public function load(ObjectManager $manager) | |
| { | |
| // ... lines 20 - 47 | |
| UserFactory::createOne([ | |
| 'email' => 'abraca_admin@example.com', | |
| 'roles' => ['ROLE_ADMIN'] | |
| ]); | |
| UserFactory::createOne([ | |
| 'email' => 'abraca_user@example.com', | |
| ]); | |
| // ... lines 55 - 57 | |
| } | |
| } |
Let's do it! At your terminal, run:
symfony console doctrine:fixtures:load
When that finishes... spin over and refresh. We got logged out! That's because, when the user was loaded from the session, our user provider tried to refresh the user from the database... but the old user with its old id was gone thanks to the fixtures. Log back in.... with password tada and... access granted! We rock! And in the profiler, we have the two roles.
Checking for Access inside Twig
In addition to checking or enforcing roles via access_control... or from inside a controller, we often also need to check roles in Twig. For example, if the current user has ROLE_ADMIN, let's a link to the admin page.
Open templates/base.html.twig. Right after this answers link... so let me search for "answers"... there we go, add if, then use a special is_granted() function to check to see if the user has ROLE_ADMIN:
| <html> | |
| // ... lines 3 - 14 | |
| <body> | |
| <nav class="navbar navbar-expand-lg navbar-light bg-light px-1"> | |
| <div class="container-fluid"> | |
| // ... lines 18 - 26 | |
| <div class="collapse navbar-collapse" id="navbar-collapsable"> | |
| <ul class="navbar-nav me-auto mb-2 mb-lg-0"> | |
| // ... lines 29 - 31 | |
| {% if is_granted('ROLE_ADMIN') %} | |
| // ... lines 33 - 35 | |
| {% endif %} | |
| </ul> | |
| // ... lines 38 - 40 | |
| </div> | |
| </div> | |
| </nav> | |
| // ... lines 44 - 48 | |
| </body> | |
| </html> |
It's that easy! If that's true, copy the nav link up here... paste.. send the user to admin_dashboard and say "Admin":
| <html> | |
| // ... lines 3 - 14 | |
| <body> | |
| <nav class="navbar navbar-expand-lg navbar-light bg-light px-1"> | |
| <div class="container-fluid"> | |
| // ... lines 18 - 26 | |
| <div class="collapse navbar-collapse" id="navbar-collapsable"> | |
| <ul class="navbar-nav me-auto mb-2 mb-lg-0"> | |
| // ... lines 29 - 31 | |
| {% if is_granted('ROLE_ADMIN') %} | |
| <li class="nav-item"> | |
| <a class="nav-link" href="{{ path('admin_dashboard') }}">Admin</a> | |
| </li> | |
| {% endif %} | |
| </ul> | |
| // ... lines 38 - 40 | |
| </div> | |
| </div> | |
| </nav> | |
| // ... lines 44 - 48 | |
| </body> | |
| </html> |
When we refresh... got it!
Let's do the same with the "log in" and "sign up" links: we only need those if we are not logged in. Down here, to simply check if the user is logged in, use is_granted('ROLE_USER')... because, in our app, every user has at least that role. Add else, endif, then I'll indent. If we are logged in, we can paste to add a "Log out" link that points to the app_logout route:
| <html> | |
| // ... lines 3 - 14 | |
| <body> | |
| <nav class="navbar navbar-expand-lg navbar-light bg-light px-1"> | |
| <div class="container-fluid"> | |
| // ... lines 18 - 26 | |
| <div class="collapse navbar-collapse" id="navbar-collapsable"> | |
| // ... lines 28 - 38 | |
| {% if is_granted('ROLE_USER') %} | |
| <a class="nav-link text-black-50" href="{{ path('app_logout') }}">Log Out</a> | |
| {% else %} | |
| <a class="nav-link text-black-50" href="{{ path('app_login') }}">Log In</a> | |
| <a href="#" class="btn btn-dark">Sign up</a> | |
| {% endif %} | |
| </div> | |
| </div> | |
| </nav> | |
| // ... lines 48 - 52 | |
| </body> | |
| </html> |
Cool! Refresh and... so much better. This is looking like a real site!
Next, let's learn about a few special "strings" that you can use with authorization: strings that do not start with ROLE_. We'll use one of these to show how we could easily deny access to every page in a section except for one.
5 Comments
Hello,
When i edit a user with a form, how do i save then the user role to the database. It needs to be a array.
With the dataFixtures it works fine, but how do i this by a form. I mis this in the video's
Thnx
Hi @WilcoS!
That's a good question :). If you have some sort of "user admin" section. you could create a "checkbox" field for this. In Symfony forms, this would be something like this (in a form class):
Let me know if that helps!
Hi Ryan,
I have this in my formType but the select pulldown i getting the next error: Expected argument of type "array", "string" given at property path "roles".
How do I solve this?
Thnx
Hey Wilco!
Apologies for the glacial reply - I had some vacation last week :).
Ok, so the problem here is
'multiple' => false,and the fact that therolesproperty on yourUserobject is technically an array. When you havemultiplefalse, it means that the user is selecting just one, string value. But then the form component looks at theUser.rolesproperty and thinks "But hmm, I can't set this property to a string, it is an array!".I understand why you have
'multiple' => false,, however: you only want the user to worry about selecting a single role. The easiest way to solve this is:You could simplify the
rolesproperty onUserto be calledroleand have this be a simple string. Then you would have normalgetRole(): ?stringandsetRole(string $role)methods and you would call your form fieldrole(with nos). You will STILL need agetRoles()method, because the security system needs this. But it will now look something like this:The only reason this would NOT work is if, for some reason, you have some situation where a few users DO need multiple roles in the database. But it doesn't sound like you have that case.
Cheers!
Thnx it's working fine now.
"Houston: no signs of life"
Start the conversation!