I am setting up a SonataAdmin-based system for a project that uses SonataUserBundle.
I have a model set up that extends AbstractAdmin for CRUD operations, reachable from the navigation menu. From there, as super admin, I can list, create, edit and delete items. Perfect!
My goal is to use the same SonataAdmin portal for "subscribed" users, but with restricted access: they should only be able to list items. However, I am a bit lost as to how to configure the Symfony / Sonata / FOSUser security and firewall rules behind the scenes to achieve this.
My app/config/security.yml looks like this.
security:
    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        SONATA:
            # - ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented

    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    acl:
        provider: mongodb_acl_provider

    # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
        hwi:
            id: sonata_oauth2_login.user.provider

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        admin:
            # #pattern: /admin(.*) #REMOVE THIS LINE IF YOU ARE USING SONATA ADMIN
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /portal/login
                use_forward: false
                check_path: /portal/login_check
                failure_path: null
                always_use_default_target_path: false
                default_target_path: /portal/dashboard
            logout:
                path: /portal/logout
                target: /portal/login
            anonymous: true
            oauth:
                resource_owners:
                    google: "/login/check-google"
                    facebook: "/login/check-facebook"
                login_path: /portal/login # For Sonata Admin
                use_forward: false
                default_target_path: /portal/dashboard # For Sonata Admin
                failure_path: /portal/login # For Sonata Admin
                oauth_user_provider:
                    service: sonata_oauth2_login.user.provider

    access_control:
        # Admin login page needs to be accessed without credential
        - { path: ^/portal/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/portal/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_SONATA_USER] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }

services:
    mongodb_acl_provider:
        parent: doctrine_mongodb.odm.security.acl.provider
This is my sonata_admin configuration in config.yml:
sonata_admin:
    title: BLAHBLAH
    options:
        title_mode: single_text
    templates:
        list: AppBundle:CRUD:list.html.twig
        base_list_field: AppBundle:CRUD:base_list_field.html.twig
        layout: AppBundle::standard_layout.html.twig
    security:
        handler: sonata.admin.security.handler.acl
        # handler: sonata.admin.security.handler.role
        role_admin: ROLE_ADMIN
        role_super_admin: ROLE_SUPER_ADMIN

        # acl security information
        information:
            GUEST:  [VIEW, LIST]
            STAFF:  [EDIT, LIST, CREATE]
            EDITOR: [OPERATOR, EXPORT]
            ADMIN:  [MASTER]
        # permissions not related to an object instance and also to be available when objects do not exist
        # the DELETE admin permission means the user is allowed to batch delete objects
        admin_permissions: [CREATE, LIST, DELETE, UNDELETE, EXPORT, OPERATOR, MASTER]
        # permission related to the objects
        object_permissions: [VIEW, EDIT, DELETE, UNDELETE, OPERATOR, MASTER, OWNER]
Now, with this configuration, I can (as super admin) edit a user and, through the ACL settings, grant an individual user access to edit their own profile, like so:
There is nothing in the user's role settings......
I have followed the instructions I could find for setting up security with SonataUserBundle, but I am missing some understanding somewhere along the way.
In short, all users will use the same admin portal. Admins can create new users, products, etc. "Regular" users should be able to edit their own profile and "view" products, from admin classes extending AbstractAdmin, by clicking the links in the left-hand menu.
I feel like I am wandering around in the Symfony security world, now with FOSUserBundle & SonataUserBundle thrown into the mix. :(
This is my first post, so please forgive me if I have missed anything important. I will do my best to fill in any details, and thank you for taking the time to look at my predicament!
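As an added example (not part of the question above and not Sonata's own documentation), here is one way to get the "subscribers may only list" behaviour with Sonata's role security handler instead of the ACL handler. It assumes the product admin service is registered as `app.admin.product` and that subscribers carry a hypothetical `ROLE_SUBSCRIBER`; both names are assumptions. The role handler derives its role names from the admin code (uppercased, dots replaced by underscores, suffixed with the action), so `app.admin.product` yields `ROLE_APP_ADMIN_PRODUCT_LIST`, `ROLE_APP_ADMIN_PRODUCT_VIEW`, `ROLE_APP_ADMIN_PRODUCT_EDIT`, and `ROLE_APP_ADMIN_PRODUCT_ALL` for every action.

```yaml
# app/config/security.yml (added example; assumes admin service id app.admin.product)
security:
    role_hierarchy:
        # Subscribers may enter the portal and only list/view products.
        # ROLE_SUBSCRIBER is an assumed application role, not a Sonata one.
        ROLE_SUBSCRIBER:
            - ROLE_USER
            - ROLE_SONATA_USER
            - ROLE_APP_ADMIN_PRODUCT_LIST
            - ROLE_APP_ADMIN_PRODUCT_VIEW
        # Staff get every action on the product admin through the _ALL role.
        ROLE_ADMIN:       [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_APP_ADMIN_PRODUCT_ALL]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    access_control:
        - { path: ^/portal/login$,       role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/logout$,      role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/portal/resetting,    role: IS_AUTHENTICATED_ANONYMOUSLY }
        # A list of roles here is an OR: holding any one of them opens the portal.
        # Per-admin, per-action decisions are then made by the security handler.
        - { path: ^/portal/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_SONATA_USER] }
        - { path: ^/.*,      role: IS_AUTHENTICATED_ANONYMOUSLY }

# app/config/config.yml
sonata_admin:
    security:
        # Route-level roles only; no ACL tables or setup-acl command needed.
        handler: sonata.admin.security.handler.role
        role_admin: ROLE_ADMIN
        role_super_admin: ROLE_SUPER_ADMIN
```

With this in place, assign `ROLE_SUBSCRIBER` to the subscribed users; the `access_control` entry for `^/portal/` is satisfied by `ROLE_SONATA_USER`, and the role handler then grants only the LIST and VIEW actions on the product admin, so the create, edit and delete routes are refused server-side rather than merely hidden from the menu. If you stay with the ACL handler already configured in the question, the equivalent is to give subscribers `ROLE_APP_ADMIN_PRODUCT_GUEST`, which the `information` block maps to `[VIEW, LIST]` once the class ACLs have been installed with `sonata:admin:setup-acl`.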