Dynamic Roles

Yo Steven Carré!

> if a user has several roles and I just want to remove one, I have to get the roles first and then reset them all after removing the one from the roles array(). Is there a more convenient way to achieve this?

The way the code is written out-of-the-box, there is not. You have a few options:

1) Say ok! No big deal - I'll just keep my code that does all this work :).
2) Create a new method on User called (for example) removeRole(string $roleName) and move the logic there for finding the role. Basically the same thing... but the code is more centralized.
3) If you want to, you can actually have an entire UserRole entity that you could relate to User and store roles there. Each UserRole would have an id, so you would know exactly which to delete. This might be overkill... to solve the problem ;).

Cheers!

Hi,
thanks for this very instructive article.
I have a question: the User entity has a setRoles() method so say if a user has several roles and I just want to remove one, I have to get the roles first and then reset them all after removing the one from the roles array(). Is there a more convenient way to achieve this?
Thank you

Oh, that's interesting. I've never have that problem - Maybe it's because of the MySql version. On which version are you running?

I had the same problem and ended up swapping json_array for simple_array which saved everything as a comma delimited list.

Hey @weaverryan,

I forgot a ':' after 'subfamily_{1..10}' thus screwing up the whole fixtures.
Small things can be easily overlooked!
It works now. :)

Thanks for the reply!

Hey David Mesman!

Ah man! Let's see if we can debug this. First, if you add a -vvv flag at the end of your command (so bin/console doctrine:fixtures:load -vvv) you will get a stacktrace on your error, which is usually very helpful to see exactly where the error is coming from!

Second, make sure that when you call setRoles() that you're passing it an *array*. I think that you might be setting this to a string. And then inside our setRoles() method in User, we are trying to foreach over that.

Let me know if that helps!

Cheers!

Hey Ryan,
When loading my fixtures after I added the roles field and migrated then I get this lovely error:
Message: "Warning: Invalid argument supplied for foreach()" ["error" => Symfony\Component\Debug\Exception\ContextErrorExcepti
on { …},"command" => "doctrine:fixtures:load","message" => "Warning: Invalid argument supplied for foreach()"] []. As a result of this nothing gets loaded into my database.

I am using Symfony 3.4

Hey Marcelo,

Glad you got it working!

Cheers!

Hey Man !

Finally after a little study I was able to solve this problem by creating a Voter with the extractRoles method.

Thanks for help.

Hey Marcelo,

Do you mean you need to have a user that may impersonate other users? e.g. you have a ROLE_SELLER_ADMIN that can log in as any ROLE_SELLER_USER and do some things on their behalf?

Then this Symfony docs might be useful for you: https://symfony.com/doc/cur...
We also say about impersonation here: https://knpuniversity.com/s...

I hope it helps!

Cheers!

Hello ! I
need to sign in with some ROLE, such as ROLE_SELLER_USER, after that, I
need to select a seller from a list and load roles from a Many to Many
table to continue on the next page.
Can you help me ?

Good analysis :)
and yep, every option can be good or bad depending on your situation, so it's good to take a moment to determine which implementation fits better to your needs.

Cheers!

Thank you for your response.
I am thinking about these solutions.
Option A will be usable if we had few results and no pagination.
I was thinking about option D ... I think it is usable with HATEOAS API, because I can generate route for "list of articles" action for each user role ... I like thin controllers.
Probably way B and D are the most common.

Greetz, Tomas

Hey Tomáš Hermánek

Good question. I can think of a couple of ways to do it
A) One controller action which will fetch all articles but in the template you would filter by ROLE
B) One controller action and based on user's role fetch the right articles (as you said)
C) Create a Twig's function for fetching the right articles based on given User
D) Two controller actions, one for each role. I wouldn't recommend this option because it adds extra complexity to the system.

So, as you can see, you can get creative looking for solutions, but the answer relies on your specifications.

Cheers!

