role_hierarchy with Symfony2

6
votes

I have a big problem with my role_hierarchy,

security:
    role_hierarchy:
        ROLE_ADMIN:[ROLE_USER,ROLE_AUTHOR,ROLE_MODERATOR]
        ROLE_SUPER_ADMIN:[ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH]

with that, if i got the SUPER_ADMIN role, I will got the ROLE_AUTHOR, ROLE_MODERATOR, ROLE_USER AND ROLE_ADMIN. But my problem it's when I login on my website, if I check the profiler, i can see i got only the ROLE_SUPER_ADMIN, not the others roles, so, can you help me?

my view (base.html.twig)

<h3>Blog</h3>
<ul class="nav nav-pills nav-stacked">
    <li><a href="{{ path('dom_home') }}">Home Page</a></li>
    {% if is_granted('ROLE_AUTHOR') %}
        <li><a href="{{ path('dom_add') }}">Add a post</a></li>
    {% endif %}
    {% if is_granted('IS_AUTHENTICATED_FULLY') %}
        <li><a href="{{ path('fos_user_security_logout') }}">Logout</a></li>
    {% else %}
        <li><a href="{{ path('fos_user_security_login') }}">login</a></li>
        <li><a href="{{ path('fos_user_registration_register') }}">register</a></li>
    {% endif %}
</ul>

my security.yml (app/config)

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER,ROLE_AUTHOR,ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH]

    providers:
        in_memory:
            users:
                user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        fos_userbundle:
            id: fos_user.user_manager
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:   ^/(login$|register|resetting)
            anonymous: true
        main:
            pattern: ^/
            form_login:
                provider:    fos_userbundle
                remember_me: true
                always_use_default_target_path: true
                default_target_path: /dom/
            remember_me:
                key:         %secret%
            anonymous:       false
            logout:          true

edit:

my view (base.html.twig)

<h3>Blog</h3>
<ul class="nav nav-pills nav-stacked">
    <li><a href="{{ path('dom_home') }}">Home Page</a></li>
    {% if is_granted('ROLE_AUTHOR') %}
        <li><a href="{{ path('dom_add') }}">Add a post</a></li>
    {% endif %}
    {% if is_granted('IS_AUTHENTICATED_FULLY') %}
        <li><a href="{{ path('fos_user_security_logout') }}">Logout</a></li>
    {% else %}
        <li><a href="{{ path('fos_user_security_login') }}">login</a></li>
        <li><a href="{{ path('fos_user_registration_register') }}">register</a></li>
    {% endif %}
</ul>

my security.yml (app/config)

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER,ROLE_AUTHOR,ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH]

    providers:
        in_memory:
            users:
                user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        fos_userbundle:
            id: fos_user.user_manager
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:   ^/(login$|register|resetting)
            anonymous: true
        main:
            pattern: ^/
            form_login:
                provider:    fos_userbundle
                remember_me: true
                always_use_default_target_path: true
                default_target_path: /dom/
            remember_me:
                key:         %secret%
            anonymous:       false
            logout:          true

please answer :)

1
securitysymfonyhierarchyrolesrole
The hierarchy does not mean, that you are explicitly added to these roles, i.e. that when you check the profiler you don't see all the roles. It only means, that the access is "inherited". In other words, when you restrict access to an action to ROLE_MODERATOR, even though you are not assigned this role, you can still access the action as ROLE_SUPER_ADMIN inherits the access. - dbrumann
ok, but if i'm doing is_granted('ROLE_MODERATOR'), i will be able to access to it? Like: {% if is_granted('ROLE_MODERATOR') %} moderator {% else %} no moderator {%endif%}, in a twig template, i'll be able to see moderator? - Stickly
I have just trying this and it's don't works - Stickly
It works for me. Can you show more details of your security.yml and the controller/view? Maybe the firewall is not configured for the controller you have tested it with? - dbrumann
Please, I need help, I don't know what I can do. - Stickly

1 Answers

10
votes

I cannot see what's wrong from the code snippets you provided, so I made a little example application to give you a step by step-instruction which might lead you to the source of the problem.

  1. Cloned symfony-standard (master) (and removed Acme\DemoBundle)
  2. Added "friendsofsymfony/user-bundle": "dev-master" to composer.json
  3. Created new bundle Mahok\SecurityBundle (php app/console generate:bundle)
  4. Created new Entity php app/console doctrine:generate:entity
  5. Modified Entity according to FOS\UserBundle documentation (step 3; Important: Change the table name to something other than "user", as this is a reserved word and might cause trouble!)

  6. Modified app/AppKernel.php, app/config/config.yml, app/config/routing.yml and app/config/security.yml according to FOS\UserBundle documentation. For reference: This is the security.yml I use:

    jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

role_hierarchy:
    ROLE_AUTHOR:      [ROLE_USER]
    ROLE_MODERATOR:   [ROLE_AUTHOR]
    ROLE_ADMIN:       [ROLE_MODERATOR]
    ROLE_SUPER_ADMIN: [ROLE_ADMIN]

providers:
    fos_userbundle:
        id: fos_user.user_manager

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false

    auth:
        pattern:   (^/login$|^/register|^/resetting)
        anonymous: true

    main:
        pattern:    ^/
        form_login:
            provider:      fos_userbundle
            csrf_provider: form.csrf_provider
        logout:     true
        anonymous:  true

access_control:
    - { path: ^/admin, role: ROLE_ADMIN }

  7. Created user with `php app/console fos:user:create sa --super-admin

  8. Modified DefaultController:default.html.twig in Mahok\SecurityBundle, checking for {% is_granted('ROLE_MODERATOR') %}:

    Hello {{ name }}!
{% if is_granted('ROLE_MODERATOR') %}
<ul>
    {% for role in app.user.roles %}
    <li>{{ role }}</li>
    {% endfor %}
</ul>
{% else %}
    oh noes!
{% endif %}

edit: When going to localhost/example/app_dev.php/hello/User (after logging in as "sa"), I get the following output:

Hello User!
* ROLE_SUPER_ADMIN
* ROLE_USER