Symfony2 : controlling access to a ressource

Question

I'm working on an application where each user may have access to many Project(s) and where each Project may contain many Campaign(s) and so on and so forth. Then my URLs look like:

/project/{project}/member

/project/{project}/member/{member}

/project/{project}/campaign

/project/{project}/campaign/{campaign}

/project/{project}/campaign/{campaign}/plot

/project/{project}/campaign/{campaign}/plot/{plot}

I've read that @ParamConverter can handle these URLs to suit my needs.

--Problem--

I'm looking for a way to very that any user accessing a project is authorized to... without copy the code inside each controller. One user can be bounded to many projects, granted with (ROLE_MEMBER or ROLE_ADMIN).

Answer 1

I would suggest making yourself a KernelEvents::CONTROLLER listener per http://symfony.com/doc/current/cookbook/service_container/event_listener.html

Your listener will be called after the route is matched to a controller but before the controller's action method is called. The request argument will have your project/campaign etc variables set.

I would then suggest letting this listener load in your project and campaign instead of using param converter. I just think it will be a bit cleaner. All you need to do is to retrieve them then store them back into your request object. They will then end up in your controller action method.

Once you have your objects then you can use the security context to check the roles and just toss an AccessDenied exception if needed.

I would actually move the permission checking stuff to one or more security voters http://symfony.com/doc/current/cookbook/security/voters_data_permission.html .

This will give you more fine grained access control without resorting to a full blown access control list. It also means that you can do the role checking in other places such as templates if need be.