Hi, I am thinking about best practices for following scenario: I have two roles ROLE_USER, ROLE_ADMIN. Also, I have object (i.e. Article) which can be in two states. draft, assigned. And also can be assigned to user. A want to list all articles but user with ROLE_USER can see only articles in draft state and assigned articles. User with role ROLE_ADMIN can see all articles. And question is. Is better practice to create controller with one action which handles each roles (based on role it picks proper repository method) or I should use two dedicated actions .... separated for each ROLE?
Thank you for your response.

Hey gstanto ,

Thanks for sharing it with others!

Cheers!

What I had to do to make this work on Symfony 4:

When running migration initially I received this error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'JSON NOT NULL COMMENT '(DC2Type:json_array)'' at line 1

I tried to manually tweak the migration as Karol suggested below, but did not work for me.

I checked Mysql Version (As installed with setting from Ansible tutorial - recommended, btw)
Ver 14.14 Distrib 5.5.59, for debian-linux-gnu (x86_64) using readline 6.3

Then needed to tweak doctrine.yaml

doctrine:
    dbal:
        # configure these for your database server
        driver: 'pdo_mysql'
        server_version: '5.5' <-----(preset was 5.7, which has true json column types)

Then it worked fine. Maybe that will save someone the hour I spent figuring it out.

Or maybe is something related to your environment. Which OS, and database driver are you using?

Hey Diego Aguiar

I choose json_array type, and also set second parameter for createForm(..). Maybe I missed something else, I will check it all again.

I found the similar issue here, maybe it is smilar issue, i dont know.. :)

Thank you for response :)

Hey Danijela

I'm not sure why that's happening, but can you double check that you chose "json_array" as the type of your $roles property?
Another thing you can do is passing the User instance as a second parameter to your FormType (when creating it), so it automatically updates the properties.

// UserController.php
public function editAction(Request $request, User $user) {
    ...    
   $editForm = $this->createForm(UserEditType::class, $user)
   ...
}

Cheers!

Hey! :) I created EditUserForm, finally. I had a little problem with roles: sometimes roles were saved as json array ["ROLE_USER","ROLE_ADMIN"], sometimes as json object {"1":"ROLE_USER"}.
I solved it with next line, is there some better way? Thanks!

$user->setRoles(array_values($form->get("roles")->getData()));


Hey Karol Goraus

Thanks for sharing your problem and solution :)
But instead of setting a default value at the DataBase level, you can do it in your entity code

// User.php
class User {
    ....
    // Set default to an empty array
    private $roles = [];
    ....
}

I believe it should give you the same result

Cheers!

Hi everyone!

I am following your course but I use Postgres instead of MySql. I encountered a problem with the "roles" column.
Migration generated by console creates json column (with NOT NULL), as expected. Running the migrate command generates an error that column roles cannot be null
I tried to add columnDefinition='default=\'[\']::JSON' in "@ORM\Column" annotation but that generates "ALTER..." SQL without column type ((...) ADD roles default '[]'::JSON).
I ended up removing the columnDefinition part (so I had User.php like the one in this course) and modifying the migration file: $this->addSql('ALTER TABLE "user" ADD roles JSON NOT NULL DEFAULT \'[]\'::JSON');

I hope that someone can benefit from that, should one encounter such problem or maybe you have some other solution for that problem.

Cheers!

Hi Victor Bocharsky,

I did not have that indeed.
I passed a string to the setRoles method. Now I've changed that, and adjusted the setRoles function to setRoles(array $roles)!

Thanks!

Hey Dennis,

I suppose it's because in your code you're passing role as a string to setRoles() method, i.e. $user->setRoles('ROLE_ADMIN'). Check your setRoles() setter, in our project it has "setRoles(array $roles)" signature, which means your should pass an *array* of roles like: $user->setRoles(['ROLE_ADMIN']). If you still have some problems with it - please, show your setRoles() method declaration.

Cheers!

Hello KNP,

I've got a weird thing with the $roles json_array. I save the user to the database with this code:

$user = new User();
$user->setEmail('[email protected]');
$user->setPlainPassword('SuperCoolPassword');
$user->setRoles('ROLE_ADMIN');

$em = $this->getDoctrine()->getManager();
$em->persist($user);
$em->flush();

All goes well, and the user is saved into the database.

