5
votes

I have Sonata Admin set up with ACLs. I have different users, groups and permissions which work fine. To achieve this, I followed the Sonata Admin documentation on ACLs.

So here is my question: What is a clean way to ensure that backend (admin) users can only view, edit and delete the entities they created with Symfony's and Sonata Admin's built-in ACL mechanisms? Sonata Admin automatically stores the owner (creator) of the object once it is persisted in the ACL tables (from the Sonata docs):

Owner: when an object is created, the currently logged in user is set as owner for that object and is granted all access for that object;

The same question has already been answered on Stackoverflow, but the answer does not explain in detail how to solve it with ACLs.

3
@pulzarraider, I saw you already answered this question here, but may I ask you to go into detail about how to implement that with ACLs in Sonata Admin? I don't know how to limit the list of objects in the list view of Sonata Admin to the ones the currently logged-in user owns.

thomaskonrad

3 Answers

4
votes

There is a new Symfony bundle doing just that: https://github.com/coopTilleuls/CoopTilleulsAclSonataAdminExtensionBundle

All you need to do is enable ACL in Sonata Admin, install the bundle and activate it. Pretty easy and effective, I use it in my Symfony2 project with Sonata Admin 2.2.

3
votes

I saw 2 ways to do that:

I was not able to do any of these for doing the very simple thing that I needed, but I think this is the idea.

Actually this is one of many Symfony things on which I spent many hours and thousands of lines of code without big success... Such simple needs should not be such a pain in the arse...

2
votes

Don't grant the EDIT permission to the users. They can edit the instances they own but not others' instances.

I use this configuration:

#app/config/config.yml
sonata_admin:
    security:
        information:
            # STAFF has no EDIT/DELETE at class level, so only the object-level
            # OWNER ACE that Sonata writes on persist lets them edit what they created
            STAFF:    [VIEW, LIST, CREATE]
            EDITOR:   [OPERATOR, EXPORT]
            ADMIN:    [MASTER]

Documentation
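As an added example (not code from the question or any answer), this PHP script builds an in-memory Symfony ACL by hand to show why the configuration above lets a STAFF user edit only what they own: the role's class-level ACE carries VIEW and CREATE, while the creator's object-level OWNER ACE is what satisfies EDIT and DELETE. Entity class names, ids, usernames and the autoload path are assumptions; LIST is a Sonata-specific mask and is left out so only Symfony's own MaskBuilder is needed.

```php
<?php
// Added example: in-memory symfony/security-acl check, no database involved.
// Class names, ids and usernames below are hypothetical.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Acl\Domain\Acl;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\PermissionGrantingStrategy;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
use Symfony\Component\Security\Acl\Permission\BasicPermissionMap;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

$staff = new RoleSecurityIdentity('ROLE_STAFF');
$alice = new UserSecurityIdentity('alice', 'App\Entity\User'); // created the object
$bob   = new UserSecurityIdentity('bob', 'App\Entity\User');   // another STAFF member

// Class-level ACE for the role, as the STAFF: [VIEW, LIST, CREATE] line implies
// (LIST omitted here because it is a Sonata-only mask).
$staffMask = (new MaskBuilder())->add('VIEW')->add('CREATE')->get();

$oid = new ObjectIdentity(42, 'App\Entity\Post');
$acl = new Acl(1, $oid, new PermissionGrantingStrategy(), [$staff, $alice, $bob], false);
$acl->insertClassAce($staff, $staffMask);
// What Sonata does on persist: the creator gets an object-level OWNER ACE.
$acl->insertObjectAce($alice, MaskBuilder::MASK_OWNER);

$map = new BasicPermissionMap();

/**
 * Resolve a permission name (VIEW, EDIT, DELETE, ...) to the masks that imply
 * it and ask the ACL. isGranted() throws when no ACE applies at all; treat
 * that as a deny rather than letting it bubble up.
 */
function allowed(Acl $acl, BasicPermissionMap $map, string $permission, array $sids): bool
{
    try {
        return $acl->isGranted($map->getMasks($permission, null), $sids, false);
    } catch (NoAceFoundException $e) {
        return false;
    }
}

// Each user is checked with their own SID first, then their role SID.
foreach (['alice' => [$alice, $staff], 'bob' => [$bob, $staff]] as $name => $sids) {
    foreach (['VIEW', 'EDIT', 'DELETE'] as $perm) {
        printf("%s %s: %s\n", $name, $perm, allowed($acl, $map, $perm, $sids) ? 'granted' : 'denied');
    }
}
```

The object-level OWNER ACE is matched before class-level ACEs, which is why alice passes EDIT and DELETE while bob, holding only the role's VIEW and CREATE, is denied on both.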