I have an application where a user can be linked to several companies. The manyToMany relationship with the company is a distinguished entity called Associate.

I'd like to give this Associate entity the exact same role functionality as my FOSUserBundle User entity has. Important: if a user has a ROLE_MANAGER for one company, he should not be given the rights to access specific features of another company he also belongs to.

Is there a clean way to do this? I'd like to check for instance if $this->getUser->getAssociate->hasRole('ROLE_MANAGER') is true.

What if I give a role array to my entity Associate? I've read it's not secure enough? Why? What could someone do to break that security if anyway my users have to pass through FOS security login checks?

I've found an article where using a voter is suggested. But I don't want to filter routes, I really want to check the condition against the link between a user and a company, so if a voter is the solution, how would I use it?

EDIT: if a better solution not involving roles or with different logic exists, I am interested in learning about it!!

Wouter J
Sébastien
  • I don't have a direct answer for you. But I do have some ideas on how to achieve this. My first thought was to use the ROLE_ALLOWED_TO_SWITCH, and create a custom switchUserListener. In there you put your logic to determine who is allowed to switch to whom. – Nico Kaag Dec 09 '14 at 10:08
  • My second idea is based on the fact that roles are just strings. And it can be set to anything you want. You will have to make the roles you check for dynamic. They will look like: ROLE_MANAGER_COMPANY1. And in your user, you override the getRoles method so that it generates all possible roles it might have access to. – Nico Kaag Dec 09 '14 at 10:16
  • Good thoughts! I actually found a way that makes it easier given my constraints, see my next answer – Sébastien Dec 09 '14 at 11:42

1 Answer

So in my case, one user can actually be linked to a maximum of 4 companies, each of a different kind defined by its category.

The official doc would suggest using ACL, defining a role for every company, or storing the data in the entity. Cf. the first paragraphs of: http://symfony.com/doc/current/cookbook/security/acl.html

I used a combination of roles and business logic. I've created roles for every type of company, and since one user can only have one company per type, I just had to check for the type and the ROLE_MANAGER associated with the type.

See my voter here: symfony2 call is_granted in voter : how to avoid an infinite loop?

Sébastien
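The voter the question asks about ("if a voter is the solution, how would I use it?") and the role-plus-business-logic check the answer describes can be combined in one class. The following is an added example, not code from the question, the answer or the linked project. It assumes the Symfony 6 Voter signatures (PHP 8), entities App\Entity\User, App\Entity\Company and the link entity App\Entity\Associate with a hasRole() method, and a helper User::getAssociateFor(Company) that returns the Associate linking the user to that company, or null; all of those names are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: Symfony 6 Voter signatures (PHP 8), entities App\Entity\User,
// App\Entity\Company and the link entity App\Entity\Associate (with hasRole()),
// and a helper User::getAssociateFor(Company) returning the matching
// Associate or null. None of these names come from the original page.

namespace App\Security;

use App\Entity\Company;
use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class CompanyVoter extends Voter
{
    // Company-scoped permissions. These are deliberately NOT ROLE_* strings,
    // so they are never merged into the token's global role list and a
    // plain is_granted('ROLE_MANAGER') can never leak across companies.
    public const VIEW   = 'COMPANY_VIEW';
    public const MANAGE = 'COMPANY_MANAGE';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Only vote when asked about one concrete Company; abstain otherwise.
        return in_array($attribute, [self::VIEW, self::MANAGE], true)
            && $subject instanceof Company;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // not authenticated as an application user: deny
        }

        /** @var Company $subject */
        // Assumed helper: the Associate row linking this user to *this* company.
        $associate = $user->getAssociateFor($subject);
        if ($associate === null) {
            // No link to this company: deny, whatever the user holds elsewhere.
            return false;
        }

        // The role is read from the link entity, so ROLE_MANAGER held on one
        // company grants nothing on another company the same user belongs to.
        return match ($attribute) {
            self::VIEW   => true,
            self::MANAGE => $associate->hasRole('ROLE_MANAGER'),
        };
    }
}
```

Use it as $this->denyAccessUnlessGranted(CompanyVoter::MANAGE, $company) in a controller or is_granted('COMPANY_MANAGE', company) in Twig, always passing the company as the subject. This also addresses the "is a role array on Associate secure enough?" worry: the array is harmless as stored data, and the risk only appears if those strings are merged into User::getRoles(), because Symfony's subject-less is_granted('ROLE_MANAGER') check is token-wide and knows nothing about which company the current request concerns.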