I am building system and trying to decide between Voters and ACL. What I need to achieve is there should be users with different roles to access object properties, for example: A regular authenticated user could see Post and it contents but not it's "Position" attribute, and User with editor role could also see the Post and it's contents, and have permision to see "Position" attribute and edit it. Can I achieve this functionality by using voters alone, or I need to use ACL?
I'm sorry for confusing question, I'm new to symfony and don't quite yet understand those concepts. What I wan't to achieve is permissions in object field level.
Regular user can access "TITLE" and "CONTENT" properties, and modify "CONTENT" property", moderator can view and edit, both of previous properties, and admin should have access to all object properties, and do whatever with them.
The docs only explain how to check access on objects rather than properties. I'll explain the decisions I make when choosing between voters or ACL. Next I'll explain how you can use (Hierachy) voters to achieve your goal.
When users simply have or don't have access to a object based on a role, access can be performed using the firewall and is the simplest solution.
However when access depends on a per object basis under certain rules a Voter should be used. An example, Users can only edit a post when they created it. But moderators should always be ably to edit a post.
The most difficult of access control is when a user can be granted access by an other user. For example, an admin can assign users to a post and grant them edit permissions. This is a solution where access can't be decided based purely on the role of the user. The access/permissions need to be stored per user for an object. This is what ACL does. It stores permissions on objects in the database per user.
As for your problem.
Mostly these kind of uses are handled in the code itself. I've seen a lot of different forms for an entity. UserPostFormType
, ModeratorPostFormType
and AdminPostFormType
. This isn't very dry as you can see. And checking the type of user in the code
Consider defining roles and manage them using hierarchy.
Define separate roles per property per action. Thus define the following roles.
ROLE_ID_VIEW
ROLE_ID_EDIT
ROLE_TITLE_VIEW
ROLE_TITLE_EDIT
...
You can then assign these roles to the correct user role.
security:
role_hierarchy:
ROLE_USER: [ROLE_TITLE_VIEW, ROLE_CONTENT_VIEW, ROLE_CONTENT_EDIT]
ROLE_MODERATOR: [ROLE_USER, ROLE_TITLE_EDIT]
ROLE_ADMIN: [ROLE_MODERATOR, ROLE_ID_EDIT, ROLE_ID_VIEW]
You can now use the Hierarchy Voter to check if a user can modify or view a certain property. The cleanest solution would be to create a Listener on you form which adds fields on your forms based the permissions the current user has.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With