Roles hierarchy: what is it for?


Post by Erica Kirsch » Wed Dec 19, 2012 10:52 pm

I need to add a new role ROLE_USER_X to the system that will get a little more permissions than a general ROLE_USER.
So in terms of permissions ROLE_USER < ROLE_USER_X < ROLE_ADMIN.

Somewhere in security.yml I write this
Code:
    role_hierarchy:
        ROLE_USER_X: ROLE_USER
        ROLE_ADMIN: ROLE_USER_X


What I wanted to get from the hierarchy is $user->hasRole('ROLE_USER_X') to be true for admins. But it seems hasRole()/getRoles() only uses data from the entity, it completely ignores the hierarchy.

So what is the point of role_hierarchy and where is it used?
Erica Kirsch
Junior Member
 
Posts: 10
Joined: Wed Dec 19, 2012 10:29 pm

Re: Roles hierarchy: what is it for?

Post by tiagojsag » Thu Dec 20, 2012 12:43 am

Hi,

I don't know if hasRole ignores the hierarchy or not, but isGranted doesn't, and that's the main use for it:

Say you give a certain object write permissions to ROLE_USER_X. In that case, and with isGranted, a user with ROLE_ADMIN will be granted write permissions to that object.

Hope this helps

cheers
Tiago Garcia
@tiagojsag

Core Web Developer @ Shopware
http://www.shopware.de
tiagojsag
Faithful Member
 
Posts: 885
Joined: Wed Aug 10, 2011 4:58 pm

Re: Roles hierarchy: what is it for?

Post by Erica Kirsch » Thu Dec 20, 2012 8:04 am

tiagojsag wrote: Say you give a certain object write permissions to ROLE_USER_X.


That's not my case. I don't need ACLs, I only need to group users into two groups (ROLE_USER and ROLE_USER_X) and be able to check whether it is a general user or not.
Erica Kirsch
Junior Member
 
Posts: 10
Joined: Wed Dec 19, 2012 10:29 pm

Re: Roles hierarchy: what is it for?

Post by bjo3rn » Thu Dec 20, 2012 7:35 pm

So what are you trying to achieve? Please provide some more info. The SecurityContext::isGranted() method @tiago posted is not only available in ACLs.
bjo3rn
Faithful Member
 
Posts: 1244
Joined: Fri Jun 17, 2011 10:03 am
Location: Germany

Re: Roles hierarchy: what is it for?

Post by tiagojsag » Fri Dec 21, 2012 12:21 pm

I think the goal here is role based permissions, which don't actually require full ACL.
I think you can also use isGranted('ROLE_USER_X'). Try it.

cheers
Tiago Garcia
@tiagojsag

Core Web Developer @ Shopware
http://www.shopware.de
tiagojsag
Faithful Member
 
Posts: 885
Joined: Wed Aug 10, 2011 4:58 pm

Re: Roles hierarchy: what is it for?

Post by dcobalt » Fri Dec 21, 2012 3:55 pm

tiagojsag wrote: I think you can also use isGranted('ROLE_USER_X'). Try it


In my project I don't implement object-level ACL, only user roles, and I can confirm this works. That is, if a user has this role:

Code:
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]


then for the purposes of twig's is_granted, the annotation @Secure, and the security.context service's isGranted method, querying for ROLE_ADMIN and the others will return true.
dcobalt
Faithful Member
 
Posts: 283
Joined: Thu Oct 20, 2011 6:06 pm

Re: Roles hierarchy: what is it for?

Post by Erica Kirsch » Fri Dec 21, 2012 9:23 pm

Thanks for the tips, but isGranted is not eligible for me as it only works on the context (i.e. the currently logged-in user) while I'm working with "external" user entities.
Okay, I did what I needed without roles at all, custom logic only.
Erica Kirsch
Junior Member
 
Posts: 10
Joined: Wed Dec 19, 2012 10:29 pm

Re: Roles hierarchy: what is it for?

Post by dcobalt » Thu Dec 27, 2012 3:35 pm

Yeah, sorry, I didn't catch on to that. I just went through Symfony's Security component, and it all seems geared towards the context. I'm not seeing anything in there that could help with your situation, so I think you're stuck with slapping custom logic onto the user's stored roles.

Anyway, if you didn't find the service "security.role_hierarchy" yet, it has a method "getReachableRoles":

Code:
    /**
     * Returns an array of all roles reachable by the given ones.
     *
     * @param RoleInterface[] $roles An array of RoleInterface instances
     *
     * @return RoleInterface[] An array of RoleInterface instances
     */


It might be helpful. You can also override the security.role_hierarchy.class parameter to implement your own hierarchy class.
dcobalt
Faithful Member
 
Posts: 283
Joined: Thu Oct 20, 2011 6:06 pm
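
The thread's problem (checking a role on a user entity that is not the logged-in user, with the hierarchy applied) can be illustrated with a stand-alone resolver. This is an added example, not code from the thread and not Symfony's RoleHierarchy class; the function names reachableRoles and userHasRole are hypothetical, and the hierarchy array is the one from the first post.

```php
<?php
// Added example: stand-alone resolver, not Symfony's own implementation.
// $hierarchy mirrors the role_hierarchy map in security.yml (role => inherited roles).

/**
 * Expand stored roles into every role reachable through the hierarchy.
 *
 * @param string[] $storedRoles Roles saved on the user entity
 * @param array    $hierarchy   Map of role => role or list of roles it inherits
 *
 * @return string[] Stored roles plus all inherited ones, without duplicates
 */
function reachableRoles(array $storedRoles, array $hierarchy)
{
    $reachable = array();
    $queue = $storedRoles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($reachable[$role])) {
            continue; // already expanded; this also stops loops in a cyclic map
        }
        $reachable[$role] = true;
        if (isset($hierarchy[$role])) {
            // YAML allows a single role or a list on the right-hand side
            foreach ((array) $hierarchy[$role] as $child) {
                $queue[] = $child;
            }
        }
    }
    return array_keys($reachable);
}

/** Hierarchy-aware replacement for a plain check against the stored roles. */
function userHasRole(array $storedRoles, $role, array $hierarchy)
{
    return in_array($role, reachableRoles($storedRoles, $hierarchy), true);
}

// Constructed sample data: the hierarchy from the first post.
$hierarchy = array(
    'ROLE_USER_X' => 'ROLE_USER',
    'ROLE_ADMIN'  => 'ROLE_USER_X',
);
$admin = array('ROLE_ADMIN'); // roles as stored on an "external" user entity
$plain = array('ROLE_USER');

var_dump(userHasRole($admin, 'ROLE_USER_X', $hierarchy));
var_dump(userHasRole($plain, 'ROLE_USER_X', $hierarchy));
var_dump(reachableRoles($admin, $hierarchy));
```

Inside a Symfony 2 application the same expansion is available from the security.role_hierarchy service's getReachableRoles method mentioned above, which works on RoleInterface instances rather than plain strings.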

