PermissionsBundle
Use expression based permissions instead of roles or voters to simplify your security in Symfony. Feel free to contribute! :+1: Project was initiated after this discussion: https://github.com/symfony...
Permissions bundle
The goal of this bundle is to add simple ExpressionLanguage-based permissions to Symfony: something with more logic than plain Roles, but far less heavy than writing a Voter class for every check.
Install
- Require it with composer

```bash
$ composer require orbitale/permissions-bundle
```

- Add the bundle to your kernel

```php
<?php

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = [
            // ...
            new Orbitale\Bundle\PermissionsBundle\PermissionsBundle(),
        ];

        return $bundles;
    }
}
```

- Setup your desired permissions:

```yaml
# app/config/security.yml
permissions:
    rules:
        ADMIN_EDIT: 'user and user.getStatus() === constant("AppBundle\\Entity\\User::STATUS_ADMIN")'
        SUBSCRIBE: 'user and user.isMemberOfTheTeam()'
        CHUCK_NORRIS: 'user and user.getUsername() === "Chuck Norris"'
```

- Use them in your controllers

```php
<?php

namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class DefaultController extends Controller
{
    public function badassAction()
    {
        $this->denyAccessUnlessGranted('CHUCK_NORRIS');

        // ...
    }
}
```
Configuration reference
```yaml
permissions:
    defaults:
        # Variables to add to ExpressionLanguage, for easier access if you need them
        expression_variables: []
        # Added to every rule that does not set its own "supports" attribute
        supports: null
    rules:
        # Full prototype
        # Key names *must* be uppercase
        PERMISSION_KEY_NAME:
            supports: null
            on_vote: null # Required
        # Short form: a single string is the "on_vote" expression, if you don't care about "supports"
        PERMISSION_KEY_NAME: 'on_vote expression'
```
Real life example
```yaml
permissions:
    defaults:
        expression_variables:
            user_class: AppBundle\Entity\User
            post_class: AppBundle\Entity\Post
        supports: 'instanceof(user, user_class)'
    rules:
        ADMIN: 'user.isAdmin()'
        EDIT_POST:
            supports: 'instanceof(user, user_class) and instanceof(subject, post_class)'
            on_vote: 'user.isAdmin() and subject.getAuthor().getId() === user.getId()'
```
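The following controller is an added example (it is not part of this bundle's README) showing how the `ADMIN` and `EDIT_POST` rules from the real life example above are consumed. It assumes `AppBundle\Entity\Post` exposes `getAuthor()` returning a `User`, and that `AppBundle\Entity\User` exposes `isAdmin()` and `getId()`, since the expressions call those methods; `PostController` and `editAction`/`adminDashboardAction` are names chosen for the illustration.

```php
<?php
// Added example, not the bundle's own code. Assumes the entity methods the
// expressions above call (Post::getAuthor(), User::isAdmin(), User::getId()).
namespace AppBundle\Controller;

use AppBundle\Entity\Post;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class PostController extends Controller
{
    public function editAction($id)
    {
        $post = $this->getDoctrine()->getRepository(Post::class)->find($id);
        if (!$post) {
            throw $this->createNotFoundException();
        }

        // The second argument is exposed to the expressions as "subject", so
        // the EDIT_POST "supports" check (instanceof(subject, post_class)) and
        // the "on_vote" check (author id === current user id) both see it.
        // Anyone failing the on_vote expression receives a 403 here.
        $this->denyAccessUnlessGranted('EDIT_POST', $post);

        // ... handle the edit form

        return new Response('edit form for post ' . $post->getId());
    }

    public function adminDashboardAction()
    {
        // ADMIN takes no subject. The "supports" from "defaults"
        // (instanceof(user, user_class)) still guards it, so the
        // "user.isAdmin()" expression is only evaluated against a real
        // User object and never against an anonymous token's user value
        // (assumption: a failed "supports" makes the voter abstain, as
        // Symfony voters do, and abstaining alone never grants access).
        $this->denyAccessUnlessGranted('ADMIN');

        return new Response('admin dashboard');
    }
}
```

Templates can reuse the same rule with the subject passed through Symfony's standard helper, e.g. `{% if is_granted('EDIT_POST', post) %}`, so the authorization logic lives only in the `permissions` configuration. Note that a rule whose `supports` never matches can only ever abstain, and under Symfony's default `affirmative` access decision strategy an abstain from every voter is a denial, which is the safe direction for a mistyped rule.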