13

I started to use SonataAdminBundle in a Symfony2.1 application. I developed all the Admin classes and now I wish to add roles to prevent view, list and edit actions to such user groups (e.g. non-admin users).

Notice that I don't use the SonataUserBundle (derived from FOSUserBundle) and I want to use the sonata.admin.security.handler.role security handler provided by the Sonata: ACL is too much powerful (and provides a lot of overhead) for my small project.

My own UserBundle provides User class and Group class (the last used to specify the role of each user). The role hierarchy is provided in my security.yml file, e.g.:

security:
    role_hierarchy:
        ROLE_POST_AUTHOR:            ROLE_USER
        ROLE_ADMIN:                  [ ROLE_USER, ROLE_POST_AUTHOR]
        ROLE_SUPER_ADMIN:            [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

Now, I configured the config.yml file by specifying the security handler

sonata_admin:
    security:
        handler: sonata.admin.security.handler.role

The official docs are more focused on how using ACL and SonataUserBundle, so I don't know how to link my roles from security.yml with the SonataAdminBundle.

PS: A similar question is: SonataAdminBundle Security roles.

4

1 回答 1

18

尝试使用ROLE_<service.name>_<RIGHT>where创建角色

  • <service.name>是您的奏鸣曲管理服务名称的大写和 DOT-REPLACED-BY-UNDERSCORE 版本
  • <RIGHT>是(参考)之一:
    • CREATE
    • DELETE
    • EDIT
    • LIST
    • VIEW
    • EXPORT
    • OPERATOR
    • MASTER

例子

以下是我的security.yml的片段:

role_hierarchy:

    ROLE_MANAGER:
        - ROLE_USER
        - ROLE_SONATA_STUFF # have no effect on the UI
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW

    ROLE_ADMIN:
        - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
        # user
        - ROLE_SONATA_ADMIN_USER_CREATE
        - ROLE_SONATA_ADMIN_USER_DELETE
        - ROLE_SONATA_ADMIN_USER_EDIT
        - ROLE_SONATA_ADMIN_USER_LIST
        - ROLE_SONATA_ADMIN_USER_VIEW
        - ROLE_SONATA_ADMIN_USER_EXPORT
        - ROLE_SONATA_ADMIN_USER_OPERATOR
        - ROLE_SONATA_ADMIN_USER_MASTER
        # product
        - ROLE_SONATA_ADMIN_PRODUCT_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_MASTER
        # product category
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_CREATE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_DELETE
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EXPORT
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_OPERATOR
        - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_MASTER
        # purchase
        - ROLE_SONATA_ADMIN_PURCHASE_CREATE
        - ROLE_SONATA_ADMIN_PURCHASE_DELETE
        - ROLE_SONATA_ADMIN_PURCHASE_EDIT
        - ROLE_SONATA_ADMIN_PURCHASE_LIST
        - ROLE_SONATA_ADMIN_PURCHASE_VIEW
        - ROLE_SONATA_ADMIN_PURCHASE_EXPORT
        - ROLE_SONATA_ADMIN_PURCHASE_OPERATOR
        - ROLE_SONATA_ADMIN_PURCHASE_MASTER
        # payment
        - ROLE_SONATA_ADMIN_PAYMENT_CREATE
        - ROLE_SONATA_ADMIN_PAYMENT_DELETE
        - ROLE_SONATA_ADMIN_PAYMENT_EDIT
        - ROLE_SONATA_ADMIN_PAYMENT_LIST
        - ROLE_SONATA_ADMIN_PAYMENT_VIEW
        - ROLE_SONATA_ADMIN_PAYMENT_EXPORT
        - ROLE_SONATA_ADMIN_PAYMENT_OPERATOR
        - ROLE_SONATA_ADMIN_PAYMENT_MASTER
        # notification: email template
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_CREATE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_DELETE
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EDIT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_LIST
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_VIEW
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EXPORT
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_OPERATOR
        - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_MASTER

    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN
        - ROLE_ALLOWED_TO_SWITCH

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_SONATA_ADMIN }

以下是我的@AdminBundle/Resources/config/service.yml的一个片段(这里只有服务名称是相关的):

sonata.admin.user:
    class: Acme\AdminBundle\Admin\UserAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "User", label: "User" }
    arguments:
        - ~
        - Acme\UserBundle\Entity\User
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product:
    class: Acme\AdminBundle\Admin\ProductAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Product" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Product
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.product_category:
    class: Acme\AdminBundle\Admin\ProductCategoryAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Category" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\ProductCategory
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.purchase:
    class: Acme\AdminBundle\Admin\PurchaseAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Store", label: "Purchase" }
    arguments:
        - ~
        - Acme\StoreBundle\Entity\Purchase
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.payment:
    class: Acme\AdminBundle\Admin\PaymentAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Payment", label: "Payment" }
    arguments:
        - ~
        - Acme\PaymentBundle\Entity\Payment
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

sonata.admin.notification.email_template:
    class: Acme\AdminBundle\Admin\Notification\EmailTemplateAdmin
    tags:
        - { name: sonata.admin, manager_type: orm, group: "Notification", label: "Email Template" }
    arguments:
        - ~
        - Acme\NotificationBundle\Entity\EmailTemplate
        - ~
    calls:
        - [ setTranslationDomain, [AcmeAdminBundle]]

参考

  1. Sonata Admin 中基于角色的安全性
于 2014-04-03T14:20:21.160 回答