 

Symfony - Understanding super admin

I'm trying to understand something about Symfony and the "super admin".

When I use FOSUser to create a user with super admin privileges

php app/console fos:user:create adminuser --super-admin

I'd first like to know what this means (from the doc):

[...]Specifying the --super-admin option will flag the user as a super admin[...]

I imagine it means granting ROLE_SUPER_ADMIN to the user because I don't see any super-admin field in the user table.

Secondly, while (still from the doc)

A super admin has access to any part of your application

security:
    role_hierarchy:
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ...]

Why do we still need to configure the access hierarchy for it?

Pierre de LESPINAY asked Oct 30 '13 09:10


2 Answers

Looking at FOSUserBundle's code you will find that the CreateUserCommand, if invoked with the --super-admin flag, will call the UserManipulator with a boolean argument $superadmin=true.

Now the UserManipulator calls the UserManager, who will create a User object, call its setSuperAdmin() method and persist the new user afterwards.

The method looks as follows:

public function setSuperAdmin($boolean)
{
    if (true === $boolean) {
        $this->addRole(static::ROLE_SUPER_ADMIN);
    } else {
        $this->removeRole(static::ROLE_SUPER_ADMIN);
    }

    return $this;
}

So answering your first question:

Yes, the --super-admin flag causes FOSUserBundle to create a new user with the ROLE_SUPER_ADMIN role.

You still have to include the role hierarchy in your security configuration because the ROLE_SUPER_ADMIN role basically doesn't differ from any other role.

It's just a convention provided by the Symfony standard edition that users with role ROLE_SUPER_ADMIN should not have any access restrictions.

If you want the ROLE_SUPER_ADMIN to bypass all security voters by default - have a look at JMSSecurityExtraBundle's IddqdVoter which implements this for the special role ROLE_IDDQD. But this has already been suggested in your other question here.

Nicolai Fröhlich answered Nov 14 '22 14:11


By defining the hierarchy, you explicitly grant it the ROLE_ADMIN and ROLE_ALLOWED_TO_SWITCH roles (or other custom roles you could have).

If you comment out this line and try to access an action with a ROLE_ADMIN check using your ROLE_SUPER_ADMIN user, you will get a not-allowed error.

The ROLE_SUPER_ADMIN is just a convention for the name the super administrator role should have, but it does not have privileges on its own; you have to explicitly grant them to it.

jmoreno answered Nov 14 '22 14:11
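To make the point of both answers concrete, here is an added example (not code from the question, the answers, or Symfony/FOSUserBundle): a minimal stand-in for the transitive role expansion that Symfony's role_hierarchy performs, run once with the ROLE_SUPER_ADMIN line present and once with it commented out. The function names and the sample hierarchy are constructed for this illustration.

```php
<?php
// Added example: re-implements the reachable-role expansion that Symfony's
// role hierarchy performs, to show that --super-admin only stores the string
// ROLE_SUPER_ADMIN on the user and that every other privilege comes from
// security.role_hierarchy. Function names and sample data are constructed.

/**
 * Expand the user's roles through the hierarchy (breadth-first, with a
 * visited set so a mis-configured cycle cannot loop forever) and return
 * every role the user effectively holds.
 */
function reachableRoles(array $hierarchy, array $userRoles): array
{
    $reachable = [];
    $queue = $userRoles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($reachable[$role])) {
            continue; // already expanded
        }
        $reachable[$role] = true;
        foreach ($hierarchy[$role] ?? [] as $child) {
            $queue[] = $child;
        }
    }
    return array_keys($reachable);
}

/** The check an access_control rule or isGranted('ROLE_X') boils down to. */
function isGranted(array $hierarchy, array $userRoles, string $required): bool
{
    return in_array($required, reachableRoles($hierarchy, $userRoles), true);
}

// Hierarchy as in security.yml (constructed sample).
$withHierarchy = [
    'ROLE_ADMIN'       => ['ROLE_USER'],
    'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
];
// Same application with the ROLE_SUPER_ADMIN line commented out.
$withoutHierarchy = ['ROLE_ADMIN' => ['ROLE_USER']];

// All that fos:user:create --super-admin puts on the user.
$superAdmin = ['ROLE_SUPER_ADMIN'];

foreach (['ROLE_ADMIN', 'ROLE_USER', 'ROLE_ALLOWED_TO_SWITCH'] as $required) {
    printf("%-22s with hierarchy: %-5s without: %s\n", $required,
        var_export(isGranted($withHierarchy, $superAdmin, $required), true),
        var_export(isGranted($withoutHierarchy, $superAdmin, $required), true));
}
```

Without the hierarchy entry the super admin reaches only ROLE_SUPER_ADMIN itself, which is exactly the "not allowed" error jmoreno describes on a ROLE_ADMIN-protected action.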