0

With Sonata, I'm trying to use the role based security.

I want to give a group, rights for listing, editing & creating users, so I created a role with

ROLE_MANAGE_USERS:
    - ROLE_SONATA_USER_ADMIN_USER_EDIT
    - ROLE_SONATA_USER_ADMIN_USER_LIST
    - ROLE_SONATA_USER_ADMIN_USER_CREATE

This works fine, but according to the doc, I'm understanding that a user granted with

ROLE_SONATA_USER_STAFF

Should already inherit rights for [EDIT, LIST, CREATE], but that does not seem to be the case

I also tried with

ROLE_SONATA_USER_ADMIN_USER_STAFF

Is there something I misunderstood ?

Pierre de LESPINAY
  • 44,700
  • 57
  • 210
  • 307

1 Answers1

1

I guess that's not the case. First of all, the name of the main roles for edit depends on the services names. For example, if the service of the admin is sonata.user.admin, then the roles will be, for example:

ROLE_SONATA_USER_ADMIN_LIST
ROLE_SONATA_USER_ADMIN_VIEW

As you can see, the prefix is always ROLE (symfony 2 requirement), followed by the service name (but having the dots exchanged with underscores, and all capital letters), and ended with the prefix for the specific permission:

  • LIST: view the list of objects
  • VIEW: view the detail of one object
  • CREATE: create a new object
  • EDIT: update an existing object
  • DELETE: delete an existing object
  • EXPORT: (for the native Sonata export links)

As I can understand, there is no ROLE_SONATA_USER_STAFF predefined for edit, list and create. However, you can define it in the hierarchy, in the security.yml file:

security:
    role_hierarchy:
        # Setting up 
        ROLE_SONATA_USER_STAFF:
            - ROLE_SONATA_USER_ADMIN_EDIT
            - ROLE_SONATA_USER_ADMIN_LIST
            - ROLE_SONATA_USER_ADMIN_CREATE
        # using the staff role to create new roles
        ROLE_MANAGE_USERS:             [ROLE_SONATA_USER_STAFF]
Guillermo Gutiérrez
  • 17,273
  • 17
  • 89
  • 116