
I need to implement a user permission system for my Symfony 4 application. All permissions and possible method calls are stored inside a separate database table, and there is also a cross-reference table which decides which of the CRUD operations can be performed by every user. So far I would go with the voter system from Symfony, however I'm not sure if I could build a global voter which simply takes an attribute (let's say "EDIT") for a given method call passed to the voter class as subject. I would like to do something like the following in my controller classes:

$this->denyAccessUnlessGranted('CREATE', 'METHOD_A');

In the Symfony documentation there is advice to create one voter per entity. But due to the current architecture of my application (support of external plugins, other developers may extend it, etc.) I cannot predict what entities may be installed in future, therefore I cannot create voters for unknown entities.

So I would like to know if it is possible to use a global voter to handle these permission checks?

SieGeL
  • is it possible? yes. advisable? it depends. you should at least use an interface to check if the functions you might call on the object (maybe a `getUser()` method) are actually defined. and there might still be entities being created your voter cannot safely vote on. so essentially, whoever adds an entity also has to check (or just write!) a voter ... so ... I would follow symfony's advice in general to write specific voters. also YAGNI. – Jakumi Oct 12 '19 at 10:10
  • Hmm okay... I'm currently testing a global voter, but have some implementation problems with it. So far I need some kind of ACL for my application which uses fully dynamic access checks for existing and forthcoming plugins. Maybe it is better to implement my own ACL functionality and extend Twig to have my own ACL commands available. Will check this out and update here accordingly. Thanks for your answer! – SieGeL Oct 14 '19 at 06:16
  • I've implemented a global voter to extend the security system of Symfony. The voter uses a service which actually implements the ACL logic. This way I can combine Symfony's own role system with my module-based ACL checks. So all controller classes use the "IsGranted("ROLE_USER")" annotation to make sure the user is logged in, and all CRUD operations defined in my controller use the "$this->denyAccessUnlessGranted("R|W|E|D","")" method to check if the current user has permission to call this method. This also works without any problems in Symfony 5.1.x – SieGeL Aug 17 '20 at 07:57
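The design the thread converges on (one voter for all modules, delegating to an ACL service, alongside Symfony's ROLE_* checks) as an added example. This is not the poster's code; the class names ModuleAcl, ModuleAclVoter and AclSubjectInterface, the operation names R/W/E/D, the in-memory grant map and the target of Symfony 5.1 on PHP 7.4 (the versions mentioned in the comments) are all assumptions. It also picks up Jakumi's point about checking an interface: an entity from a plugin can be passed as the subject only if it declares which module it belongs to, and anything else makes the voter abstain rather than guess.

```php
<?php
// Added example (not the original poster's code): a single voter that covers
// every module by delegating to an ACL service, combined with Symfony's own
// ROLE_* checks. Assumes Symfony 5.1 / PHP 7.4; ModuleAcl, ModuleAclVoter,
// AclSubjectInterface, the grant map and the operation names "R|W|E|D" are
// assumptions. PSR-4 would put each class in its own file under src/Security/.

namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

/** Plugins implement this so their entities can be passed as the subject. */
interface AclSubjectInterface
{
    /** Module key as stored in the permission table, e.g. "METHOD_A". */
    public function getAclModule(): string;
}

/**
 * Hypothetical ACL service. A real one would query the permission table and
 * the user/permission cross-reference table; this one holds a constructed
 * in-memory map of username => module => allowed operations.
 */
final class ModuleAcl
{
    public const OPERATIONS = ['R', 'W', 'E', 'D'];

    /** @var array<string, array<string, string[]>> */
    private $grants;

    public function __construct(array $grants)
    {
        $this->grants = $grants;
    }

    public function isAllowed(string $username, string $module, string $operation): bool
    {
        // Unknown user, unknown module or unknown operation all fall through
        // to an empty list, i.e. deny by default.
        return in_array($operation, $this->grants[$username][$module] ?? [], true);
    }
}

/**
 * The "global" voter. With autoconfigure it is tagged security.voter
 * automatically because it extends Voter; no per-entity voter is needed.
 */
final class ModuleAclVoter extends Voter
{
    /** @var ModuleAcl */
    private $acl;

    public function __construct(ModuleAcl $acl)
    {
        $this->acl = $acl;
    }

    // Claim only the R/W/E/D attributes with a usable subject. For anything
    // else (ROLE_USER, entities that do not implement the interface) return
    // false so this voter ABSTAINS and the built-in role voter decides.
    protected function supports($attribute, $subject): bool
    {
        return in_array($attribute, ModuleAcl::OPERATIONS, true)
            && null !== $this->moduleOf($subject);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // anonymous token: deny
        }
        // Symfony 5.3+ renames getUsername() to getUserIdentifier().
        return $this->acl->isAllowed($user->getUsername(), $this->moduleOf($subject), $attribute);
    }

    /** Accept a module name as a string, or any entity that declares its module. */
    private function moduleOf($subject): ?string
    {
        if (is_string($subject) && '' !== $subject) {
            return $subject;
        }
        if ($subject instanceof AclSubjectInterface) {
            return $subject->getAclModule();
        }
        return null;
    }
}

// Usage in a controller (a class-level @IsGranted("ROLE_USER") ensures login):
//   $this->denyAccessUnlessGranted('W', 'METHOD_A');    // by module key
//   $this->denyAccessUnlessGranted('D', $pluginEntity); // entity implementing AclSubjectInterface
```

Two points worth checking in any variant of this. First, abstaining (supports() returning false) rather than denying on unknown attributes is what lets ROLE_* checks keep working: under the default "affirmative" decision strategy one voter granting is enough, and the role voter only ever grants ROLE_* attributes, so an R/W/E/D check can only pass through this voter. Second, every lookup miss in the ACL service (unknown user, module or operation) must evaluate to a deny, otherwise a plugin that forgets to register its module would silently be open to everyone.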

0 Answers