
I need some help setting up some ROLE hierarchy configuration under a Symfony2 project. I have two areas: frontend, where users with ROLE_CHAT should be able to log in, and backend, where only ROLE_ADMIN is allowed. I have two more roles, ROLE_EXECUTIVE and ROLE_LOADER1, but these can't access all the areas under the backend, as the table below shows:

Item        ROLE_ADMIN  ROLE_CHAT  ROLE_EXECUTIVE  ROLE_LOADER1
User            x
Category        x
Command         x                        x              x
Alias           x                        x
Report          x                        x              x

I am having some problems because I don't know how to properly set up the role_hierarchy under security.yml to allow the permissions shown above. This is what I have right now:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_CHAT:        ROLE_USER
        ROLE_LOADER1:     [ROLE_USER, ROLE_ADMIN]
        ROLE_LOADER2:     [ROLE_USER, ROLE_ADMIN]
        ROLE_EXECUTIVE:   [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN:       [ROLE_USER, ROLE_CHAT, ROLE_EXECUTIVE, ROLE_LOADER1, ROLE_LOADER2]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            anonymous: ~
            provider: fos_userbundle
            form_login:
                csrf_token_generator: security.csrf.token_manager
                always_use_default_target_path: true
                default_target_path: root
                use_referer: false
                remember_me: true
            logout:
                path: fos_user_security_logout
                target: root
            remember_me:
                secret:   '%secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /

    # rules are evaluated top to bottom; the first matching path wins
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }

        - { path: ^/chat/, role: ROLE_CHAT }
        - { path: ^/admin/, role: ROLE_ADMIN }

My doubt here is: in order to access the backend area, do ROLE_CHAT, ROLE_EXECUTIVE and ROLE_LOADER1 need ROLE_ADMIN as well? Is there any other way to set this up? I don't know if this can be fixed using access_control or whether it goes beyond that and needs ACL, which makes everything more complex. Any advice around this setup? Ideas? How would you do that?
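To see why the posted hierarchy grants more than the table intends, here is an added stand-alone PHP script (not code from the question or from Symfony itself) that imitates the two things the security component does with this configuration: it expands role_hierarchy into the full set of reachable roles, the transitive closure Symfony's RoleHierarchy builds, and it applies access_control as "first matching path rule wins". It then evaluates the hierarchy from the question against a least-privilege alternative in which no role inherits ROLE_ADMIN and each backend section gets its own access_control entry. The /admin/<section>/ URL layout, the `roles:` lists, ROLE_LOADER2 and ROLE_SUPER_ADMIN being left out, and the whole "least privilege" configuration are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or from Symfony itself.
// It simulates two things Symfony's security component does:
//   1. expanding role_hierarchy into the full set of reachable roles
//      (the transitive closure that RoleHierarchy builds), and
//   2. applying access_control as "first matching path rule wins".
// The /admin/<section>/ URL layout and the "least privilege" configuration
// are assumptions for illustration; only the first hierarchy is from the question.

function reachableRoles(array $hierarchy, array $roles): array
{
    $reachable = $roles;
    $queue = $roles;
    while ($queue) {
        $role = array_shift($queue);
        foreach ($hierarchy[$role] ?? [] as $child) {
            if (!in_array($child, $reachable, true)) {
                $reachable[] = $child;
                $queue[] = $child;
            }
        }
    }
    return $reachable;
}

// Returns true/false for the first rule whose regex matches the path, or null
// when no access_control entry applies (Symfony then lets the request through).
function isGranted(array $accessControl, array $hierarchy, array $userRoles, string $path): ?bool
{
    $effective = reachableRoles($hierarchy, $userRoles);
    foreach ($accessControl as $rule) {
        if (!preg_match('{' . $rule['path'] . '}', $path)) {
            continue;
        }
        $required = (array) $rule['roles'];
        if (in_array('IS_AUTHENTICATED_ANONYMOUSLY', $required, true)) {
            return true;
        }
        // Symfony grants access when the user holds ANY of the listed roles.
        return (bool) array_intersect($required, $effective);
    }
    return null;
}

// --- Configuration 1: the hierarchy from the question (ROLE_LOADER2 and
// ROLE_SUPER_ADMIN omitted; the ROL_EXECUTIVE typo corrected).
$hierarchyAsPosted = [
    'ROLE_CHAT'      => ['ROLE_USER'],
    'ROLE_LOADER1'   => ['ROLE_USER', 'ROLE_ADMIN'],
    'ROLE_EXECUTIVE' => ['ROLE_USER', 'ROLE_ADMIN'],
    'ROLE_ADMIN'     => ['ROLE_USER', 'ROLE_CHAT', 'ROLE_EXECUTIVE', 'ROLE_LOADER1'],
];
$accessControlAsPosted = [
    ['path' => '^/login$', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/chat/',  'roles' => 'ROLE_CHAT'],
    ['path' => '^/admin/', 'roles' => 'ROLE_ADMIN'],
];

// --- Configuration 2 (assumed fix): nobody inherits ROLE_ADMIN; each backend
// section has its own rule, most specific first, with the catch-all last.
$hierarchyLeastPrivilege = [
    'ROLE_CHAT'      => ['ROLE_USER'],
    'ROLE_LOADER1'   => ['ROLE_USER'],
    'ROLE_EXECUTIVE' => ['ROLE_USER'],
    'ROLE_ADMIN'     => ['ROLE_USER', 'ROLE_CHAT', 'ROLE_EXECUTIVE', 'ROLE_LOADER1'],
];
$accessControlLeastPrivilege = [
    ['path' => '^/login$',                  'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/chat/',                   'roles' => 'ROLE_CHAT'],
    ['path' => '^/admin/(user|category)/',  'roles' => 'ROLE_ADMIN'],
    ['path' => '^/admin/(command|report)/', 'roles' => ['ROLE_ADMIN', 'ROLE_EXECUTIVE', 'ROLE_LOADER1']],
    ['path' => '^/admin/alias/',            'roles' => ['ROLE_ADMIN', 'ROLE_EXECUTIVE']],
    ['path' => '^/admin/',                  'roles' => 'ROLE_ADMIN'], // catch-all must stay last
];

// Print a permission matrix for each configuration (assumed section URLs).
$paths = ['/chat/', '/admin/user/', '/admin/category/', '/admin/command/', '/admin/alias/', '/admin/report/'];
$roles = ['ROLE_CHAT', 'ROLE_EXECUTIVE', 'ROLE_LOADER1', 'ROLE_ADMIN'];

$configs = [
    ['as posted',       $hierarchyAsPosted,        $accessControlAsPosted],
    ['least privilege', $hierarchyLeastPrivilege,  $accessControlLeastPrivilege],
];
foreach ($configs as [$label, $hierarchy, $acl]) {
    echo "== $label ==\n";
    printf("%-18s", 'path');
    foreach ($roles as $r) {
        printf("%-16s", $r);
    }
    echo "\n";
    foreach ($paths as $path) {
        printf("%-18s", $path);
        foreach ($roles as $r) {
            printf("%-16s", isGranted($acl, $hierarchy, [$r], $path) ? 'x' : '-');
        }
        echo "\n";
    }
}
```

In the "as posted" matrix, ROLE_LOADER1 and ROLE_EXECUTIVE get an `x` on every /admin/ row, including /admin/user/ and /admin/category/, because inheriting ROLE_ADMIN makes them indistinguishable from an administrator once the hierarchy is expanded; ROLE_ADMIN also reaches /chat/ through ROLE_CHAT. The second matrix reproduces the table from the question without any ACL, purely through the hierarchy and ordered access_control rules. Two things to keep when translating this into security.yml: the more specific `^/admin/...` paths must come before the `^/admin/` catch-all, since the first match decides, and `roles:` takes a list, which Symfony treats as "any of these".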

  • Why would you need the `ROLE_ADMIN` role to access the back-end in your setup? This role should only be needed if you want to manage users or categories. Otherwise this looks like you misconfigured your access control rules. – xabbuh Jan 21 '16 at 09:57
  • @xabbuh that's what I am trying to get, the right configuration, how would you do that? – ReynierPM Jan 21 '16 at 13:11
  • Please show your current configuration so we can check what is going wrong. – xabbuh Jan 21 '16 at 13:54
  • @xabbuh this is a work in progress I haven't tested this setup I am just looking the right way to do it. I should probably add some PHPUnit test for this but I am not sure how so I am testing on the old fashion way, open a browser and test – ReynierPM Jan 21 '16 at 13:59
  • I suggest you then start configuring your access control rules and when you get stuck at some point you show us your configuration at that point and ask with a concrete problem. – xabbuh Jan 21 '16 at 14:26
