I'm trying to create a custom voter to check access on entities for specific actions. So the logic for that is working fine. But then I have some actions that are allowed if the user is either the "owner" of that entity, or they are an admin.
However, I can't just check the ROLE of the user because I'm looking at the role hierarchy. The example in the docs for this just uses in_array
, but that won't work (http://symfony.com/doc/current/best_practices/security.html)
My voter is like this (shortened for clarity). I've tried injecting the security context (or specifically AuthorizationCheckerInterface in 2.6), but that has a circular dependency since this is a voter.
<?php
// ...
class ApplicationVoter extends AbstractVoter
{
const VIEW = 'view';
/**
* @var AuthorizationCheckerInterface
*/
private $security;
/*public function __construct(AuthorizationCheckerInterface $security)
{
$this->security = $security;
}*/
/**
* {@inheritdoc}
*/
protected function getSupportedAttributes()
{
return array(
self::VIEW
);
}
/**
* {@inheritdoc}
*/
protected function getSupportedClasses()
{
return array('Study\MainBundle\Entity\Application');
}
/**
* {@inheritdoc}
*/
protected function isGranted($attribute, $application, $user = null)
{
if (!$user instanceof UserInterface) {
return false;
}
if ($attribute === self::VIEW) {
return $this->canView($application, $user);
}
return false;
}
/**
* Can view own application if not deleted
* Admin can view if submitted
*
* @param \Study\MainBundle\Entity\Application $application
* @param \Study\MainBundle\Entity\User $user
*
* @return boolean
*/
protected function canView(Application $application, User $user)
{
return ($application->isOwner($user) && !$application->isDeleted())
|| (!$application->isHiddenToAdmin() && $this->security->isGranted('ROLE_ADMIN_RO'));
}
}
I'd like to just use the built-in RoleHiearchyVoter here, but it's a non-public service. Is there some solution for this? I'd like to avoid duplicating framework code or making my roles more complicated than just strings if possible.
EDIT: Injecting the whole container works, but isn't my ideal solution. Is that the only way I can access the built-in hierarchy from a voter?
There is a service called security.role_hierarchy which has the info you need. It's basically how the security context checks for roles. Need a few lines of wrapper code but it's not too bad.
# Need this because the service is not public
# http://symfony.com/doc/current/components/dependency_injection/advanced.html
cerad_core__role_hierarchy:
alias: security.role_hierarchy
cerad_game__game_official__voter:
class: Cerad\Bundle\GameBundle\Action\GameOfficial\GameOfficialVoter
public: false
arguments:
- '@cerad_core__role_hierarchy'
tags:
- { name: security.voter }
The voter class:
class GameOfficialVoter implements VoterInterface
{
public function __construct($roleHierarchy)
{
$this->roleHierarchy = $roleHierarchy;
}
protected function hasRole($token,$targetRole)
{
$reachableRoles = $this->roleHierarchy->getReachableRoles($token->getRoles());
foreach($reachableRoles as $role)
{
if ($role->getRole() == $targetRole) return true;
}
return false;
}
protected function canViewOfficialName($official,$token)
{
// Pending is the only one protected against for now
if ($official->getAssignState() != 'Pending') return $this->accessGranted;
// Assignors can always see
if ($this->hasRole($token,'ROLE_ASSIGNOR')) return $this->accessGranted;
return $this->accessDenied;
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With