symfony framework forum

[Erica Kirsch]

I need to add a new role ROLE_USER_X to the system that will get a little more permissions than a general ROLE_USER.
So in terms of permissions ROLE_USER < ROLE_USER_X < ROLE_ADMIN.

Somewhere in security.yml I write this

Code: Select all

    role_hierarchy:
        ROLE_USER_X: ROLE_USER
        ROLE_ADMIN: ROLE_USER_X


What I wanted to get from the hierarchy is $user->hasRole('ROLE_USER_X') to be true for admins. But it seems hasRole()/getRoles() only uses data from the entity, it completely ignores the hierarchy.

So what is the point of role_hierarchy and where it is used?

[tiagojsag]

Hi,

I don't know if hasRole ignores the hierarchy or not, but isGranted doesn't, and that's the main use for it:

Say you give a certain object write permissions to ROLE_USER_X. In that case, and with isGranted, a user with ROLE_ADMIN will be granted write permissions to that object.

Hope htis helps

cheers

[Erica Kirsch]

Say you give a certain object write permissions to ROLE_USER_X.

Thats not my case. I don't need ACLs, I only need to group users into two groups (ROLE_USER and ROLE_USER_X) and be able to check is it a general user or not

[dreipunktnull]

So what are you trying to achieve? Please provide some more info. The SecurityContext::isGranted() method @tiago posted is not only available in ACLs.

[tiagojsag]

I think the goal here is role based permissions, which don't actually require full ACL.
I think you can also use isGranted('ROLE_USER_X'). Try it

cheers

[dcobalt]

I think you can also use isGranted('ROLE_USER_X'). Try it

In my project I don't implement object-level ACL, only user roles, and I can confirm this works. That is, if a user has this role:

Code: Select all

ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

then for the purposes of twig's is_granted, the annotation @Secure, and the security.context service's isGranted method, querying for ROLE_ADMIN and the others will return true.

[Erica Kirsch]

Thanks for the tips, but isGranted is not eligible for me as it only works on the context (i.e. the currently logged user) while I'm working with "external" user entities.
Okay, I did what I needed without roles at all, custom logic only.

[dcobalt]

Yeah, sorry, I didn't catch on that. I just went through Symfony's Security component, and it all seems geared towards the context. I'm not seeing anything in there that could help with your situation, so I think you're stuck with slapping custom logic onto the user's stored roles.

Anyway, if you didn't find the service "security.role_hierarchy" yet, it has a method "getReachableRoles":

Code: Select all

/**
     * Returns an array of all roles reachable by the given ones.
     *
     * @param RoleInterface[] $roles An array of RoleInterface instances
     *
     * @return RoleInterface[] An array of RoleInterface instances
     */


It might be helpful. You can also override the security.role_hierarchy.class parameter to implement your own hierarchy class.