Now when I login, It's not returning the $roles as an array, so it breaks on this line
if(!in_array('ROLE_USER', $roles)) {

Now I fixed it with this:

$roles = (array)$this->roles;

But why isn't it an array?

Greetz, Dennis

Ohh that's very interesting!

I found a quick guide of how you can force your user token to be realod, I haven't tested it, but it may work for you:
http://www.pix-art.be/post/...

Also check for "EquatableInterface", that's the key ;)

Cheers!

I have the same issue, I'll try your second solution i'l let you know :) !

Thank's Diego.

But I don't use a database to store those roles. I mean it's a CAS authentication. This is how it works :

1 - My cas bundle handles the authentication. Set's a casUser (which has no addRole method).
2 - I added a method : addRoles which I call in my listener :

- { name: kernel.event_listener, event: kernel.controller, method: onKernelController }

I mean I cannot log out and log in to refresh the security token. Because the app logic roles are never stored in a database, but guessed logically.
So my problem now is how to refresh the securityToken because the "isGranted" method doesn't seem to know about the new added roles...

Anyway i'm digging.
Thank you all for the help.

Hey Abou!

You are right about not manipulating bundle files directly, it's a bad practice, if you really have to do it, it's better to fork the repository, make your changes and make a pull request

About adding roles dynamically, you can add a method to the User class like this:

public function addRole($role){
        $role = strtoupper($role);
        
        if (!in_array($role, $this->roles, true)) {
            $this->roles[] = $role;
        }
}

And then create an admin area where you can manage your user's. Just remember, after adding a role to an user, if that user is logged in, he will need to logout/login to refresh his roles list.

Oh, and thank you so much for your support, we really appreciate your interest in our tutorials!

Have a nice day :)

Hi everyone !

I'm wondering if there's a way to add dynamic roles to a user outside the user class.

I have a CAS authentication. So I use a bundle (the prayno one). For now I updated a file inside the bundle to add dynamic roles. But I don't like manipulating bundles files.

So what I'm asking is : Is there a way to update the roles outside the authentication system and outside the CAS bundle ? I mean just after the Auth layer ? ... I guess I should use The "kernel.request" event, but how ?...

Thank's !

P. S. : Hi Ryan do you remember me ?... I promised to purchase a year subscription and guess what ? It's done :D...

Hey Julien,

Thank you for the kind words! Btw, we have a separate track for OOP if you're interested in it:
https://knpuniversity.com/t...

Cheers!

Thank you so much. I realized that the pb was not (only) a lack of understanding of symphony, but OOP in general... I have to work more and more. By the way your courses are so great... I spent hours and hours on reading, searching and following different courses... But yours are so well executed and make me feel less dumb :-)!!!

Hey Julien,

Let me a bit improve and probably simplify my original idea: if you want to be able to set only one single role for your users, then you don't need User::$roles property at all, you just need the User::$role field. So your User entity may looks like:

User
{
    // other properties...

    /**
     * @ORM\Column(type="string")
     */
    private $role;

    public function getRole()
    {
        return $this->role;
    }

    public function setRole($role)
    {
        $this->role = $role;
    }

    // You have to keep this method due to the UserInterface
    public function getRoles()
    {
        return [$this->role];
    }

    public function setRoles(array $roles)
    {
        throw new \Exception('You probably never need to call it, but UserInterface enforce you to have this method')
    }

    // other methods...
}

How does it looks like? I.e. you replace User::$roles property with User::$role one. And then in your form just add a normal field for this $role property, so you event don't need "mapped => false" now.

P.S. Sorry for misleading you in my first reply.

Cheers!

Hi Victor, tanks for the reply. Until I get your answer I used jquery. But I would like to use the virtual choice type method. But I can it make it... :-(
The roles column in the database is empty.
Where do I have to create the method? In the User entity or in the form?

