如何在Symfony中构建角色层次结构

时间:2016-06-18 17:23:55

标签: symfony

我有这个role_hierarchy:

role_hierarchy:
    ROLE_USER:        [ROLE_EDITOR, ROLE_WEBSITE]
    ROLE_ADMIN:       ROLE_USER

然后

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }

非注册用户应该能够访问登录页面, 管理员应该使用注册页面(我只希望管理员能够添加新用户),注册用户(编辑或网站)应该看到主页(/)

现在,如果我是用户EDITOR,我用

保护资源
{% if is_granted('ROLE_WEBSITE') %}

我可以看到资源,但这不是我想要的。实际上在剖析器中我可以看到:

Roles   [ROLE_EDITOR, ROLE_USER]
Inherited Roles [ROLE_EDITOR, ROLE_WEBSITE]

因此编辑器用户继承了ROLE_WEBSITE角色。我该如何解决这个问题?

感谢 中号

完整的security.yml

security:
encoders:
    FOS\UserBundle\Model\UserInterface: bcrypt

role_hierarchy:
    ROLE_USER:        [ROLE_EDITOR, ROLE_WEBSITE]
    ROLE_ADMIN:       ROLE_USER

providers:
    fos_userbundle:
        id: fos_user.user_provider.username_email

firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_token_generator: security.csrf.token_manager

        logout:       true
        anonymous:    true
        guard:
            authenticators:
                - app.token_authenticator

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }

2 个答案:

答案 0 :(得分:0)

1st) Login to MySql (i.e. mysql -u uname -p where uname is user try 'root').

2nd) Run this SQL:

SELECT id,username,roles FROM fos_user;

This will display all the roles given to each user. Then you can see who has "ROLE_EDITOR" and "ROLE_WEBSITE". Then exit mysql.

Use the following (examples) to manage the particular users:

php bin/console fos:user:promote uname ROLE_EDITOR
php bin/console fos:user:demote uname ROLE_EDITOR

Then, since ROLE_EDITOR & ROLE_WEBSITE sounds like is should be below ROLE_USER, I think you need this change:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: ROLE_ADMIN }
    - { path: ^/, role: [ROLE_EDITOR,ROLE_WEBSITE] }

I think that might work. Try it. If not, maybe you can filter more based on path prefixes. Hope this helps.

答案 1 :(得分:0)

经过几次尝试,我解决了将heiriarchy改为

的问题
role_hierarchy:
    ROLE_USER:        ROLE_EDITOR
    ROLE_USER:        ROLE_WEBSITE
    ROLE_ADMIN:       ROLE_USER