[WIP] create voters_data_permission.rst article #3138
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,173 @@ | ||
| .. index:: | ||
| single: Security; Data Permission Voters | ||
|
|
||
| How to implement your own Voter to check the permission for a object agains a user | ||
|
There was a problem hiding this comment. to check user permissions for accessing a given object |
||
| ================================================================================== | ||
|
|
||
| In Symfony2 you can check the permission to access data by the | ||
| :doc:`ACL module </cookbook/security/acl>` which is a bit overhelming | ||
|
|
||
| for many applications. A much easier solution is working with custom | ||
|
|
||
| voters, which are like simple conditional statements. Voters can be | ||
| also used to check for permission as a part or even the whole | ||
|
There was a problem hiding this comment. can also be used ... for permissions ... |
||
| application: :doc:`cookbook/security/voters`. | ||
|
There was a problem hiding this comment. use absolute paths (start with a slash) and put it inside double quotes There was a problem hiding this comment. so like |
||
|
|
||
| .. tip:: | ||
|
|
||
| It is good to understand the basics about what and how | ||
|
There was a problem hiding this comment. why is it good? need to connect it |
||
| :doc:`authorization </components/security/authorization>` works. | ||
|
There was a problem hiding this comment. please link to the correct section into the book/security article instead There was a problem hiding this comment. Well the book covers not the same information like in /components/security/authorization, which is in my opinion much more relevant. While the book entry covers more the parts and bits to secure the whole application, does the components entry explain the tools that we are using here. |
||
|
|
||
| How symfony works with voters | ||
|
|
||
| ----------------------------- | ||
|
|
||
| In order to use voters you have to understand how symfony works with them. | ||
|
There was a problem hiding this comment. voters, you have to understand how Symfony works with them. |
||
| In general all registered custom voters will be called every time you ask | ||
|
|
||
| symfony about permission (ACL). In general there are three different | ||
|
|
||
| approaches on how to handle the feedback from all voters: | ||
| :ref:`components-security-access-decision-manager`. | ||
|
|
||
|
|
||
| The Voter Interface | ||
| ------------------- | ||
|
|
||
| A custom voter must implement | ||
| :class:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface`, | ||
| which requires the following three methods: | ||
|
|
||
|
|
||
| .. code-block:: php | ||
|
There was a problem hiding this comment. Sorry, I don't know hat you mean exactly? |
||
|
|
||
| interface VoterInterface | ||
| { | ||
| public function supportsAttribute($attribute); | ||
| public function supportsClass($class); | ||
| public function vote(TokenInterface $token, $object, array $attributes); | ||
| } | ||
|
|
||
| The ``supportsAttribute()`` method is used to check if the voter supports | ||
|
There was a problem hiding this comment. Use: The :method:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::supportsAttribute`
method is used to check if the voter supports |
||
| the given user attribute (i.e: a role, an acl, etc.). | ||
|
|
||
| The ``supportsClass()`` method is used to check if the voter supports the | ||
|
|
||
| current user token class. | ||
|
|
||
| The ``vote()`` method must implement the business logic that verifies whether | ||
|
|
||
| or not the user is granted access. This method must return one of the following | ||
| values: | ||
|
There was a problem hiding this comment. You mean line 44 to 52, covering each point as a list entry? There was a problem hiding this comment. Yes, and this can also be added to the included file, I guess. |
||
|
|
||
| * ``VoterInterface::ACCESS_GRANTED``: The user is allowed to access the application | ||
| * ``VoterInterface::ACCESS_ABSTAIN``: The voter cannot decide if the user is granted or not | ||
| * ``VoterInterface::ACCESS_DENIED``: The user is not allowed to access the application | ||
|
|
||
| In this example, you'll check if the user will have access to a specific object according to your custom conditions (e.g. he must be the owner of the object). If the condition fails, you'll return | ||
