How to use roles in SonataAdminBundle

symfony roles symfony-2.1 sonata-admin
JeanValjean picture JeanValjean · Jan 4, 2013 · Viewed 17.1k times · Source

I started to use SonataAdminBundle in a Symfony2.1 application. I developed all the Admin classes and now I wish to add roles to prevent view, list and edit actions to such user groups (e.g. non-admin users).

Notice that I don't use the SonataUserBundle (derived from FOSUserBundle) and I want to use the sonata.admin.security.handler.role security handler provided by the Sonata: ACL is too much powerful (and provides a lot of overhead) for my small project.

My own UserBundle provides User class and Group class (the last used to specify the role of each user). The role hierarchy is provided in my security.yml file, e.g.:

security:
    role_hierarchy:
        ROLE_POST_AUTHOR:            ROLE_USER
        ROLE_ADMIN:                  [ ROLE_USER, ROLE_POST_AUTHOR]
        ROLE_SUPER_ADMIN:            [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

Now, I configured the config.yml file by specifying the security handler

sonata_admin:
    security:
        handler: sonata.admin.security.handler.role

The official docs are more focused on how using ACL and SonataUserBundle, so I don't know how to link my roles from security.yml with the SonataAdminBundle.

PS: A similar question is: SonataAdminBundle Security roles.

Answer

vbarbarosh picture vbarbarosh · Apr 3, 2014

Try to create roles with ROLE_<service.name>_<RIGHT> where

  • <service.name> is UPPER-CASE-ed and DOT-REPLACED-BY-UNDERSCORE version of your sonata admin service names
  • <RIGHT> is one of (reference):
    • CREATE
    • DELETE
    • EDIT
    • LIST
    • VIEW
    • EXPORT
    • OPERATOR
    • MASTER

Example

The following is a snippet from my security.yml:

role_hierarchy:

    ROLE_MANAGER:
        - ROLE_USER
        - ROLE_SONATA_STUFF # have no effect on the UI
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW

    ROLE_ADMIN:
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_CREATE
        - ROLE_SONATA_ADMIN_USER_DELETE
        - ROLE_SONATA_ADMIN_USER_EDIT
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        - ROLE_SONATA_ADMIN_USER_EXPORT
        - ROLE_SONATA_ADMIN_USER_OPERATOR
        - ROLE_SONATA_ADMIN_USER_MASTER
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_MASTER
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_MASTER
        # purchase
        - ROLE_SONATA_ADMIN_PURCHASE_CREATE
        - ROLE_SONATA_ADMIN_PURCHASE_DELETE
        - ROLE_SONATA_ADMIN_PURCHASE_EDIT
        - ROLE_SONATA_ADMIN_PURCHASE_LIST
        - ROLE_SONATA_ADMIN_PURCHASE_VIEW
        - ROLE_SONATA_ADMIN_PURCHASE_EXPORT
        - ROLE_SONATA_ADMIN_PURCHASE_OPERATOR
        - ROLE_SONATA_ADMIN_PURCHASE_MASTER
        # payment
        - ROLE_SONATA_ADMIN_PAYMENT_CREATE
        - ROLE_SONATA_ADMIN_PAYMENT_DELETE
        - ROLE_SONATA_ADMIN_PAYMENT_EDIT
        - ROLE_SONATA_ADMIN_PAYMENT_LIST
        - ROLE_SONATA_ADMIN_PAYMENT_VIEW
        - ROLE_SONATA_ADMIN_PAYMENT_EXPORT
        - ROLE_SONATA_ADMIN_PAYMENT_OPERATOR
        - ROLE_SONATA_ADMIN_PAYMENT_MASTER
        # notification: email template
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_CREATE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_DELETE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EDIT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_LIST
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_VIEW
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EXPORT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_OPERATOR
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_MASTER

    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN
        - ROLE_ALLOWED_TO_SWITCH

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_SONATA_ADMIN }

The following is a snippet from my @AdminBundle/Resources/config/service.yml (only service names are relevant here):

sonata.admin.user:
    class: Acme\AdminBundle\Admin\UserAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "User", label: "User" }
    arguments:
        - ~
        - Acme\UserBundle\Entity\User
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product:
    class: Acme\AdminBundle\Admin\ProductAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Product" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Product
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product_category:
    class: Acme\AdminBundle\Admin\ProductCategoryAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Category" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\ProductCategory
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.purchase:
    class: Acme\AdminBundle\Admin\PurchaseAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Purchase" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Purchase
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.payment:
    class: Acme\AdminBundle\Admin\PaymentAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Payment", label: "Payment" }
    arguments:
        - ~
        - Acme\PaymentBundle\Entity\Payment
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.notification.email_template:
    class: Acme\AdminBundle\Admin\Notification\EmailTemplateAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Notification", label: "Email Template" }
    arguments:
        - ~
        - Acme\NotificationBundle\Entity\EmailTemplate
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

Reference

  1. Role Based Security in Sonata Admin

Related questions

When are user roles refreshed and how to force it?

First off, I'm not using FOSUserBundle and I can't because I'm porting a legacy system which has its own Model layer (no Doctrine/Mongo/whatsoever here) and other very custom behavior. I'm trying to connect my legacy role system with …

Read More
Symfony2 - array to string conversion error

I've read the other subjects but it doesn't solve my problem so: I've got this ->add('role', 'choice', array( 'label' => 'I am:', 'mapped' => true, 'expanded' => true, 'multiple' => false, 'choices' => array( 'ROLE_NORMAL' =&…

Read More
Symfony granting path access to multiple roles in security.yml

Hi I would like to be able to allow access to a path in security.yml based on the user either having ROLE_TEACHER, or ROLE_ADMIN. According to the question in Multiple roles required for same url in symfony 2 …

Read More