I started to use SonataAdminBundle in a Symfony2.1 application. I developed all the Admin
classes and now I wish to add roles to prevent view, list and edit actions to such user groups (e.g. non-admin users).
Notice that I don't use the SonataUserBundle (derived from FOSUserBundle) and I want to use the sonata.admin.security.handler.role
security handler provided by the Sonata: ACL is too much powerful (and provides a lot of overhead) for my small project.
My own UserBundle provides User class and Group class (the last used to specify the role of each user). The role hierarchy is provided in my security.yml file, e.g.:
security:
role_hierarchy:
ROLE_POST_AUTHOR: ROLE_USER
ROLE_ADMIN: [ ROLE_USER, ROLE_POST_AUTHOR]
ROLE_SUPER_ADMIN: [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
Now, I configured the config.yml file by specifying the security handler
sonata_admin:
security:
handler: sonata.admin.security.handler.role
The official docs are more focused on how using ACL and SonataUserBundle, so I don't know how to link my roles from security.yml with the SonataAdminBundle.
PS: A similar question is: SonataAdminBundle Security roles.
Try to create roles with ROLE_<service.name>_<RIGHT>
where
<service.name>
is UPPER-CASE-ed and DOT-REPLACED-BY-UNDERSCORE version of your sonata admin service names<RIGHT>
is one of (reference):
CREATE
DELETE
EDIT
LIST
VIEW
EXPORT
OPERATOR
MASTER
The following is a snippet from my security.yml:
role_hierarchy:
ROLE_MANAGER:
- ROLE_USER
- ROLE_SONATA_STUFF # have no effect on the UI
- ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
# user
- ROLE_SONATA_ADMIN_USER_LIST
- ROLE_SONATA_ADMIN_USER_VIEW
# product
- ROLE_SONATA_ADMIN_PRODUCT_LIST
- ROLE_SONATA_ADMIN_PRODUCT_VIEW
- ROLE_SONATA_ADMIN_PRODUCT_EDIT
# product category
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
ROLE_ADMIN:
- ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
# user
- ROLE_SONATA_ADMIN_USER_CREATE
- ROLE_SONATA_ADMIN_USER_DELETE
- ROLE_SONATA_ADMIN_USER_EDIT
- ROLE_SONATA_ADMIN_USER_LIST
- ROLE_SONATA_ADMIN_USER_VIEW
- ROLE_SONATA_ADMIN_USER_EXPORT
- ROLE_SONATA_ADMIN_USER_OPERATOR
- ROLE_SONATA_ADMIN_USER_MASTER
# product
- ROLE_SONATA_ADMIN_PRODUCT_CREATE
- ROLE_SONATA_ADMIN_PRODUCT_DELETE
- ROLE_SONATA_ADMIN_PRODUCT_EDIT
- ROLE_SONATA_ADMIN_PRODUCT_LIST
- ROLE_SONATA_ADMIN_PRODUCT_VIEW
- ROLE_SONATA_ADMIN_PRODUCT_EXPORT
- ROLE_SONATA_ADMIN_PRODUCT_OPERATOR
- ROLE_SONATA_ADMIN_PRODUCT_MASTER
# product category
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_CREATE
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_DELETE
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EXPORT
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_OPERATOR
- ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_MASTER
# purchase
- ROLE_SONATA_ADMIN_PURCHASE_CREATE
- ROLE_SONATA_ADMIN_PURCHASE_DELETE
- ROLE_SONATA_ADMIN_PURCHASE_EDIT
- ROLE_SONATA_ADMIN_PURCHASE_LIST
- ROLE_SONATA_ADMIN_PURCHASE_VIEW
- ROLE_SONATA_ADMIN_PURCHASE_EXPORT
- ROLE_SONATA_ADMIN_PURCHASE_OPERATOR
- ROLE_SONATA_ADMIN_PURCHASE_MASTER
# payment
- ROLE_SONATA_ADMIN_PAYMENT_CREATE
- ROLE_SONATA_ADMIN_PAYMENT_DELETE
- ROLE_SONATA_ADMIN_PAYMENT_EDIT
- ROLE_SONATA_ADMIN_PAYMENT_LIST
- ROLE_SONATA_ADMIN_PAYMENT_VIEW
- ROLE_SONATA_ADMIN_PAYMENT_EXPORT
- ROLE_SONATA_ADMIN_PAYMENT_OPERATOR
- ROLE_SONATA_ADMIN_PAYMENT_MASTER
# notification: email template
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_CREATE
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_DELETE
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EDIT
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_LIST
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_VIEW
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EXPORT
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_OPERATOR
- ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_MASTER
ROLE_SUPER_ADMIN:
- ROLE_ADMIN
- ROLE_ALLOWED_TO_SWITCH
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_SONATA_ADMIN }
The following is a snippet from my @AdminBundle/Resources/config/service.yml (only service names are relevant here):
sonata.admin.user:
class: Acme\AdminBundle\Admin\UserAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "User", label: "User" }
arguments:
- ~
- Acme\UserBundle\Entity\User
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]
sonata.admin.product:
class: Acme\AdminBundle\Admin\ProductAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "Store", label: "Product" }
arguments:
- ~
- Acme\StoreBundle\Entity\Product
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]
sonata.admin.product_category:
class: Acme\AdminBundle\Admin\ProductCategoryAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "Store", label: "Category" }
arguments:
- ~
- Acme\StoreBundle\Entity\ProductCategory
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]
sonata.admin.purchase:
class: Acme\AdminBundle\Admin\PurchaseAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "Store", label: "Purchase" }
arguments:
- ~
- Acme\StoreBundle\Entity\Purchase
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]
sonata.admin.payment:
class: Acme\AdminBundle\Admin\PaymentAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "Payment", label: "Payment" }
arguments:
- ~
- Acme\PaymentBundle\Entity\Payment
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]
sonata.admin.notification.email_template:
class: Acme\AdminBundle\Admin\Notification\EmailTemplateAdmin
tags:
- { name: sonata.admin, manager_type: orm, group: "Notification", label: "Email Template" }
arguments:
- ~
- Acme\NotificationBundle\Entity\EmailTemplate
- ~
calls:
- [ setTranslationDomain, [AcmeAdminBundle]]