FOSUserBundle and ACL Business Role

Question

I started to learn Symfony 2 this weekend. I faced no problem, as the framework is well documented in my opinion.

I'm using FOSUserBundle package for ACL. I'm wondering if it's possible to make it similar to Yii framework:

$bizRule='return Yii::app()->user->id==$params["post"]->authID;';
$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
$task->addChild('updatePost');

You may see all details on the snippet above.

How can I achieve something similar with Symfony 2? Is this possible?

Answer 1

Symfony2 has an ACL system out of the box that will do this. I'm including the relevant code for the sake of completeness (modified for Post instead of Comment as is in the documentation):

public function addPostAction()
{
    $post = new Post();

    // setup $form, and bind data
    // ...

    if ($form->isValid()) {
        $entityManager = $this->get('doctrine.orm.default_entity_manager');
        $entityManager->persist($post);
        $entityManager->flush();

        // creating the ACL
        $aclProvider = $this->get('security.acl.provider');
        $objectIdentity = ObjectIdentity::fromDomainObject($post);
        $acl = $aclProvider->createAcl($objectIdentity);

        // retrieving the security identity of the currently logged-in user
        $securityContext = $this->get('security.context');
        $user = $securityContext->getToken()->getUser();
        $securityIdentity = UserSecurityIdentity::fromAccount($user);

        // grant owner access
        $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
        $aclProvider->updateAcl($acl);
    }
}

Essentially, you're giving the currently logged in user ownership of the Post entity (which includes edit permissions). And then to check if the current user has permission to edit:

public function editPostAction(Post $post)
{
    $securityContext = $this->get('security.context');

    // check for edit access
    if (false === $securityContext->isGranted('EDIT', $post))
    {
        throw new AccessDeniedException();
    }

    // retrieve actual post object, and do your editing here
    // ...
}

I highly recommend that you read through both the Access Control List and Advanced ACL Concepts cookbook recipes for more information. The actual creation of ACLs as shown above is extremely verbose, and I have been working on an open-source ACL manager to ease the pain... it "kind of works;" it's early beta and needs a lot of love, so use at your own risk.