Deny Access in the Controller
There are two main places where you can deny access. The first we just learned about: access_control in security.yaml:
```yaml
security:
    # ... lines 2 - 40
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
    # ... lines 43 - 44
```
It's simple - just a regular expression and a role. It's the best way to protect entire areas of your site, like everything under /admin with ROLE_ADMIN. Two things to keep in mind: the path is a regex matched against the request path (the ^ anchors it at the start, so ^/admin also covers /admin/comment), and the rules are checked in order with only the first matching rule applied, so list more specific paths before broader ones.
I do use access controls for things like that. But most of the time, I prefer to control access at a more granular level: right inside the controller. Open CommentAdminController.
To test this out - let's comment-out our access control:
```yaml
security:
    # ... lines 2 - 40
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
    # ... lines 43 - 44
```
Back in CommentAdminController, how can we deny access here? Simple: call $this->denyAccessUnlessGranted() and pass it a role: ROLE_ADMIN:
```php
// ... lines 1 - 10
class CommentAdminController extends Controller
{
    // ... lines 13 - 15
    public function index(CommentRepository $repository, Request $request, PaginatorInterface $paginator)
    {
        $this->denyAccessUnlessGranted('ROLE_ADMIN');
        // ... lines 19 - 32
    }
}
```
That's it. Move over and refresh!
Nice! Try changing it to ROLE_USER:
```php
// ... lines 1 - 10
class CommentAdminController extends Controller
{
    // ... lines 13 - 15
    public function index(CommentRepository $repository, Request $request, PaginatorInterface $paginator)
    {
        $this->denyAccessUnlessGranted('ROLE_USER');
        // ... lines 19 - 32
    }
}
```
Access granted! I love it!
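To see what denyAccessUnlessGranted() actually decides, here is an added example (not from the tutorial and not Symfony's own controller code) that wires up the same security-core pieces the framework uses behind its authorization checker: an AccessDecisionManager with the RoleVoter. It assumes a Symfony 4.3/4.4 install of symfony/security-core (the version this tutorial targets; the UsernamePasswordToken constructor signature changed in 5.4/6), a firewall named main, and two constructed tokens standing in for an admin and a plain user. It also shows the prefix gotcha a practitioner should know: the RoleVoter only votes on attributes that start with ROLE_, so a typo like 'ADMIN' makes every voter abstain and, with the default allow_if_all_abstain of false, denies everyone.

```php
<?php
// Added example (not from the tutorial). Reproduces the decision behind
// $this->denyAccessUnlessGranted() with symfony/security-core ^4.4.
// Assumptions: Symfony 4.3/4.4 API, a firewall called "main", and the
// constructed tokens below standing in for two logged-in users.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Only the RoleVoter is registered. It grants when the token carries the
// requested role, denies when the attribute starts with "ROLE_" but the
// token lacks it, and abstains for any attribute without that prefix.
$decisionManager = new AccessDecisionManager(
    [new RoleVoter()],
    AccessDecisionManager::STRATEGY_AFFIRMATIVE, // one GRANTED vote is enough
    false                                        // allowIfAllAbstainDecisions: all abstain => DENIED
);

// Constructed tokens (assumed users; "main" is the assumed firewall name).
// Roles are plain strings, exactly as they come back from User::getRoles().
$admin = new UsernamePasswordToken('admin@example.com', null, 'main', ['ROLE_USER', 'ROLE_ADMIN']);
$user  = new UsernamePasswordToken('user@example.com', null, 'main', ['ROLE_USER']);

// The equivalent of $this->denyAccessUnlessGranted($attribute) in a controller:
// ask the decision manager, and throw AccessDeniedException on a "no".
function denyAccessUnlessGranted(AccessDecisionManager $adm, TokenInterface $token, string $attribute): void
{
    if (!$adm->decide($token, [$attribute])) {
        throw new AccessDeniedException(sprintf('Access Denied: "%s" required.', $attribute));
    }
}

$checks = [
    [$admin, 'ROLE_ADMIN'], // admin on the admin page
    [$user,  'ROLE_ADMIN'], // plain user on the admin page
    [$user,  'ROLE_USER'],  // the tutorial's second experiment
    [$admin, 'ADMIN'],      // missing ROLE_ prefix: nobody gets in, not even the admin
];

foreach ($checks as [$token, $attribute]) {
    try {
        denyAccessUnlessGranted($decisionManager, $token, $attribute);
        printf("%-20s %-12s granted\n", $token->getUsername(), $attribute);
    } catch (AccessDeniedException $e) {
        printf("%-20s %-12s denied\n", $token->getUsername(), $attribute);
    }
}
```

Run it with php after composer require symfony/security-core:^4.4. The admin token passes the ROLE_ADMIN check and the user token does not, the user token passes ROLE_USER, and the 'ADMIN' attribute is denied for both because no voter claims it. In the real application, denyAccessUnlessGranted() on the base controller simply calls the security.authorization_checker service and throws AccessDeniedException; the firewall's exception listener then turns that into a 403 for an authenticated user, or a redirect to the login entry point for an anonymous one.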
IsGranted Annotation
But wait, there's more! As simple as this is, I like to use annotations. Check this out: delete the denyAccessUnlessGranted() code. Instead, above the method, add @IsGranted(): an annotation that comes from SensioFrameworkExtraBundle, the bundle we installed a long time ago via composer require annotations. In double quotes, pass ROLE_ADMIN:
```php
// ... lines 1 - 6
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
// ... lines 8 - 11
class CommentAdminController extends Controller
{
    /**
     // ... line 15
     * @IsGranted("ROLE_ADMIN")
     */
    public function index(CommentRepository $repository, Request $request, PaginatorInterface $paginator)
    {
        // ... lines 20 - 32
    }
}
```
Nice! Try it: refresh!
[Screenshot: Access Denied by controller annotation]
Pretty sweet. I know not everyone will love using annotations for this. So, if you don't love it, use the PHP version. No problem.
Protecting an Entire Controller Class
Oh, but the annotation does have one superpower. In addition to putting @IsGranted above a controller method, you can also put it above the controller class. Above CommentAdminController, add @IsGranted("ROLE_ADMIN"):
```php
// ... lines 1 - 6
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
// ... lines 8 - 11
/**
 * @IsGranted("ROLE_ADMIN")
 */
class CommentAdminController extends Controller
{
    // ... lines 17 - 35
}
```
Now every method inside this controller (which is only one right now) will require this role. When you refresh... yep! Same error. That is an awesome way to deny access, and it fails closed: any action added to this controller later is protected by default, instead of depending on someone remembering to add a check to it.
We know how to make sure a user has a role. But, how can we simply make sure a user is logged in, regardless of roles? Let's find out next - and - create our first admin users.
What does ROLE_ADMIN look like in the database role column? Is it literally a string called 'ROLE_ADMIN'? Or is ROLE_ADMIN a const somewhere?