If you liked what you've learned so far, dive in!
Subscribe to get access to this tutorial plus
video, code and script downloads.
I do use access controls to lock down big sections, but, mostly, I handle authorization inside my controllers.
Let's play around: comment out the access_control:
| ... lines 1 - 2 | |
| security: | |
| ... lines 4 - 33 | |
| access_control: | |
| # - { path: ^/admin, roles: ROLE_ADMIN } |
And open up GenusAdminController. To check if the current user has a role,
you'll always use one service: the authorization checker. It looks like this:
if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN'). So,
if we do not have ROLE_ADMIN, then throw $this->createAccessDeniedException():
| ... lines 1 - 13 | |
| class GenusAdminController extends Controller | |
| { | |
| ... lines 16 - 18 | |
| public function indexAction() | |
| { | |
| if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) { | |
| throw $this->createAccessDeniedException('GET OUT!'); | |
| } | |
| ... lines 24 - 31 | |
| } | |
| ... lines 33 - 84 | |
| } |
That message is just for us developers.
Head back and refresh. Access denied!
So what's the magic behind that createAccessDeniedException() method? Find out:
hold Command and click to open it. Ah, it literally just throws a special exception
called AccessDeniedException:
| ... lines 1 - 21 | |
| use Symfony\Component\Security\Core\Exception\AccessDeniedException; | |
| ... lines 23 - 38 | |
| abstract class Controller implements ContainerAwareInterface | |
| { | |
| ... lines 41 - 257 | |
| /** | |
| * Returns an AccessDeniedException. | |
| * | |
| * This will result in a 403 response code. Usage example: | |
| * | |
| * throw $this->createAccessDeniedException('Unable to access this page!'); | |
| * | |
| * @param string $message A message | |
| * @param \Exception|null $previous The previous exception | |
| * | |
| * @return AccessDeniedException | |
| */ | |
| protected function createAccessDeniedException($message = 'Access Denied.', \Exception $previous = null) | |
| { | |
| return new AccessDeniedException($message, $previous); | |
| } | |
| ... lines 274 - 396 | |
| } |
It turns out - no matter where you are - if you need to deny access for any reason, just throw this exception. Symfony handles everything else.
Simple, but that was too much work. So, you'll probably just do this instead:
$this->denyAccessUnlessGranted('ROLE_ADMIN'):
| ... lines 1 - 13 | |
| class GenusAdminController extends Controller | |
| { | |
| ... lines 16 - 18 | |
| public function indexAction() | |
| { | |
| $this->denyAccessUnlessGranted('ROLE_ADMIN'); | |
| ... lines 22 - 29 | |
| } | |
| ... lines 31 - 82 | |
| } |
Much better: that does the same thing as before.
And, I have another idea! If you love annotations, you can use those to deny
access. Above the controller, add @Security() then type a little expression:
is_granted('ROLE_ADMIN'):
| ... lines 1 - 7 | |
| use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; | |
| ... lines 9 - 14 | |
| class GenusAdminController extends Controller | |
| { | |
| /** | |
| * @Route("/genus", name="admin_genus_list") | |
| * @Security("is_granted('ROLE_ADMIN')") | |
| */ | |
| public function indexAction() | |
| { | |
| ... lines 23 - 29 | |
| } | |
| ... lines 31 - 82 | |
| } |
This has the exact same effect - it just shows us a different message.
But no matter how easy we make it, what we really want to do is lock down this
entire controller. Right now, we could still go to /admin/genus/new and have
access. We could repeat the security check in every controller... or we could do
something cooler.
Add the annotation above the class itself:
| ... lines 1 - 7 | |
| use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; | |
| ... lines 9 - 11 | |
| /** | |
| * @Security("is_granted('ROLE_ADMIN')") | |
| * @Route("/admin") | |
| */ | |
| class GenusAdminController extends Controller | |
| { | |
| ... lines 18 - 82 | |
| } |
As soon as you do that, all of these endpoints are locked down.
Sweet!
// composer.json
{
"require": {
"php": ">=5.5.9",
"symfony/symfony": "3.1.*", // v3.1.4
"doctrine/orm": "^2.5", // v2.7.2
"doctrine/doctrine-bundle": "^1.6", // 1.6.4
"doctrine/doctrine-cache-bundle": "^1.2", // 1.3.0
"symfony/swiftmailer-bundle": "^2.3", // v2.3.11
"symfony/monolog-bundle": "^2.8", // 2.11.1
"symfony/polyfill-apcu": "^1.0", // v1.2.0
"sensio/distribution-bundle": "^5.0", // v5.0.22
"sensio/framework-extra-bundle": "^3.0.2", // v3.0.16
"incenteev/composer-parameter-handler": "^2.0", // v2.1.2
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"knplabs/knp-markdown-bundle": "^1.4", // 1.4.2
"doctrine/doctrine-migrations-bundle": "^1.1" // 1.1.1
},
"require-dev": {
"sensio/generator-bundle": "^3.0", // v3.0.7
"symfony/phpunit-bridge": "^3.0", // v3.1.3
"nelmio/alice": "^2.1", // 2.1.4
"doctrine/doctrine-fixtures-bundle": "^2.3" // 2.3.0
}
}