Hey Julien,

There's a lot of ways to do it. If you're good at JavaScript, you could write a simple JS script which will allow you to select only one checkbox, i.e. reset all checkboxes except the latest. But probably there's another better solution: since UserInterface enforce you to have setRoles()/getRoles(), you can add a new "virtual" ChoiceType form field which name is "role", make it "mapped => false" and add User::setRole() method which will get a role string value, add it to an empty array and set this array to the $this->roles property overwriting the current role. The 3rd is more complex I think, but should work well too - choiceType with multiple false and create a Data Transformer for this field, which will convert single role string to an array and back: array with a single role to the single role string.

Cheers!

Hi, I would like to make the user select only one role. But with the choiceType with multiple false, it gives a string and then a nice error appears, as expected. Do you have a hint? Thx...
By the way as you can guess I'm a newbie

Thanks guys, is clear now :)

Hey Mounir,

Great! This's exactly the correct behavior. So ROLE_USER in this case is dynamicly added to all your users at runtime, even if they don't have any roles. It allows you do not worry about assigning default ROLE_USER to all your users. But if you add a different role to a user - it will be stored into the DB! So check if it works correctly by adding a new ROLE_ADMIN for the admin user, then persist() and flush() - you should see the only ROLE_ADMIN in database as we expected.

Cheers!

Sorry, i have just seen your reply.

Yes i do use MySQL dababase.

My getRoles() look like this:

public function getRoles()
{
$roles = $this->roles;

// give everyone ROLE_USER!
if ( !in_array('ROLE_USER', $roles) ) {
$roles[] = 'ROLE_USER';
}

return $roles;
}

I have no groups property in User class.

when i dump $roles in getRoles() i get ['ROLE_USER']
and when i dump $user->getRoles() in registerAction(), before persist method, i get ['ROLE_USER'].

But dumping $user in registerAction(), before persist method returns roles with empty array.

Thanks Victor!

Hey Mounir,

Check your setter/getter methods - maybe you just made a logic typo there. Also, try to debug roles before doing persist() and flush() with:

dump($user->getRoles());
die;
$em->persist($user);
$em->flush();

Or if you set roles only in data fixtures, try to dump the result array which your getter returns:

    public function getRoles()
    {
        $roles = [];
        
        // loop over some ManyToMany relation to a Group entity
        foreach ($this->groups as $group) {
            $roles = array_merge($roles, $group->getRoles());
        }
        
        dump($roles); die;
        return $roles;
    }

Btw, do you use MySQL database?

Cheers!

Hi Ryan/Victor,

I get an empty array in roles database column! help plz

I was surprised as well! And actually, I looked and there is an old issue about this: https://github.com/symfony/.... Our solution was also one posted there - so we were both thinking the right approach.

Cheers!

Hey Ryan,

Thanks for the reply - I've only just seen it now but I did implement pretty much exactly what you suggested in your second option!

I did find it a bit weird that this behaviour wasn't supported at all and to achieve it you have to go about it in a round about way - surely role management of users with instant effect is a wide spread need?! Other than that Guard has been excellent to work with.

Cheers,

Hey samdjstevens!

Yes, you understand things very well! For simplicity, I tell people that User::getRoles() is checked, but you're correct: this method is actually only called once on authentication. Those roles are then stored on the token, which is serialized from the session. The token is then deserialized from the session on each request, and those initial roles are used.

So, how can you change this? Honestly, it looks a bit tricky: it's just *not* the normal behavior of the token. But, I can see 2 paths:

1) Create your *own* token class (or extend whichever you're using now). Inside, override the setUser() method, and re-set the roles whenever this is called. setUser() is called at the beginning of the request and is passed the User object. So, it's a good spot to re-set the roles. But, you won't be able to extend AbstractToken anymore, because $roles is private - you'll need your own token. Also, depending on how you authenticate, overriding the token could be tricky - most of the time this is deep inside the authentication code. I think this would only be feasible if you're using Guard authentication, because then you can override the createAuthenticatedToken method (https://github.com/symfony/... to return a new token class.

2) Another option - arguably better - is to create a listener on kernel.request. Give it a priority of 7, so that it runs *right* after the Firewall listener (which refreshes your User from the database). Inside, fetch the currently-authenticated User, and use it to instantiate a brand *new* token. That new token will of course have the new roles. Then, set it manually on the security.token_storage service class with $tokenStorage->setToken($newToken). This should work, as long as you make the new token the same class as the original and give it all the same data (e.g. if you originally have a PostAuthenticatedGuardToken, then re-use this and pass it the same args https://github.com/symfony/....

