Document how to grant a role to a user (Security)

[jbruni]

Although the Security section dives deep into a few minor details, it does not mention at all how to grant a role to a user: https://github.com/symfony/symfony-docs/blob/2.4/book/security.rst

It mentions several lots of times how important the ROLES are. Suddenly, the section "Access Control" begins, stating:

Now that you have a User and Roles, you can go further than URL-pattern based authorization.

And the topic moves on advanced protection of resources.

Yes: we have Users in one side. We have Roles in the other side. Nothing was mentioned about attaching Users to Roles! While much more advanced stuff is discussed.

[jbruni]

Ok. I've just moved on and found the detailed information at http://symfony.com/doc/current/cookbook/security/entity_provider.html

This is great. I was not believing in such a big fault... So, the case is much easier to resolve than it could be.

We really need (this is a must) to have one of that pretty boxes clearly and briefly mentioning the issue (granting roles to users), linking to the proper doc page.

Please, someone who has the availability and skills, include this very important but missing piece of info there. It will certainly help people, and you will earn several reputation and service points!

Thank you.

[javiereguiluz]

The security chapter was recently revamped from scratch by Ryan. I've re-read it carefully and I think this issue is no longer relevant because roles are correctly explained in the new access control section: http://symfony.com/doc/2.3/book/security.html#denying-access-roles-and-other-authorization

@jbruni if you agree with this, I think we can close this issue as fixed. Thanks.

[cordoval]

actually after skimming over i think this triggers still the same doubt. Can you please point exactly where it was resolved within the text?

[jbruni]

@javiereguiluz - Well, this issue is from quite some time, and I haven't been using Symfony lately. But I took a brief look right now, and as @cordoval points, it seems the issue remains.

We have explanation on Users and Roles and how to set a required Role for a Controller and so on... but we still do not have nothing saying how to set Roles to Users - the most important, vital, and BASIC piece of info which should be there (and still isn't) is the getRoles method of the User class. This is where we define which Roles a given user have.

So, it seems that no, the issue has not been fixed...

[wouterj]

These users are coming from a user provider. This is discussed somewhere at the beginning of the article in "Configuring how Users are Loaded". This first paragraph of this section already links to the entity provider and custom provider articles, both explain how to grant roles to a user.

I believe such things are complex logic and should not live inside the book documentation.

Is there anything left we can do here?

[jbruni]

Yes, there is:

• While browsing the security page, if CTRL+F is used to find text on it, and "getRoles" is typed, it must find, at least, one occurrence of it.

I believe this is a humble request.

Nevertheless, in my opinion, if this single and minimal goal is reached, great progess will have been done.

(Come on... read this - http://symfony.com/doc/master/book/security.html#roles - I ask myself how in the world is it possible that one needs to search up to despair to discover the "getRoles" secret - which seems to be hidden from there on purpose!) - please do not take this seriously, I'm using a bit of irony here, just as a mean to share my perspective

[javiereguiluz]

I'm closing this as fixed by the huge security doc refactorization done in #10423. As you can see, getRoles() is now mentioned and explained in the main security article: https://symfony.com/doc/master/security.html#denying-access-roles-and-other-authorization