|
There was a problem hiding this comment. missing line breaks after the first word that crosses the 72th character |
||
| ``VoterInterface::ACCESS_DENIED``, otherwise you'll return | ||
|
|
||
| ``VoterInterface::ACCESS_GRANTED``. In case the responsebility for this decision belong not to this voter, he will return | ||
|
|
||
| ``VoterInterface::ACCESS_ABSTAIN``. | ||
|
|
||
| Creating the Custom Voter | ||
| ------------------------- | ||
|
|
||
| You could store your Voter for the view and edit method of a post within ACME/DemoBundle/Security/Authorization/Document/PostVoter.php. | ||
|
There was a problem hiding this comment. also, use a literal (double quotes) and I don't think the filename needed, because you already add it to the example |
||
|
|
||
| .. code-block:: php | ||
|
There was a problem hiding this comment. should I not declare somewhere that it is php? Is it maybe then, wourl that work?: ... view and edit action like following:: php There was a problem hiding this comment. no, the default language is PHP for the Symfony docs. So just |
||
|
|
||
| // src/Acme/DemoBundle/Security/Authorization/Document/PostVoter.php | ||
|
There was a problem hiding this comment. we always use the ORM in the docs, so please use the Entity namespace instead of the Document namespace |
||
| namespace Acme\DemoBundle\Security\Authorization\Document; | ||
|
|
||
|
There was a problem hiding this comment. use Acme\DemoBundle\Entity\Post(see below) |
||
| use Symfony\Component\DependencyInjection\ContainerInterface; | ||
| use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface; | ||
| use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; | ||
|
|
||
| class PostVoter implements VoterInterface | ||
| { | ||
| private $container; | ||
|
|
||
| public function __construct(ContainerInterface $container) | ||
|
There was a problem hiding this comment. teaching to inject the container is outrageous at this date and age |
||
| { | ||
| $this->container = $container; | ||
| } | ||
|
|
||
|
|
||
| public function supportsAttribute($attribute) | ||
| { | ||
| return in_array($attribute, array( | ||
|
|
||
| 'view', | ||
| 'edit' | ||
|
There was a problem hiding this comment. always add a comma after multi-line array items |
||
| )); | ||
| } | ||
|
|
||
| public function supportsClass($class) | ||
| { | ||
| // could be "ACME\DemoBundle\Entity\Post" as well | ||
| $array = array("ACME\DemoBundle\Document\Post"); | ||
|
|
||
|
|
||
| foreach ($array as $item) { | ||
| // check with stripos in case doctrine is using a proxy class for this object | ||
|
There was a problem hiding this comment. This is not the right way to check for Doctrine proxies (you can have lots of false positive with your stripos detection).
There was a problem hiding this comment. Ah cool, I didn't know that. I will change that to be more proper. There was a problem hiding this comment. i think there is even a util in doctrine common for this, but i may be wrong There was a problem hiding this comment. yes this will be replaced by a better solution, please wait till tomorrow |
||
| if (stripos($s, $item) !== FALSE) { | ||
|
There was a problem hiding this comment. use lowercase php constants: false |
||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
|
There was a problem hiding this comment. add new line before return statement There was a problem hiding this comment. why not simplify this to? return $obj instanceof Post; |
||
| } | ||
|
|
||
| public function vote(TokenInterface $token, $object, array $attributes) | ||
| { | ||
| // get current logged in user | ||
| $user = $token->getUser(); | ||
|
|
||
| // check if class of this object is supported by this voter | ||
| if ( !($this->supportsClass(get_class($object))) ) { | ||
|
|
||
| return VoterInterface::ACCESS_ABSTAIN; | ||
| } | ||
|
|
||
| // check if the given attribute is covered by this voter | ||
| foreach ($attributes as $attribute) { | ||
|
There was a problem hiding this comment. Maybe I'm missing something but I don't see the point of checking the whole array if you are only using the first element after that. There was a problem hiding this comment. I agree. Personally, I only ever allow 1 attribute to be passed - passing an array is confusing to me, because we could internally implement it using OR or AND logic. So, I like just using the first attribute, but we should throw an exception if there is more than 1 attribute and then grab the first attribute so that we don't need this There was a problem hiding this comment. Alright, as the interface is forcing us to have a array parameter as the last one, I will do use always the first array element as described earlier: #3138 (comment) |
