
I am building a project with Symfony 3 and trying to decide between Voters and ACL. So I have many roles like (SUPERADMIN, ADMIN, Office, bureau, manager, user, ...) and my project should give the superadmin the possibility to add any other role via the interface.

Plus I have a lot of objects (delivery note, contract, cashing, ...) and I should manage permissions to those objects. Here are some examples:

  • The office can view and edit only the delivery notes that are in the same city as the office

  • The user can only view the contracts

  • The manager can view and edit contracts that belong to his office only

  • The superadmin can view and edit everything and add new roles and assign them to users

...

So it's going to be a huge management project and I've found ACL and Voters and couldn't decide which one is the adequate technology for my situation. Or maybe there are other technologies that can help me :/ thanks for your help

Chaymae
    Personally I use ACL to ensure an existing role is present for accessing whole paths of my app (i.e. /account/* can only be accessed with ROLE_USER). For decisions like object-based actions (i.e. a user can edit a post) I use a voter. This way the ACL doesn't get exceedingly big and Voters can easily be unit-tested too. Also I find it easier to model complex decisions in a voter. In the end you can go both ways and it's a highly opinionated topic, so you'll have to figure out the best way for YOUR requirements. Feel free to mix and match both types as you please – Joe Apr 21 '17 at 13:36
  • @Joe The route based authorization that you described is indeed a form of access control but the question deals with access control lists. Completely different. http://symfony.com/doc/current/security/acl.html – Cerad Apr 21 '17 at 14:48
  • @Cerad of course you are right. My bad, didn't think it through. On a different note, I just stumbled across this little piece in the docs: http://symfony.com/doc/current/security.html#access-control-lists-acls-securing-individual-database-objects maybe this answers the question as far as the OP is concerned – Joe Apr 21 '17 at 15:03
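Joe's comment recommends a voter for object-level decisions such as the manager/office rule in the question. The following is an added example (not code from the question or its comments) of such a Symfony 3 voter for contracts; it assumes entities `AppBundle\Entity\Contract` and `AppBundle\Entity\User` that each expose `getOffice()`, and the role names `ROLE_SUPERADMIN` and `ROLE_MANAGER`.

```php
<?php
namespace AppBundle\Security;

use AppBundle\Entity\Contract;   // assumed entity with getOffice()
use AppBundle\Entity\User;       // assumed entity with getOffice()
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class ContractVoter extends Voter
{
    const VIEW = 'view';
    const EDIT = 'edit';

    private $decisionManager;

    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        // Role checks go through the decision manager so role_hierarchy is honoured.
        $this->decisionManager = $decisionManager;
    }

    protected function supports($attribute, $subject)
    {
        // Abstain on anything that is not a Contract or not a view/edit check.
        return in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Contract;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // anonymous requests are denied
        }
        // Superadmin (role name assumed) may view and edit everything.
        if ($this->decisionManager->decide($token, ['ROLE_SUPERADMIN'])) {
            return true;
        }
        // Manager (role name assumed) may only edit contracts of his own office.
        if ($attribute === self::EDIT) {
            $sameOffice = $user->getOffice() !== null
                && $user->getOffice() === $subject->getOffice();
            return $sameOffice
                && $this->decisionManager->decide($token, ['ROLE_MANAGER']);
        }
        // VIEW: the question lets a plain user read contracts, so any
        // authenticated user passes; everything else above was already denied.
        return true;
    }
}
```

Register the class as a service tagged `security.voter` (Symfony 3.3+ with autoconfigure does this for `Voter` subclasses), then guard the controller with `$this->denyAccessUnlessGranted('edit', $contract)`.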

0 Answers