Define roles in a bundle config

Tags:

symfony

I have some questions about roles that I've been trying to understand for a long time:

1. We have some bundles that we use in a couple of projects. We would like to define roles in a bundle config, so that we do not copy roles into the role_hierarchy in security.yml. Is there any clean way to do it?

My first idea was to import them into role_hierarchy like this:

role_hierarchy:
    ROLE_ADMIN:                             ROLE_USER, ROLE_TRANSLATOR
    ROLE_SUPER_ADMIN:                       ROLE_ADMIN
    ROLE_NOT_APPROVED_USER:                 ROLE_USER
    ROLE_TRANSLATOR:                        ROLE_USER
    "%base_bundle.role.hierarchy%"

This of course doesn't work. Is there any possibility to do it this way (merge arrays in YAML)?

My other idea was to store roles in DB, but in my opinion it's overkill, because we have no dynamic roles. Everything is static.

Is there any workaround to achieve what I try to do? Or is it a good idea to define it in a bundle?

2. I use roles as permissions (ROLE_POST_EDIT, ROLE_POST_DELETE, ...) and voters to deny or approve access to the resource. So in the end there are tons of roles. Is it a good idea to mix roles with permissions? If not, what is the best practice?

EDIT: I feel the difference between ROLE_POST_EDIT and ROLE_USER or ROLE_ADMIN. A user has ROLE_USER because he is a user. But a user has the "permission ROLE_EDIT_POST" to be able to edit a post. In my opinion there is a difference between them. Anyway, should I care about this difference, or is there any other practice for how to do this?

Tomsgu asked Dec 29 '16 09:12


1 Answer

  1. We have some bundles that we use in a couple of projects. We would like to define roles in a bundle config, so that we do not copy roles into the role_hierarchy in security.yml. Is there any clean way to do it?

You can use Prepended Extensions to "prepend" configuration of another extension:

use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;

class AcmeHelloExtension extends Extension implements PrependExtensionInterface
{
    // ...

    // Runs before the SecurityBundle configuration is processed, so the roles
    // declared here are merged into security.role_hierarchy of every project
    // that loads this bundle.
    public function prepend(ContainerBuilder $container)
    {
        $container->prependExtensionConfig('security', [
            'role_hierarchy' => [
                'ROLE_ADMIN' => ['ROLE_USER', 'ROLE_TRANSLATOR'], // values taken from the question
                // ...
            ],
        ]);
    }
}

  2. I use roles as permissions (ROLE_POST_EDIT, ROLE_POST_DELETE, ...) and voters to deny or approve access to the resource. So in the end there are tons of roles. Is it a good idea to mix roles with permissions? If not, what is the best practice?

A small confusion here: the roles you define with role_hierarchy are not related to the things you pass to isGranted(). You're passing attributes to isGranted(). Unfortunately, for the RoleHierarchyVoter, Symfony decided to make the attributes similar to the role name (that is, if the role name starts with ROLE_).

Voters vote on permissions, or attributes as they are called. So it's perfectly valid and good practice to have many permissions in isGranted().

However, I recommend not to start them with ROLE_*. These attributes are checked by the RoleVoter/RoleHierarchyVoter. Name them e.g. POST_EDIT, POST_DELETE:

if ($this->isGranted('POST_EDIT', $post)) {
    // ...
}
Wouter J answered Oct 12 '22 13:10
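As an added example (not the asker's or the answerer's code), here is a voter for the POST_EDIT / POST_DELETE attributes the answer recommends. It shows the split the answer describes: the voter owns the non-ROLE_ attributes and abstains on everything else, while the ROLE_ADMIN check inside it is resolved through role_hierarchy (including a bundle-prepended one). It assumes Symfony 6+ on PHP 8 and an application class App\Entity\Post with a getAuthor() method, neither of which is on the page.

```php
<?php
namespace App\Security;

use App\Entity\Post; // assumed application entity with getAuthor()
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class PostVoter extends Voter
{
    // Attributes, not roles: no ROLE_ prefix, so RoleVoter/RoleHierarchyVoter ignore them.
    public const EDIT = 'POST_EDIT';
    public const DELETE = 'POST_DELETE';

    public function __construct(private readonly AccessDecisionManagerInterface $decisionManager)
    {
    }

    // Claim only our own attributes on a Post; anything else yields ACCESS_ABSTAIN,
    // leaving ROLE_* attributes to the RoleHierarchyVoter.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, [self::EDIT, self::DELETE], true) && $subject instanceof Post;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // unauthenticated: deny
        }

        // ROLE_ADMIN is a role, so it is decided via role_hierarchy (e.g. a prepended
        // bundle hierarchy granting ROLE_SUPER_ADMIN -> ROLE_ADMIN), not by this voter.
        if ($this->decisionManager->decide($token, ['ROLE_ADMIN'])) {
            return true;
        }

        /** @var Post $subject */
        return match ($attribute) {
            self::EDIT => $subject->getAuthor() === $user, // authors may edit their own posts
            self::DELETE => false,                          // deletion is admin-only (handled above)
        };
    }
}
```

With this in place, the controller check from the answer, $this->isGranted('POST_EDIT', $post), is routed to this voter, while $this->isGranted('ROLE_ADMIN') still walks the hierarchy.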