||
| if ( !$this->supportsAttribute($attribute) ) { | ||
|
|
||
| return VoterInterface::ACCESS_ABSTAIN; | ||
| } | ||
| } | ||
|
There was a problem hiding this comment. this implementation looks weird to me: you are abstaining even if some of the attributes are supported. None of the core voters are behaving this way (most of the time, you are checking a single attribute so it is not a common case though) There was a problem hiding this comment. You are right, I am going to allow one Attribute only. |
||
|
|
||
| // check if given user is instance of user interface | ||
|
|
||
| if ( !($user instanceof UserInterface) ) { | ||
|
There was a problem hiding this comment. missing use statement for UserInterface |
||
| return VoterInterface::ACCESS_DENIED; | ||
| } | ||
|
|
||
| switch($this->attributes[0]) { | ||
|
|
||
|
|
||
|
|
||
| case 'view': | ||
| if($object->isPrivate() === false) { | ||
|
There was a problem hiding this comment. if (!$object->isPrivate()) {
}(space between if and open ( and removing === false) |
||
| return VoterInterface::ACCESS_GRANTED; | ||
| } | ||
| break; | ||
|
|
||
| case 'edit': | ||
| if($object->getOwner()->getId() === $user->getId()) { | ||
|
There was a problem hiding this comment. space after if and switch |
||
| return VoterInterface::ACCESS_GRANTED; | ||
| } | ||
| break; | ||
|
|
||
| default: | ||
|
There was a problem hiding this comment. This case can be remove because we are already out with !$this->supportsAttribute($attribute) from https://github.com/symfony/symfony-docs/pull/3138/files#diff-70c7f0c16e0c51e7dc991ab9b801ff73R107 |
||
| // otherwise denied access | ||
| return VoterInterface::ACCESS_DENIED; | ||
|
There was a problem hiding this comment. I'd rather throw an exception here - because of the |
||
| } | ||
|
|
||
|
There was a problem hiding this comment. remove this line break and you did not even use the container 👎 |
||
| } | ||
| } | ||
|
|
||
| That's it! The voter is done. The next step is to inject the voter into | ||
| the security layer. This can be done easily through the service container. | ||
|
There was a problem hiding this comment. remove the part for service container since you already removed it in the code example There was a problem hiding this comment. As it was spotted: #3138 (comment), I simply reused parts from http://symfony.com/doc/current/cookbook/security/voters.html#creating-a-custom-voter |
||
|
|
||
| Declaring the Voter as a Service | ||
| -------------------------------- | ||
|
|
||
| To inject the voter into the security layer, you must declare it as a service, | ||
|
|
||
| and tag it as a "security.voter": | ||
|
|
||
|
|
||
| .. configuration-block:: | ||
|
|
||
| .. code-block:: yaml | ||
|
|
||
| # src/Acme/AcmeBundle/Resources/config/services.yml | ||
|
There was a problem hiding this comment.
|
||
| services: | ||
| security.access.post_document_voter: | ||
| class: Acme\DemoBundle\Security\Authorization\Document\PostVoter | ||
|
There was a problem hiding this comment. also it seems you are using mongodb from the Document folder name |
||
| public: false | ||
| arguments: [@service_container] | ||
|
|
||
| # we need to assign this service to be a security voter | ||
|
There was a problem hiding this comment. this is not needed, we can just say it gets tagged to be a voter |
||
| tags: | ||
| - { name: security.voter } | ||
|
There was a problem hiding this comment. missing xml and php: <?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services">
<services>
<service id="security.access.post_document_voter"
class="Acme\DemoBundle\Security\Authorization\Document\PostVoter"
public="false">
<tag name="security.voter" />
</service>
</services>
</container>$container
->register('security.access.post_document_voter', 'Acme\DemoBundle\Security\Authorization\Document\PostVoter')
->addTag('security.voter')
; |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new document needs to be referenced in
/cookbook/map.rstand/cookbook/security/index.rst.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added them right under the voter article.