Stefano

Reputation: 3258

Controller's view access with Symfony 2 ACL

I need a way to implement, with Symfony 2.1, a list of permissions (the built-in permission map should be fine) that act as global permissions. What I have to do is limit which views a group or a user can see. For example, I have two controllers (controllerA and controllerB) and two users (userA and userB). The first user should be able to see the view managed by controllerA, but he shouldn't be able to view controllerB's view. userB, instead, should be able to see both controllers. I found the tutorial about the ACL in the Symfony book/cookbook, but it seems to only talk about permissions applied to entities, and controllers aren't entities. Any suggestion?

UPDATE 1: I found that an ObjectIdentity can also be created from an id rather than from an object. This means that I can check permissions against an entire controller class by using:

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class MyController extends Controller
{
    // ObjectIdentity::fromDomainObject() falls back to getId() when the object
    // does not implement DomainObjectInterface, so this string identifies the
    // whole controller class in the ACL tables.
    public function getId()
    {
        return 'my_controller';
    }

    public function indexAction()
    {
        // 'VIEW' is one of the built-in permissions (BasicPermissionMap). A custom
        // name such as MY_PERMISSION is unknown to MaskBuilder and to the permission
        // map, so the ACL voter would abstain and the check could never pass.
        if ($this->get('security.context')->isGranted('VIEW', $this) === false)
        {
            throw new AccessDeniedException();
        }

        ...
    }
}

and the following code to insert the ACL entries into the database:

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// Create the ACL for the controller's identity (identifier 'my_controller', type = class name).
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($this);
$acl = $aclProvider->createAcl($objectIdentity);

// Grant to the currently authenticated user.
$securityContext = $this->get('security.context');
$user = $securityContext->getToken()->getUser();
$securityIdentity = UserSecurityIdentity::fromAccount($user);

// Built-in permission name; MaskBuilder resolves 'VIEW' to MaskBuilder::MASK_VIEW.
$builder = new MaskBuilder();
$builder->add('VIEW');
$mask = $builder->get();

$acl->insertObjectAce($securityIdentity, $mask);
$aclProvider->updateAcl($acl);

This seems to work. I have two users: to the first I gave the permission to view the controller's class with the code above, and it works, whereas the second user, with no permissions set, gets an access denied exception. However, I still have to figure out how to give permissions to single controller actions. An obvious solution would be to have a controller class for each route entry, but this is not reasonable.

Upvotes: 2

Views: 2625

Answers (1)

DarkLeafyGreen

Reputation: 70466

There is no common pattern for what you're requesting. Symfony2 Security: http://symfony.com/doc/current/book/security.html

Did you consider just checking the user's role or group before granting access to actions?

use Symfony\Component\Security\Core\Exception\AccessDeniedException;

if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
    throw new AccessDeniedException();
}

The exception might render some custom error page.

What about:

security:
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }

in your security.yml

Upvotes: 1
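The open point in the question's update (per-action permissions without one class per route) can be handled with the same id-based ObjectIdentity idea: build one identity per action from a string instead of from the controller object. This is an added example, not code from the question or the answer; the bundle namespace, the `ReportController` class and the `report.<action>` / `controller_action` naming are assumptions.

```php
<?php
// Added example, not code from the question or answer: per-action ACL checks in Symfony 2.1,
// one ObjectIdentity per action built from an id string (no getId() on the controller needed).
// Assumes the ACL tables exist (php app/console init:acl) and security.acl is configured.
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class ReportController extends Controller
{
    // "report.<action>" / "controller_action" is a hypothetical naming scheme; the
    // strings only need to be stable, because no domain object is ever loaded.
    private function actionIdentity($action)
    {
        return new ObjectIdentity('report.' . $action, 'controller_action');
    }
    // AclVoter accepts an ObjectIdentityInterface directly, so VIEW is resolved
    // against the ACEs stored for this action's identity only.
    private function denyUnlessAllowed($action)
    {
        $oid = $this->actionIdentity($action);
        if (false === $this->get('security.context')->isGranted('VIEW', $oid)) {
            throw new AccessDeniedException();
        }
    }
    public function indexAction()
    {
        $this->denyUnlessAllowed('index');   // grant this to userA and userB
        return new Response('report index');
    }
    public function exportAction()
    {
        $this->denyUnlessAllowed('export');  // grant this to userB only
        return new Response('report export');
    }
    // Grant VIEW on one action to a user; run once per identity (createAcl throws
    // AclAlreadyExistsException on a second call; use findAcl then to add more ACEs).
    public function grantView($action, $user)
    {
        $provider = $this->get('security.acl.provider');
        $acl = $provider->createAcl($this->actionIdentity($action));
        $acl->insertObjectAce(UserSecurityIdentity::fromAccount($user), MaskBuilder::MASK_VIEW);
        $provider->updateAcl($acl);
    }
}
```

A user with no ACE on `report.export` gets an AccessDeniedException from `exportAction()` even if `report.index` was granted, which is the per-action split the question asks for.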
