I have a list of roles that inherit from one another. If I assign a user a specific role there is no problem, but if I assign a role higher up in the hierarchy, the inherited roles are not picked up and the user gets an access denied error.
Roles:
ROLE_USER: []
ROLE_MEMBER: [ROLE_USER]
ROLE_ADMIN: [ROLE_MEMBER]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
Access:
- { path: ^/login$, roles: [IS_AUTHENTICATED_ANONYMOUSLY], anon: true, methods: [GET] }
- { path: ^/logout$, roles: [IS_AUTHENTICATED_ANONYMOUSLY], anon: true, methods: [GET] }
- { path: ^/admin, roles: [ROLE_ADMIN], anon: false, methods: [GET, POST, PUT, DELETE, HEAD, LINK, UNLINK, PATCH] }
From the Profiler (after logging in and requesting /admin):
Method GET HTTP Status 403 IP ###.##.##.## Profiled on Wed, 19 Jul 2017 19:27:00 +0000 Token #####
Roles
[
    "ROLE_SUPER_ADMIN"
    "ROLE_USER"
]
Inherited Roles
[
    "ROLE_ALLOWED_TO_SWITCH"
    "ROLE_ADMIN"
    "ROLE_MEMBER"
    "ROLE_USER"
]
FOSUser config:
fos_user:
    db_driver: orm
    firewall_name: main
    user_class: CoreSys\CoreBundle\Entity\User
    use_listener: true
    from_email:
        address: webmaster@domain.com
        sender_name: admin
// security.yml
...
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        form_login:
            provider: fos_userbundle
            csrf_token_generator: security.csrf.token_manager
            use_forward: true
            use_referer: true
            always_use_default_target_path: false
            default_target_path: /
        logout: true
        anonymous: true
Edit: I guess I should mention that my roles/access rules live in the database and are controlled by a helper file in app/config, then injected into the security layer through a compiler pass. The role/access object seems to need it as an array rather than a string.
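Added example, not code from the post and not Symfony's or FOSUserBundle's own implementation: a small Python model of how a role hierarchy and access_control rules combine, using the roles and rules from the post as constructed input. It resolves the hierarchy into the set of reachable roles, applies the first rule whose path and method match, and reproduces the string-vs-array pitfall the edit mentions: a hierarchy value that a database loader hands over as a bare string must be wrapped in a list before it is iterated, otherwise the resolver sees single characters instead of a role name and inheritance silently resolves to nothing. All function and variable names here are my own, and `DB_HIERARCHY` is a constructed guess at what a string-valued loader would produce.

```python
import re
from typing import Dict, List, Optional, Sequence, Union

# A hierarchy or access-rule value may be a list (security.yml) or, when it
# comes out of a database column, a bare string. Both shapes are accepted.
RoleValue = Union[str, Sequence[str], None]
ANONYMOUS = "IS_AUTHENTICATED_ANONYMOUSLY"


def as_list(value: RoleValue) -> List[str]:
    """Normalise a role value to a list of role names. A bare string is wrapped,
    never iterated: iterating "ROLE_ADMIN" would yield its characters."""
    if value is None or value == "":
        return []
    return [value] if isinstance(value, str) else list(value)


def naive_inherited(hierarchy: Dict[str, RoleValue], role: str) -> List[str]:
    """What a resolver sees if it trusts the raw value to be iterable (the bug)."""
    return list(hierarchy.get(role) or [])


def build_role_map(hierarchy: Dict[str, RoleValue]) -> Dict[str, List[str]]:
    """Transitive closure: role -> every role it inherits, directly or not.
    Breadth-first walk with a visited set, so a cyclic hierarchy terminates."""
    role_map: Dict[str, List[str]] = {}
    for main, direct in hierarchy.items():
        reachable: List[str] = []
        pending, seen = as_list(direct), set()
        while pending:
            role = pending.pop(0)
            if role in seen:
                continue
            seen.add(role)
            reachable.append(role)
            pending.extend(as_list(hierarchy.get(role)))
        role_map[main] = reachable
    return role_map


def reachable_roles(role_map: Dict[str, List[str]], user_roles: RoleValue) -> List[str]:
    """The user's own roles plus everything the hierarchy grants, deduplicated."""
    out: List[str] = []
    for role in as_list(user_roles):
        for r in [role, *role_map.get(role, [])]:
            if r not in out:
                out.append(r)
    return out


def matching_rule(access_control: List[dict], path: str, method: str) -> Optional[dict]:
    """First rule whose path regex and optional method list match, else None."""
    for rule in access_control:
        if not re.search(rule["path"], path):
            continue
        methods = [m.upper() for m in as_list(rule.get("methods"))]
        if methods and method.upper() not in methods:
            continue
        return rule
    return None


def decide(hierarchy, access_control, user_roles, path, method="GET") -> int:
    """Status the access check would produce: 200 allowed, 403 denied."""
    rule = matching_rule(access_control, path, method)
    if rule is None:
        return 200  # no rule matched: access_control imposes nothing here
    required = as_list(rule["roles"])
    if ANONYMOUS in required:
        return 200
    granted = reachable_roles(build_role_map(hierarchy), user_roles)
    return 200 if any(r in granted for r in required) else 403


# Constructed sample input, copied from the post's roles and access rules.
HIERARCHY = {
    "ROLE_USER": [],
    "ROLE_MEMBER": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_MEMBER"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}
ACCESS_CONTROL = [
    {"path": r"^/login$", "roles": [ANONYMOUS], "methods": ["GET"]},
    {"path": r"^/logout$", "roles": [ANONYMOUS], "methods": ["GET"]},
    {"path": r"^/admin", "roles": ["ROLE_ADMIN"],
     "methods": ["GET", "POST", "PUT", "DELETE", "HEAD", "LINK", "UNLINK", "PATCH"]},
]
# Constructed: the same chain as a database loader might hand it over, with
# each inherited role as a single string instead of a one-element list.
DB_HIERARCHY = {
    "ROLE_USER": "",
    "ROLE_MEMBER": "ROLE_USER",
    "ROLE_ADMIN": "ROLE_MEMBER",
    "ROLE_SUPER_ADMIN": "ROLE_ADMIN",
}

if __name__ == "__main__":
    print(reachable_roles(build_role_map(HIERARCHY), ["ROLE_SUPER_ADMIN", "ROLE_USER"]))
    print(decide(HIERARCHY, ACCESS_CONTROL, ["ROLE_SUPER_ADMIN", "ROLE_USER"], "/admin"))
    print(naive_inherited(DB_HIERARCHY, "ROLE_SUPER_ADMIN"))  # characters, not a role
    print(build_role_map(DB_HIERARCHY)["ROLE_SUPER_ADMIN"])  # normalised: whole chain
```

Two things worth checking against your own setup. First, `^/admin` requires `ROLE_ADMIN`, so a `ROLE_SUPER_ADMIN` user passes only if the hierarchy actually expands; if the loader passes `"ROLE_ADMIN"` as a string and the resolver iterates it, the expansion is empty and the result is the 403 from the profiler. Second, a rule with a `methods` list does not match other methods at all, so a request with an unlisted method falls through with no access_control restriction rather than being denied; that is easy to misread as "inheritance works for that verb".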