Phew! Let me know if that helps! I'm a bit surprised it's that tough - your use-case makes good sense to me. It's possible I'm missing some built-in functionality, but I don't see it.

Cheers!

Hi Ryan/Victor,

I'm struggling with having the authenticated user's roles refreshed from the database on each page request. If I understand correctly, the roles are stored in the token, and that is what is checked against, (and not the return of the `getRoles()` method) on each page load.

I've tried setting the `always_authenticate_before_granting` config option to true but this did nothing, tried implementing the `EquatableInterface`, which again did nothing.

Any ideas on how I can have the user roles be refreshed from the database before any security checks are made?

Cheers,

Aaah to bad. Thanks for the reply. I'll make a bash script then :)

Hey Daan!

This "shouldn't" happen, because the command calculates the correct order that the tables should be truncated. But, it *can* happen if you have some circular relationships (e.g. two tables - or maybe a bigger loop - that each have foreign keys that point back to each other). One way to fix that - if it's appropriate for your app - is to add some @JoinColumn(onDelete="CASCADE") (or SET NULL) functionality, so that when items in one of those relationships is deleted, it cascades in the database.

But, if that's not really appropriate for your app (i.e. CASCADE would be potentially dangerous for that relationship in production), then you *will* need a workaround, as you suggested. There are no hook points that I know of, so I would recommend just making a simple shell script that runs all the commands for you (database:drop, database:create, migrations:migrate, fixtures:load).

Cheers!

He Ryan/Viktor,

A question regarding fixtures. ./bin/console doctrine:fixtures:load gives a fatal once i already have content, because of the foreign key constraints. This happens when it wants to truncate each table.

Is there a way to either:
1) set the order in which tables are truncated?
2) or to execute a query before it runs the purge()-command?

I know i can delete and recreate the entire database, but i find that a pretty lame workaround.

Kind Regards!

Hey Johan,

Nice notice, thanks! Actually, we require only the latest 2.5 version of doctrine ORM due to the next line in composer.json: "doctrine/orm": "^2.5". So Composer won't use 2.6 for this project even when it'll be available.

But I think we could add a note about it, I'll add it.

Cheers!

UPD: Note added in https://github.com/knpunive...

Just a small note: The "json_array" type is deprecated since Doctrine 2.6. You should use "json" instead.

Source: http://docs.doctrine-projec...

EDIT: I actually just tried to use "json" and it does not even work yet, it says the type is not recognized. I don't know :l

Hey Yang,

Let me help you. Yes, it's definitely possible! The UserInterface just enforce you to have authentication-related fields on an entity, that's it. So you can add whatever you need fields to the User entity besides UserInterface required fields, even some relation properties like ManyToMany, etc.

Yes, you're right! You wouldn't need to add these extra properties, but you could if it'll be useful for you, i.e. to build some complex join queries or just for convenience to get a collection of related entities.

Cheers!

Hi Ryan,

In my old blog system implemented with plain php, I had 3 tables for posts, comments and users. In post/comment-table theres a authorId column which points to an user. and in the user-table, infos like password and roles are stored. Now I want to rebuild this with symfony. So I would have post/comment entities, in post there will be a private $comment with OneToMany relation to the comment-entity and so on...
my question ist now about user, is it possible to make an "class User implement UserInterface", so I have access to all the authentication stuff, and at the same time, have ManyToOne-relation in post/comment entities point to the user? something like

/**
* @ORM\ManyToOne(targetEntity="AppBundle\Entity\User")
* @ORM\JoinColumn(nullable=false, onDelete="CASCADE")
*/
private $user;

Btw. I recall in the doctrine relationship tutorial, you said something about theres only ManyToOne or ManyToMany relationship. So I wouln't need to add extra properties like $comments or $posts in the user class?

