How to use roles in SonataAdminBundle

JeanValjean · Jan 4, 2013 · Viewed 17.1k times

I started to use SonataAdminBundle in a Symfony 2.1 application. I developed all the Admin classes and now I wish to add roles to prevent the view, list and edit actions for certain user groups (e.g. non-admin users).

Notice that I don't use the SonataUserBundle (derived from FOSUserBundle) and I want to use the sonata.admin.security.handler.role security handler provided by Sonata: ACL is too powerful (and adds a lot of overhead) for my small project.

My own UserBundle provides a User class and a Group class (the latter is used to specify the role of each user). The role hierarchy is provided in my security.yml file, e.g.:

security:
    role_hierarchy:
        ROLE_POST_AUTHOR:            ROLE_USER
        ROLE_ADMIN:                  [ ROLE_USER, ROLE_POST_AUTHOR]
        ROLE_SUPER_ADMIN:            [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

Now, I configured the config.yml file by specifying the security handler:

sonata_admin:
    security:
        handler: sonata.admin.security.handler.role

The official docs are more focused on how to use ACL and SonataUserBundle, so I don't know how to link my roles from security.yml with the SonataAdminBundle.

PS: A similar question is: SonataAdminBundle Security roles.

Answer

vbarbarosh · Apr 3, 2014

Try to create roles of the form ROLE_<service.name>_<RIGHT>, where

  • <service.name> is the upper-cased version of your Sonata admin service name, with dots replaced by underscores
  • <RIGHT> is one of (see the reference below):
    • CREATE
    • DELETE
    • EDIT
    • LIST
    • VIEW
    • EXPORT
    • OPERATOR
    • MASTER

Example

The following is a snippet from my security.yml:

role_hierarchy:
    ROLE_MANAGER:
        - ROLE_USER
        - ROLE_SONATA_STUFF # has no effect on the UI
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW

    ROLE_ADMIN:
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_CREATE
        - ROLE_SONATA_ADMIN_USER_DELETE
        - ROLE_SONATA_ADMIN_USER_EDIT
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        - ROLE_SONATA_ADMIN_USER_EXPORT
        - ROLE_SONATA_ADMIN_USER_OPERATOR
        - ROLE_SONATA_ADMIN_USER_MASTER
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_MASTER
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_MASTER
        # purchase
        - ROLE_SONATA_ADMIN_PURCHASE_CREATE
        - ROLE_SONATA_ADMIN_PURCHASE_DELETE
        - ROLE_SONATA_ADMIN_PURCHASE_EDIT
        - ROLE_SONATA_ADMIN_PURCHASE_LIST
        - ROLE_SONATA_ADMIN_PURCHASE_VIEW
        - ROLE_SONATA_ADMIN_PURCHASE_EXPORT
        - ROLE_SONATA_ADMIN_PURCHASE_OPERATOR
        - ROLE_SONATA_ADMIN_PURCHASE_MASTER
        # payment
        - ROLE_SONATA_ADMIN_PAYMENT_CREATE
        - ROLE_SONATA_ADMIN_PAYMENT_DELETE
        - ROLE_SONATA_ADMIN_PAYMENT_EDIT
        - ROLE_SONATA_ADMIN_PAYMENT_LIST
        - ROLE_SONATA_ADMIN_PAYMENT_VIEW
        - ROLE_SONATA_ADMIN_PAYMENT_EXPORT
        - ROLE_SONATA_ADMIN_PAYMENT_OPERATOR
        - ROLE_SONATA_ADMIN_PAYMENT_MASTER
        # notification: email template
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_CREATE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_DELETE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EDIT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_LIST
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_VIEW
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EXPORT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_OPERATOR
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_MASTER

    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN
        - ROLE_ALLOWED_TO_SWITCH

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_SONATA_ADMIN }

The following is a snippet from my @AdminBundle/Resources/config/service.yml (only service names are relevant here):

sonata.admin.user:
    class: Acme\AdminBundle\Admin\UserAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "User", label: "User" }
    arguments:
        - ~
        - Acme\UserBundle\Entity\User
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product:
    class: Acme\AdminBundle\Admin\ProductAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Product" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Product
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product_category:
    class: Acme\AdminBundle\Admin\ProductCategoryAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Category" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\ProductCategory
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.purchase:
    class: Acme\AdminBundle\Admin\PurchaseAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Purchase" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Purchase
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.payment:
    class: Acme\AdminBundle\Admin\PaymentAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Payment", label: "Payment" }
    arguments:
        - ~
        - Acme\PaymentBundle\Entity\Payment
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.notification.email_template:
    class: Acme\AdminBundle\Admin\Notification\EmailTemplateAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Notification", label: "Email Template" }
    arguments:
        - ~
        - Acme\NotificationBundle\Entity\EmailTemplate
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

Reference

  1. Role Based Security in Sonata Admin
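The naming rule and the hierarchy above are easy to get subtly wrong (a misspelled service id silently grants nothing, an over-broad parent role silently grants everything), so it is worth auditing the effective rights per role rather than reading the YAML by eye. The following stand-alone Python script is an added example, not code from the question, the answer or Sonata itself: it derives the ROLE_<SERVICE>_<RIGHT> name the role handler checks for a given admin service id and right, resolves the role_hierarchy transitively the way Symfony's role hierarchy does, and prints a rights matrix per role. The hierarchy dict is a constructed subset of the answer's security.yml (user and product admins only); the function names are the example's own.

```python
"""Audit which Sonata rights each Symfony role effectively holds.

Added example: reproduces the ROLE_<SERVICE>_<RIGHT> naming convention
and a transitive role_hierarchy lookup so a security.yml can be checked
offline.  Constructed data, not the poster's real configuration.
"""
from collections import deque

# Rights recognised by sonata.admin.security.handler.role (from the answer).
RIGHTS = ("CREATE", "DELETE", "EDIT", "LIST", "VIEW", "EXPORT", "OPERATOR", "MASTER")


def sonata_role(service_id: str, right: str) -> str:
    """Map an admin service id and a right to the role Sonata checks.

    'sonata.admin.product_category' + 'EDIT'
        -> 'ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT'
    """
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}; expected one of {RIGHTS}")
    return f"ROLE_{service_id.upper().replace('.', '_')}_{right}"


def reachable_roles(hierarchy: dict, role: str) -> set:
    """All roles a user holding `role` effectively has (transitive closure).

    Symfony's role hierarchy is transitive: ROLE_SUPER_ADMIN -> ROLE_ADMIN
    -> ROLE_SONATA_ADMIN_USER_EDIT means the super admin can edit users.
    A role always grants itself.
    """
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for child in hierarchy.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def is_granted(hierarchy: dict, user_roles, service_id: str, right: str) -> bool:
    """True if any of the user's roles reaches the required Sonata role."""
    needed = sonata_role(service_id, right)
    return any(needed in reachable_roles(hierarchy, r) for r in user_roles)


def rights_matrix(hierarchy: dict, roles, service_ids) -> dict:
    """{role: {service_id: [rights effectively granted]}} for an audit report."""
    matrix = {}
    for role in roles:
        granted = reachable_roles(hierarchy, role)
        matrix[role] = {
            sid: [r for r in RIGHTS if sonata_role(sid, r) in granted]
            for sid in service_ids
        }
    return matrix


# Constructed hierarchy: a subset of the answer's security.yml, kept to the
# user and product admins so the output stays readable.
HIERARCHY = {
    "ROLE_MANAGER": [
        "ROLE_USER",
        "ROLE_SONATA_ADMIN",
        "ROLE_SONATA_ADMIN_USER_LIST",
        "ROLE_SONATA_ADMIN_USER_VIEW",
        "ROLE_SONATA_ADMIN_PRODUCT_LIST",
        "ROLE_SONATA_ADMIN_PRODUCT_VIEW",
        "ROLE_SONATA_ADMIN_PRODUCT_EDIT",
    ],
    "ROLE_ADMIN": ["ROLE_SONATA_ADMIN"]
    + [sonata_role("sonata.admin.user", r) for r in RIGHTS]
    + [sonata_role("sonata.admin.product", r) for r in RIGHTS],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}

SERVICES = ("sonata.admin.user", "sonata.admin.product")

if __name__ == "__main__":
    for role, per_service in rights_matrix(HIERARCHY, HIERARCHY, SERVICES).items():
        print(role)
        for sid, rights in per_service.items():
            print(f"  {sid:<24} {', '.join(rights) or '(none)'}")
```

Running it lists, for each top-level role, exactly which rights it ends up with on each admin; a manager showing DELETE on the user admin, or an admin showing nothing on a newly added service, is the kind of mismatch this catches before deployment.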