
In my security.yml I added the role ROLE_PUBLISHER. I set it up so that ROLE_USER inherits ROLE_PUBLISHER:

security:
    role_hierarchy:
        ROLE_USER:   ROLE_PUBLISHER

The controller code is as follows.

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use JMS\SecurityExtraBundle\Annotation\Secure;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;

/**
 * Only users that hold ROLE_PUBLISHER (directly or through the role hierarchy)
 * may call this action.
 *
 * @Route("/{id}", requirements={"id" = "\d+"}, name="note_update", options={"expose"=true})
 * @Method("PUT")
 * @Secure(roles="ROLE_PUBLISHER")
 *
 * @param int $id
 *
 * @return Response|JsonResponse
 */
public function updateAction($id)
{
    // Some code...
}

But when I log in as ROLE_PUBLISHER, I will also have access to ROLE_USER actions. How can I avoid this?

NiñoScript
user2506165
  • Can you paste your entire security.yml? – Sybio Jun 24 '13 at 08:13
  • If you are using FOSUserBundle then all users get ROLE_USER by default https://github.com/FriendsOfSymfony/FOSUserBundle/blob/1.2.x/Model/User.php – Luke Jun 24 '13 at 09:51

1 Answer

No need to define the ROLE_PUBLISHER role in your security.yml since you don't want any role hierarchy. Roles (prefixed with ROLE_) can be used and invented on the fly and don't need to be defined anywhere.

See the Roles section of the Symfony2 documentation.

Further: in your security example you defined ROLE_USER to inherit the role ROLE_PUBLISHER and not vice versa. Make sure the logged-in user only has the role ROLE_PUBLISHER.

Kristian Zondervan
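To make the direction of the mapping concrete, here is an added example (not code from the question, the answer or Symfony itself): a small stand-alone re-implementation of role-hierarchy resolution in the style of Symfony's RoleHierarchy::getReachableRoles(), run over the mapping from the question, over the default-ROLE_USER situation the FOSUserBundle comment describes, and over the no-hierarchy setup the answer recommends. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the question, the answer or Symfony: a minimal
// re-implementation of role-hierarchy resolution in the style of Symfony's
// RoleHierarchy::getReachableRoles(), used to show which roles each mapping grants.
// In the mapping, the KEY is the role a user holds and the VALUES are the roles
// that holding it additionally grants (transitively). Assumes PHP 7.1 or later.

/** Every role reachable from $roles through $hierarchy, including $roles themselves. */
function reachableRoles(array $hierarchy, array $roles): array
{
    $reachable = [];
    $queue = $roles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($reachable[$role])) {
            continue;                       // already visited; also guards against cycles
        }
        $reachable[$role] = true;
        foreach ($hierarchy[$role] ?? [] as $granted) {
            $queue[] = $granted;
        }
    }
    return array_keys($reachable);
}

/** Print which roles a user with $userRoles effectively holds under $hierarchy. */
function report(string $label, array $hierarchy, array $userRoles): void
{
    printf("%-42s holds [%s] -> reaches [%s]\n", $label,
        implode(', ', $userRoles), implode(', ', reachableRoles($hierarchy, $userRoles)));
}

// The mapping from the question: ROLE_USER is the key, so ROLE_USER gains ROLE_PUBLISHER,
// not the other way round.
$asPosted = ['ROLE_USER' => ['ROLE_PUBLISHER']];
report('as posted, publisher only', $asPosted, ['ROLE_PUBLISHER']);
report('as posted, ordinary user', $asPosted, ['ROLE_USER']);

// If the user store gives every account ROLE_USER (as the comment about FOSUserBundle
// notes), the publisher holds both roles and passes ROLE_USER checks whatever the mapping says.
report('as posted, publisher + default ROLE_USER', $asPosted, ['ROLE_PUBLISHER', 'ROLE_USER']);

// The answer's advice: no hierarchy entry, and the publisher account holds only ROLE_PUBLISHER.
$noHierarchy = [];
report('no hierarchy, publisher only', $noHierarchy, ['ROLE_PUBLISHER']);
```

Run it with `php example.php`; the third line of output shows why a publisher that is also given ROLE_USER by the user store passes ROLE_USER checks regardless of how the hierarchy is written.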