Reputation: 28541
Where to implement the security filter for dynamic groups
First I'll describe rougthly the context. I want to have a symfony application where I can create various areas. In each of the areas, you can have different kinds of users (or roles). Each user can have multiple roles in different areas.
To illustrate the question, we'll define:
- 2 areas: "Area 1" and "Area 2".
- 2 users: "User 1" and "User 2".
- 2 roles: "seller" and "buyer".
- "User 1" is a seller and a buyer in "Area 1"
- "User 2" is a seller and a buyer in "Area 1" and a buyer only in "Area 2"
My question is: which is the best way to check in restricted pages if a user belongs to a given area and if he has the required role in that area.
After thinking a bit about it, I have done the following:
- When an area is created, I also create one sfGuardGroup per role and one global sfGuardGroup for the area, each suffixed with the area id. So in our example, we'll have the roles:
- area-1, sellers-1, buyers-1 for area 1
- area-2, sellers-2, buyers-2 for area 2
- The users are added to the relevant groups. So in our example:
- User 1 will belong to the groups area-1, sellers-1 and buyers-1
- User 2 will belong to the groups area-1, sellers-1, buyers-1, area-2 and buyers-2
- From the URL, I know in which area we are, for instance:
- http://example.com/area-1/sellers-restricted-page (accessible to users in the group area-1 and sellers-1)
- http://example.com/area-2/buyers-restricted-page (accessible to users in the group area-2 and buyers-2)
- http://example.com/area-2/ (accessible to users in the group area-2)
At that point, I am kind of stuck as I cannot make out the best place to implement the permission check: modify the guard filter? Change the actions?
Upvotes: 2
Views: 241
Answers (1)
Reputation: 629
Your required implementation is not supported by sfGuard so I would recommend creating a new, additional, security filter.
You can create a brand new filter that extends sfFilter, then add it into filter.yml after the existing security filter. This means that all existing security functionality provided by sfGuard continues.
You can then determine what area is being requested by looking at the current module name and action name (how you access these is different dependent on which version of symfony you are using, look in sfBasicSecurityFilter for a clue) then compare that with the roles that the current user has using sfGuardSecurityUser.
Upvotes: 1
Related Questions
- Symfony2 - Dynamic Role Management
- Create new users with the same group(s) as the user logged in
- Assign groups based on logged user credentials
- Login based on user groups Symfony 1.4.20 and sfDoctrineGuard
- with Symfony sfDoctrineGuardPlugin, i need to have user group and some settings for permissions etc
- symfony drop down with sfguardusers from a specific group
- get all groups from the Users - sfDoctrineGuardPlugin
- advanced / dynamic permissions on sfguard - symfony
- Symfony : How to use permission / groups with sfGuardAuth
- Symfony sfGuardPlugin (group, permissions and credentials) question