Chapters

36 Chapters | 1:50:44 |

01

Introduction

0:44
02

Security Fundamentals

3:47
03

Authorization with Access Control

2:08
04

Creating a Login Form (Part 1)

4:46
05

Creating a Login Form (Part 2)

3:57
06

Logging Out and Cleaning Up

5:03
07

Twig Security and IS_AUTHENTICATED_FULLY

2:41
08

Denying Access: AccessDeniedException

4:23
09

Entity Security

4:32
10

Saving Users

3:37
11

Adding Dynamic Roles to each User

4:56
12

Repository Security

4:20
13

Doctrine’s QueryBuilder

2:25
14

The UserProvider: Custom Logic to Load Security Users

3:15
15

User Serialization

2:16
16

Registration Form

3:11
17

Form Rendering

4:38
18

Using More Fields: email and repeated

2:31
19

Handling Form Submissions

4:22
20

Form: Default Data

2:10
21

Cleaning up with a plainPassword Field

1:34
22

Using an External Form Type Class

2:40
23

Registration Validation

3:36
24

Server-Side Validation

4:18
25

Adding a Flash Message

1:35
26

Automatically Authenticating after Registration

0:55
27

Functional Testing

5:04
28

Testing Forms

3:21
29

Controlling Data / Fixtures in a Test

3:23
30

More about Container, the “doctrine” Service and the Entity Manager

1:54
31

After-dinner Mint

3:35
32

Security: Creating Roles and Role Hierarchies

2:50
33

Switching Users / Impersonation

1:09
34

Whitelisting: Securing all Pages, except a few

2:15
35

Accessing the User

1:09
36

Remember Me Functionality

1:44

This tutorial has a new version, check it out!

> Symfony 2 > Starting in Symfony2: Course 2 (2.4+)

Buy Access to Course

32.

Security: Creating Roles and Role Hierarchies

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

Security: Creating Roles and Role Hierarchies¶

Let’s change gears and mention a few more things about security. Earlier, we saw how you could enforce security in two different ways. The access_control method is the easiest, but we can always enforce things manually in the controller. In both cases, we’re checking whether or not a user has a specific role. If they do, they get access. If they don’t, they’ll see the login page or the access denied screen.

In our example, we showed a pretty basic system with just ROLE_USER and ROLE_ADMIN. If you need another role, just start using it. For example, if only some users are able to create events, we can protect event creation with a new role.

To show this, let’s make the role that’s passed to enforceUserSecurity configurable and then only let a user create an event if they have some ROLE_EVENT_CREATE role:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

public function createAction(Request $request)
{
    $this->enforceUserSecurity('ROLE_EVENT_CREATE');
}

// also change ROLE_USER to ROLE_EVENT_CREATE in newAction

// ...
private function enforceUserSecurity($role = 'ROLE_USER')
{
    $securityContext = $this->container->get('security.context');
    if (!$securityContext->isGranted($role)) {
        // in Symfony 2.5
        // throw $this->createAccessDeniedException('message!');
        throw new AccessDeniedException('Need '.$role);
    }
}

The only rule when creating a role is that it must start with ROLE_. If it doesn’t, you won’t get an error, but security won’t be enforced.

Try it out by logging in as admin. But first, reload the fixtures, since our users were deleted earlier when running our functional test.

Now, try to create an event. No access! Our admin user has ROLE_USER and ROLE_ADMIN, but not ROLE_EVENT_CREATE. If we want to give all administrators the ability to create events, we can take advantage of role hierarchy, which we can see in security.yml. Add ROLE_EVENT_CREATE to ROLE_ADMIN and refresh again:

# app/config/security.yml
security:
    # ...
    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER, ROLE_EVENT_CREATE]
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

We are in! Now let’s schedule that wookiee wine down!

Strategies for Controller Access¶

Keep these two tips in mind when using roles:

Protect the actual parts of your application using feature-specific roles, not user-specific roles. This means your roles should describe the features they give you access to, like ROLE_EVENT_CREATE and not the type of user that should have access, like ROLE_ADMIN.

Use the role hierarchy section to manage which types of users have which roles. For example, you might decide that ROLE_USER should have ROLE_BLOG_CREATE and ROLE_EVENT_CREATE, which you setup here. Assign your actual users these user-specific roles, like ROLE_USER or ROLE_MARKETING.

By following these tips, you’ll be able to easily control the exact areas of your site that different users have access to.

4 Comments

Sort By

Krzysztof-K 4 years ago edited

What about Roles Hierarchy inside Voter?
`
ROLE_ADMIN: [ROLE_USER, ROLE_EVENT_CREATE]


if (in_array('ROLE_EVENT_CREATE', $user->getRoles())) {
                    return true;
                }
`
Above code will fail about that when user has ROLE_ADMIN - it will check only for ROLE_EVENT_CREATE in roles, but ignore whole hierarchy.
How to deal with that?

| Reply |

weaverryan SFCASTS Krzysztof-K 4 years ago

For anyone else finding this, check out the answer over here: https://symfonycasts.com/sc... :)

| Reply |

Peter-K 6 years ago

I cant get my head around this.

My scenario: I have a site where you have multiple section but for this example lets say we have a LIST section only.
This LIST section have 2 states:
1st state: see the list
2nd state: see the list and edit/add/delete - CRUD

Is this how you would set up this scenario:

role_hierarchy:
ROLE_READONLY_USER: [ROLE_LIST],
ROLE_CRUD_USER: [ROLE_CRUD_LIST],

Issue here is that both of these users will access the same template but only role_crud_user will see extra buttons.

Lets say the route is /list => template list.html.twig

But surely in controller I need to validate if role_readonly OR role_crud then access granted.

Next issue is that in my template I must have then if role_crud_user then show button.

Soo simple but before I was always using if this role or that role or that role then button is visible and I found it not really scalable and now I am going into the same problem so where I am making mistake?

The issue with my old approch is that there might be a new role ROLE_LIST_ONLY_DELETE then I would have to go to code and add another OR role_delete then show delete button.

So the question is how would you set up this scenario initially and also if there is another ROLE_DELETE that can see the list but only delete (cannot add or edit)

| Reply |

MolloKhan SFCASTS Peter-K 6 years ago edited

Hey Peter K.

If you want to enable/disable buttons per action, I don't see how you can get rid off those if's (4 in total)
But, what you can do is setup a good ROLE hierarchy, something like:


// Whoever have this ROLE, will be able to do everything
ROLE_CRUD_USER: [ROLE_READ_USER, ROLE_UPDATE_USER, ROLE_UPDATE_USER, ROLE_DELETE_USER]

And in your template you check directly for each role


{% if is_granted('ROLE_UPDATE_USER') %}
    // show update button
{% else if ... %}

Another thing you can give it a try is to use Voters, we have a tutorial about them, is a bit old, but I believe voters haven't changed too much since then.
https://knpuniversity.com/screencast/new-in-symfony3/voter

I hope this help you :) Cheers!

1 | Reply |

Symfony 2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1" // 4.1.0
    }
}

Previous Chapter

Next Chapter

Security: Creating Roles and Role Hierarchies

Share this awesome video!

Keep on Learning!

Security: Creating Roles and Role Hierarchies¶

Strategies for Controller Access¶

4 Comments

Delete comment?

What PHP libraries does this tutorial use?