Hey James,

In if statement you could check whether the current user has a role ROLE_ADMIN or the current user is owner (like in Ryan's example) - then allow access:

public function showAction($id)
{
  $user = // query for the User
  
  $this->denyAccessUnlessGranted('ROLE_ADMIN');

  if ($user != $this->getUser()) {
    throw $this->createAccessDeniedException('this is not your account!');
  }
}

Cheers!

Voters is it ! Thanks again! But if I still want admin to have access, how do I add the admin to the if statement? And is there some king of super admin for developers like you talked about in one of you tuto?

Thanks

Hi James!

I'm not 100% sure I'm going to answer what you're actually asking, but let me give it a shot - then you can tell me that I didn't fully understand your question if I miss :).

Giving each user a different role is cool, but it's still a "global" property - it helps to answer questions like "should the user have access to the blog admin area in general". But, roles can't be used for security that's based on an *object* - e.g. perhaps a user should have access to only the blog posts that *they* author. So, they will have access to edit *some* blog posts, but not others. Is this kind of what you're asking?

In short, there are 2 ways to solve this:

1) Manually (I don't often do this, but you'll see how simple it is). For example, suppose there is some url like /users/{id}, but I should only be able to see *my* page. Then, you might do this in the controller:


public function showAction($id)
{
$user = // query for the User

if ($user != $this->getUser)) {
throw $this->createAccessDeniedException('this is not your account!');
}
}


So, you can simply put whatever security logic you need in your controller and then deny access like this.

2) A better solution is to use voters: https://knpuniversity.com/s.... These are very similar to doing what I just did above, but you centralize your security logic so that you can more easily re-use it.

Does this help? Or did I totally answer the wrong question? :)

Cheers!

Just a quick one, if I add different users which have different accounts with their details and their favorites etc.. How would you protect each new users account. I would say dynamically but I am not sure how, maybe with their ID I suppose?

Thanks guys, is clear now :)

Regards,

Hey Richard!

Ah, that makes more sense :). Or, more specifically - you mean @Security("ROLE_ADMIN").

It's more or less perfectly equivalent. The ^/admin in the firewall causes some code to run that compares the URL and if matches, checks for ROLE_ADMIN. If you use @Security, it does the same thing - except instead of checking if the URL matches, it checks to see if that controller class is being executed on this request.

So it comes down to a matter or preference: do you like protecting by URL better? Or do you like to secure specific controller classes. It's nice to have both options :).

Cheers!

Hi Victor, sorry my bad, What I want to say, was, what is the different about using @Security(/admin) vs using in the firewall ^/admin.

Hmm. I was used to roles and permissions structure. I mean, used to have a roles table, permissions table, pivot tables between them, user could have roles but also a independent permissions and so on. I was using https://github.com/romanbic... with Laravel.

How this relates to Symfony? Do groups act as roles and roles become permissions in Symfony world? If a role represents a set of permissions, hard coded in my application (according to: http://stackoverflow.com/qu... ) how am I supposed to associate permissions with roles?

Hey Richard,

That's different things. The "@Route" annotation at the top of any controller class is just a prefix for all routes, which this controller has. It means, that if you have:

/**
 * @Route("/admin")
 */
 class GenusController
{
  /**
   * @Route("/genus")
   */
  public function indexAction()
  {
    // code here...
  }
}

so the `indexAction()` URL will be the "/admin/genus" (i.e. with "/admin" prefix) but not just the "/genus". That's it!

Firewall in turn allows you to configure who has access to a page.

Cheers!

Ryan, what would be the different doing the @Route(/admin) at the top of the controller vs using the firewall? And if in this case there are no different, what is the advantage of using on or other.

Thansk

Hi Andjii!

This error means one very specific thing: Symfony cannot find a route that matches the current URL. So, it definitely has nothing to do with your form or your controller: the problem is *definitely* your route.

Can you tell post your Route annotation code and also tell me what URL you're going to? Also, try running the "bin/console debug:router" command to see if your route shows up there.

Cheers!

I created class EditUserFormType which extends AbstractType, as in example. It is placed at "Form" folder. I added @Route with proper route, but no form got, only "No rout found". Where I've done mistake?