@Security("is_granted('remove', user)") does not use the request user, Symfony2

Time: 2017-05-31 12:36:38

Tags: symfony security symfony-2.8

When I use the annotation @Security("is_granted('remove', user)"), I get the wrong user in the Voter:

/**
 * Delete User by ID
 *
 * @Rest\Delete("/{id}", name="delete_user")
 * @Security("is_granted('remove', user)")
 * 
 * @ApiDoc(
 *  section="5. Users",
 *  resource=true,
 *  description="Delete User",
 *  headers={
 *     {
 *      "name"="Authorization: Bearer [ACCESS_TOKEN]",
 *      "description"="Authorization key",
 *      "required"=true
 *     }
 *  },
 *  requirements={
 *      {
 *          "name"="id",
 *          "dataType"="string",
 *          "requirement"="\[a-z\-]+",
 *          "description"="Id of the object to receive"
 *      }
 *  },
 *  output="Status"
 * )
 *
 * @param User $user
 * @return Response
 */
public function deleteAction(User $user)
{
    //$this->denyAccessUnlessGranted('remove', $user);
    $em = $this->getDoctrine()->getManager();
    $em->remove($user);
    $em->flush();

    $view = $this->view('Success deleted', Response::HTTP_NO_CONTENT);
    return $this->handleView($view);
}

But if I use the call $this->denyAccessUnlessGranted('remove', $user); in the method body instead, it works fine. Help me understand...

Configuration:

services:
    user.user_voter:
        class: OD\UserBundle\Security\UserVoter
        arguments: ['@security.access.decision_manager']
        public: false
        tags:
            - { name: security.voter }

Voter:

namespace OD\UserBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

use OD\UserBundle\Entity\User;

class UserVoter extends Voter
{
    const VIEW = 'view';
    const EDIT = 'edit';
    const REMOVE = 'remove';

    protected function supports($attribute, $subject)
    {
        # if the attribute isn't one we support, return false
        if (!in_array($attribute, array(self::VIEW, self::EDIT, self::REMOVE))) {
            return false;
        }

        # only vote on User objects inside this voter
        if (!$subject instanceof User) {
            return false;
        }

        return true;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();

        if (!$user instanceof User) {
            # the user must be logged in; if not, deny access
            return false;
        }

        switch ($attribute) {
            case self::VIEW:
                return $this->canView($subject, $user);
            case self::EDIT:
                return $this->canEdit($subject, $user);
            case self::REMOVE:
                return $this->canRemove($subject, $user);
        }

        throw new \LogicException('This code should not be reached!');
    }

    private function canView(User $subject, User $user)
    {
        if ($subject->getId() === $user->getId()) {
            return true;
        }

        return false;
    }

    private function canEdit(User $subject, User $user)
    {
        if ($subject->getId() === $user->getId()) {
            return true;
        }

        return false;
    }

    private function canRemove(User $subject, User $user)
    {
        if ($subject->getId() === $user->getId()) {
            return true;
        }

        return false;
    }
}

1 answer:

Answer 0 (score: 0)

 * @Security("is_granted('remove', removingUser)")
 * @param User $removingUser
 * @return Response
 */
public function deleteAction(User $removingUser)

This code works fine. I haven't found confirmation, but it seems `user` is reserved for the current user.
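To make the failure mode concrete, here is an added stand-alone PHP sketch (not code from the question or from Symfony) that models how the SensioFrameworkExtraBundle security listener assembles the expression variables: the built-in names such as `user` (the token's user) are merged on top of the request attributes, so a route parameter also called `user` is shadowed, and the voter ends up being asked whether the current user may remove themselves, which the `canRemove()` above always answers yes. The class and function names below are constructed for the illustration.

```php
<?php
// Added illustration: a minimal model of the @Security expression variables.
// Nothing here depends on Symfony; names are constructed for the example.

final class User
{
    public function __construct(private int $id) {}
    public function getId(): int { return $this->id; }
}

// Mirrors the voter's canRemove(): only the account itself may be removed.
function canRemove(User $subject, User $currentUser): bool
{
    return $subject->getId() === $currentUser->getId();
}

// Models the listener's variable assembly: request attributes first, built-in
// variables merged on top, so a built-in name shadows a same-named route param.
function expressionVariables(array $requestAttributes, User $tokenUser): array
{
    $builtIn = ['user' => $tokenUser];
    return array_merge($requestAttributes, $builtIn);
}

// Models is_granted('remove', <variable>) for a given expression variable name.
function isGrantedRemove(array $vars, string $variableName, User $tokenUser): bool
{
    return canRemove($vars[$variableName], $tokenUser);
}

$me     = new User(1);   // the authenticated account (token user)
$victim = new User(42);  // the account named in the URL, e.g. DELETE /users/42

// Controller signature deleteAction(User $user): the route param is named "user".
$vars = expressionVariables(['user' => $victim], $me);
assert($vars['user'] === $me);                  // route param shadowed by token user
assert(isGrantedRemove($vars, 'user', $me));    // self-check passes, account 42 gets deleted

// Controller signature deleteAction(User $removingUser): no name collision.
$vars = expressionVariables(['removingUser' => $victim], $me);
assert(!isGrantedRemove($vars, 'removingUser', $me)); // denied, as the voter intends
echo "variable resolution checks passed\n";
```

Any parameter name that is not one of the listener's built-in variables avoids the collision; the in-body `denyAccessUnlessGranted('remove', $user)` call works because `$user` there is the PHP method argument, not the expression variable.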