@@ -387,20 +387,24 @@ generated earlier, the roles are an array that's stored in the database, and
387387every user is *always * given at least one role: ``ROLE_USER ``::
388388
389389 // src/Entity/User.php
390- // ...
391-
392- /**
393- * @ORM\Column(type="json")
394- */
395- private $roles = [];
396390
397- public function getRoles(): array
391+ // ...
392+ class User
398393 {
399- $roles = $this->roles;
400- // guarantee every user at least has ROLE_USER
401- $roles[] = 'ROLE_USER';
394+ /**
395+ * @ORM\Column(type="json")
396+ */
397+ private $roles = [];
402398
403- return array_unique($roles);
399+ // ...
400+ public function getRoles(): array
401+ {
402+ $roles = $this->roles;
403+ // guarantee every user at least has ROLE_USER
404+ $roles[] = 'ROLE_USER';
405+
406+ return array_unique($roles);
407+ }
404408 }
405409
406410This is a nice default, but you can do *whatever * you want to determine which roles
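Review bot: the new `class User` wrapper (lines 392-393 of the `+` side) is shown without `implements UserInterface`, yet the surrounding text relies on `getRoles()` being the interface method the security system calls, so a reader copying this shape gets a class the firewall will not accept as a user. Either add `class User implements UserInterface` (and keep the `// ...` to signal the omitted `namespace`/`use Doctrine\ORM\Mapping as ORM;` lines) or keep the property and method as the bare fragments they were before; half a class declaration is harder to read than either. The body of `getRoles()` is unchanged and correct: appending `'ROLE_USER'` and passing through `array_unique()` guarantees the minimum role regardless of what is stored in the `json` column.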
@@ -655,6 +659,16 @@ Securing other Services
655659
656660See :doc: `/security/securing_services `.
657661
662+ Securing Individual Objects
663+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
664+
665+ Most applications require more specific access rules. For instance, a user
666+ should be able to only edit their own comments on a blog. Voters allow you
667+ to write *whatever * business logic you need to determine access. Using
668+ these voters is similar to the role-based access checks implemented in the
669+ previous chapters. Read :doc: `/security/voters ` to learn how to implement
670+ your own voter.
671+
658672Checking to see if a User is Logged In (IS_AUTHENTICATED_FULLY)
659673~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
660674
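Review bot: the added "Securing Individual Objects" section (lines 662-670) carries no reStructuredText label, while the section it replaces in the later hunk had `.. _security-secure-objects:` above its heading, so any `:ref:` to `security-secure-objects` elsewhere in the docs will break. Add the label back above the new heading:

    .. _security-secure-objects:

    Securing Individual Objects
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also, "the previous chapters" (line 668-669) reads oddly inside a single document; "the previous sections" matches how the rest of this page refers to itself.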
@@ -692,22 +706,6 @@ like this:
692706 this - this is useful when *whitelisting * URLs to guarantee access - some
693707 details are in :doc: `/security/access_control `.
694708
695- .. _security-secure-objects :
696-
697- Access Control Lists (ACLs): Securing individual Database Objects
698- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
699-
700- Imagine you are designing a blog where users can comment on your posts. You
701- also want a user to be able to edit their own comments, but not those of
702- other users. Also, as the admin user, you want to be able to edit *all * comments.
703-
704- :doc: `Voters </security/voters >` allow you to write *whatever * business logic you
705- need (e.g. the user can edit this post because they are the creator) to determine
706- access. That's why voters are officially recommended by Symfony to create ACL-like
707- security systems.
708-
709- If you still prefer to use traditional ACLs, refer to the `Symfony ACL bundle `_.
710-
711709.. _retrieving-the-user-object :
712710
7137115a) Fetching the User Object
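Review bot: removing lines 700-702 drops the one sentence that showed the two checks being combined (a user may edit their own comment, an admin may edit all comments). That example is what distinguishes object-level authorization from the role checks covered earlier, and the replacement section only keeps the ownership half; consider carrying the admin case over so readers see that a voter typically combines a role check with an ownership check rather than replacing one with the other. Dropping the `Symfony ACL bundle`_ pointer (line 709) is fine as long as the link target is removed in the same commit, which the last hunk does.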
@@ -1043,6 +1041,5 @@ Authorization (Denying Access)
10431041
10441042.. _`FrameworkExtraBundle documentation` : https://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/index.html
10451043.. _`HWIOAuthBundle` : https://github.com/hwi/HWIOAuthBundle
1046- .. _`Symfony ACL bundle` : https://github.com/symfony/acl-bundle
10471044.. _`Symfony Security screencast series` : https://symfonycasts.com/screencast/symfony-security
10481045.. _`MakerBundle` : https://symfony.com/doc/current/bundles/SymfonyMakerBundle/index.html
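Review bot: removing the `.. _`Symfony ACL bundle`:` target (line 1046) is only safe if the reference deleted in the earlier hunk was the sole use in this file; a leftover `Symfony ACL bundle`_ anywhere else would fail the docs build with an unknown-target error. Grep the file for the link text before merging, and note that the remaining targets stay in alphabetical order, which is the convention this block follows.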