So, this is my security.yml
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_CLINICIAN: ROLE_USER
        ROLE_ADMIN: ROLE_CLINICIAN
        ROLE_OWNER: ROLE_ADMIN
        ROLE_SUPER_ADMIN: ROLE_OWNER

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager
            logout: true
            anonymous: ~

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /, roles: ROLE_USER }
        - { path: ^/, roles: ROLE_ADMIN }
        - { path: ^/api, roles: ROLE_OWNER }
        - { path: ^/api, roles: ROLE_SUPER_ADMIN }
        - { path: ^/api/clinics, roles: ROLE_CLINICIAN }
```
I should have a role hierarchy like this:
ROLE_CLINICIAN
|
ROLE_ADMIN
|
ROLE_OWNER
|
ROLE_SUPER_ADMIN
but Symfony ignores it. Now I want ROLE_CLINICIAN to be able to access only the `path: ^/api/clinics` page, but this role can still access every page.
Answer 0 (score: 0)
This is the working solution:
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN: ROLE_CLINICIAN
        ROLE_OWNER: ROLE_ADMIN
        ROLE_SUPER_ADMIN: ROLE_OWNER

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager
            logout:
                path: fos_user_security_logout
                target: fos_user_security_login
            anonymous: ~

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/clients, roles: ROLE_CLINICIAN }
        - { path: ^/api, roles: ROLE_SUPER_ADMIN }
        - { path: ^/api, roles: ROLE_OWNER }
        - { path: ^/#/, roles: ROLE_USER }
```
The path `^/` allows access to every page in my app, so every parent of ROLE_USER can access every page no matter what. But http://symfony.com/doc/current/cookbook/security/access_control.html says "Remember, the first rule that matches is used", so the trick is to put `- { path: ^/#/, roles: ROLE_USER }` at the end of the list.
Answer 1 (score: 0)
Access control rules are evaluated from top to bottom. The first access control rule that matches wins. In your example this means the last four rules are never considered. Since the ROLE_CLINICIAN role includes the ROLE_USER role, your users will always be granted access.
You can read more about how access control rules are evaluated in the documentation.
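The first-match rule that both answers rely on, replayed in a small Python emulation. This is an added example, not Symfony code and not from either answer: it takes the question's `access_control` list and a reordered one, expands the role hierarchy transitively (as Symfony's RoleHierarchy does), and applies the first entry whose path regex matches, unanchored, against the request path (as Symfony's RequestMatcher does, which is why an entry of `path: /` matches every request). The reordered list is an assumption about the intended policy (clinicians on `^/api/clinics` only, owners on the rest of `^/api`, admins elsewhere), and `/dashboard` and `/api/patients` are constructed sample paths. One caveat the emulation also shows: a browser never sends the URL fragment, so a request for `/#/anything` reaches the server as `/`, and a pattern such as `^/#/` does not match it.

```python
import re

# Constructed from the question's role_hierarchy: a role maps to the roles it includes.
ROLE_HIERARCHY = {
    "ROLE_CLINICIAN": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_CLINICIAN"],
    "ROLE_OWNER": ["ROLE_ADMIN"],
    "ROLE_SUPER_ADMIN": ["ROLE_OWNER"],
}

# access_control as posted in the question: (path regex, required roles).
# The third entry is unanchored, so it matches every request path.
ORIGINAL_RULES = [
    (r"^/login$", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/resetting", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"/", ["ROLE_USER"]),
    (r"^/", ["ROLE_ADMIN"]),
    (r"^/api", ["ROLE_OWNER"]),
    (r"^/api", ["ROLE_SUPER_ADMIN"]),
    (r"^/api/clinics", ["ROLE_CLINICIAN"]),
]

# Assumed intended policy: most specific path first, catch-all last.
REORDERED_RULES = [
    (r"^/login$", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/resetting", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/api/clinics", ["ROLE_CLINICIAN"]),
    (r"^/api", ["ROLE_OWNER"]),
    (r"^/", ["ROLE_ADMIN"]),
]


def reachable_roles(roles, hierarchy=ROLE_HIERARCHY):
    """Expand the user's roles through the hierarchy, transitively."""
    result = set(roles)
    stack = list(roles)
    while stack:
        for child in hierarchy.get(stack.pop(), []):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def first_matching_rule(rules, path):
    """Return (index, pattern, required roles) of the first rule whose regex matches the path.

    The regex is searched, not anchored, mirroring Symfony's preg_match on the path info."""
    for index, (pattern, required) in enumerate(rules):
        if re.search(pattern, path):
            return index, pattern, required
    return None


def is_granted(rules, path, user_roles):
    """Emulate access_control: True/False from the first matching rule,
    or None when no rule matches (access_control then imposes no restriction)."""
    match = first_matching_rule(rules, path)
    if match is None:
        return None
    _, _, required = match
    if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return True
    return bool(set(required) & reachable_roles(user_roles))


if __name__ == "__main__":
    # Constructed sample requests: a clinician browsing three paths under each rule set.
    for label, rules in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        for path in ("/api/clinics", "/api/patients", "/dashboard"):
            match = first_matching_rule(rules, path)
            decision = is_granted(rules, path, ["ROLE_CLINICIAN"])
            print(f"{label:9} {path:14} rule={match[1] if match else None!s:14} granted={decision}")
```

Running it shows the failure mode from the question: under the original list every path, including `/dashboard`, is decided by the `/` rule, which only requires ROLE_USER, a role every clinician includes. Under the reordered list a clinician is granted `/api/clinics` and refused `/api/patients` and `/dashboard`, while an owner, who inherits ROLE_ADMIN and ROLE_CLINICIAN, is granted all three. Also note that the emulation returns None for a request that no rule matches, which is what a rule such as `^/#/` leaves you with for `/`: the firewall still authenticates, but `access_control` itself then denies nothing.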