Closed: core23 closed this issue 2 years ago.
I faced the same problem. This solution helped me:

security.yml

```yaml
security:
    role_hierarchy:
        ROLE_USER:
            - ROLE_ADMIN_USER_ADDRESS_ALL
            - ROLE_ADMIN_USER_CARGO_ALL
            - ROLE_ADMIN_USER_CITY_ALL
            - ROLE_ADMIN_USER_ORDER_ALL
        ROLE_ADMIN:
            - ROLE_ADMIN
            - ROLE_ADMIN_USERS_ALL
            - ROLE_ADMIN_ADDRESS_ALL
            - ROLE_ADMIN_CARGO_ALL
            - ROLE_ADMIN_CITY_ALL
            - ROLE_ADMIN_ORDER_ALL
```

config.yml

```yaml
sonata_admin:
    security:
        handler: sonata.admin.security.handler.role
```
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This issue is pretty old; is it still relevant? Do you have a repository to reproduce the issue?
I have a config similar to the one proposed by @Xmblr and it works fine for me.
Yes, the issue is still relevant. The solution provided by @Xmblr describes a different problem.
I updated the issue description to provide more information about the actual problem.
I've never used ACL; I'm kinda interested to debug this in order to learn more, but I have a lot of questions.
Seems like ACL is not recommended anymore: https://github.com/sonata-project/SonataAdminBundle/issues/7303. Does it currently work for Sonata, in the other way you described?
Also, can you describe how you do this?

> Add the ACME_VIEWER permission to a user or group for the ACME admin.

This seems not hard to debug: `getSecurityInformation` is not used a lot in our code. But to debug, I'd like to reproduce the issue with a project or a failing test.
Can you explain how to reproduce the issue @core23? I never used ACL before.
Also, does it mean ACL is not working at all so far for SonataAdmin? If so, it would mean nobody is using this and we could deprecate/remove the feature and solve #7303.
> Also, does it mean ACL is not working at all so far for SonataAdmin? If so, it would mean nobody is using this and we could deprecate/remove the feature and solve #7303.

This is not related to the ACL itself, but the ACL security handler works a little differently than the normal role handler.
> Can you explain how to reproduce the issue @core23? I never used ACL before.

I thought the issue description was clear enough, but I can try to explain it a little bit more.
Normally you have the following rules on an admin: CREATE, DELETE, EDIT, EXPORT, LIST and VIEW.
Given the following config, I would expect that if you assign the EDITOR role for a specific admin (e.g. AcmeAdmin.php) to a user, the user would receive the EDIT, LIST and CREATE roles for this admin.

```yaml
sonata_admin:
    security:
        handler: sonata.admin.security.handler.role
        information:
            VIEWER: [VIEW, LIST, EXPORT]
            EDITOR: [EDIT, LIST, CREATE]
            ADMIN: [OPERATOR, MASTER]
```

This works if you use the sonata.admin.security.handler.acl security handler, but not if you use the sonata.admin.security.handler.role handler.
Looking at the code, we have

```php
$container->setParameter('sonata.admin.configuration.security.information', $config['security']['information']);
```

then

```php
$definition->addMethodCall('setSecurityInformation', ['%sonata.admin.configuration.security.information%']);
```

And if you look at all the calls of `getSecurityInformation`, there is
So this seems pretty clear that the feature is ACL-related, so I'm not shocked if it's only for sonata.admin.security.handler.acl.
But we might be able to add this to the role security handler; currently we're doing

```php
return $this->isAnyGranted($this->superAdminRoles)
    || $this->isAnyGranted($attributes, $object)
    || $useAll && $this->isAnyGranted([$allRole], $object);
```
We could add something like

```php
$baseRole = $this->getBaseRole($admin);
$extraRolesToCheck = [];
foreach ($attributes as $attribute) {
    // Every group role whose permission list contains this attribute also grants it
    foreach ($admin->getSecurityInformation() as $role => $permissions) {
        foreach ($permissions as $permission) {
            if (sprintf($baseRole, $permission) === $attribute) {
                $extraRolesToCheck[] = sprintf($baseRole, $role);
            }
        }
    }
}
$extraRolesToCheck = array_unique($extraRolesToCheck);
```
WDYT @core23?
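To make the expected behaviour concrete, here is an added stand-alone model (not SonataAdminBundle code) of the role-based check with the grouped-role expansion proposed above. It assumes the per-admin role pattern is derived from the admin code the way the role handler does (`ROLE_<CODE>_%s`), uses the admin code `sonata.acme.admin.acme` so that the roles match the names quoted in this issue, and replaces the voter-backed `isAnyGranted` with a plain intersection against the user's role list (no object-level voters). The function names `baseRoleFor`, `groupRolesImplying` and `isGrantedOnAdmin` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not SonataAdminBundle code: models how a grouped role such as
// ROLE_SONATA_ACME_ADMIN_ACME_VIEWER can be expanded into the concrete per-admin
// roles (VIEW, LIST, EXPORT) using the `security.information` mapping.

/** Mirrors how the role handler derives the per-admin role pattern from the admin code. */
function baseRoleFor(string $adminCode): string
{
    // e.g. "sonata.acme.admin.acme" -> "ROLE_SONATA_ACME_ADMIN_ACME_%s"
    return sprintf('ROLE_%s_%%s', str_replace('.', '_', strtoupper($adminCode)));
}

/**
 * Grouped roles from the `security.information` mapping that imply $attribute.
 * Expansion is a single level: a group maps only to concrete permissions, never
 * to another group, so the lookup is bounded and cannot loop.
 */
function groupRolesImplying(string $baseRole, array $securityInformation, string $attribute): array
{
    $roles = [];
    foreach ($securityInformation as $group => $permissions) {
        foreach ($permissions as $permission) {
            if (sprintf($baseRole, $permission) === $attribute) {
                $roles[] = sprintf($baseRole, $group);
            }
        }
    }

    return array_values(array_unique($roles));
}

/**
 * Decide whether a user holding $userRoles may perform $permission on the admin.
 * The accepted roles follow the order of the handler quoted in this thread:
 * super-admin roles, the concrete per-admin role, the *_ALL shortcut, and then
 * (the proposed addition) any grouped role that lists the permission.
 */
function isGrantedOnAdmin(
    array $userRoles,
    string $adminCode,
    array $securityInformation,
    string $permission,
    array $superAdminRoles = ['ROLE_SUPER_ADMIN']
): bool {
    $baseRole = baseRoleFor($adminCode);
    $attribute = sprintf($baseRole, $permission);

    $accepted = array_merge(
        $superAdminRoles,
        [$attribute, sprintf($baseRole, 'ALL')],
        groupRolesImplying($baseRole, $securityInformation, $attribute)
    );

    return [] !== array_intersect($accepted, $userRoles);
}

// Constructed sample data modelled on the configuration quoted in this issue.
$information = [
    'VIEWER' => ['VIEW', 'LIST', 'EXPORT'],
    'EDITOR' => ['EDIT', 'LIST', 'CREATE'],
];
$adminCode = 'sonata.acme.admin.acme';
// A user who was only given the grouped VIEWER role for the ACME admin.
$viewer = ['ROLE_USER', 'ROLE_SONATA_ACME_ADMIN_ACME_VIEWER'];

foreach (['VIEW', 'LIST', 'EXPORT', 'EDIT', 'DELETE'] as $permission) {
    printf(
        "%-6s %s\n",
        $permission,
        isGrantedOnAdmin($viewer, $adminCode, $information, $permission) ? 'granted' : 'denied'
    );
}
```

Run with `php example.php`: the VIEWER user is granted VIEW, LIST and EXPORT through the group mapping while EDIT and DELETE stay denied, which is exactly the translation the issue reports as missing from the role handler. Keeping the expansion to one level matters from an authorization standpoint: a group can only ever widen to the permissions it explicitly lists, so a misconfigured `information` block cannot chain into the super-admin roles.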
> This works if you use the sonata.admin.security.handler.acl security handler, but not if you use the sonata.admin.security.handler.role handler.

Looking at the sonata.admin.security.handler.acl, the `isGranted` method is

```php
return $this->isAnyGranted($this->superAdminRoles) ||
    $this->isAnyGranted($attributes, $object);
```

There is no check of `$admin->getSecurityInformation()`.
Are you sure it works this way for AclHandler?
Does giving ROLE_SONATA_ACME_ADMIN_ACME_VIEWER to someone allow him to have ROLE_SONATA_ACME_ADMIN_ACME_VIEW when the AclHandler is used?
To me it looks like overcomplicating a feature that is already flexible enough. If the security information is only used for ACL, imho it should stay the same.
> To me it looks like overcomplicating a feature that is already flexible enough. If the security information is only used for ACL, imho it should stay the same.

To me the feature is just doing something different than what is asked here, even for the AclHandler.
If you give ROLE_SONATA_ACME_ADMIN_ACME_VIEWER to someone, it won't work as core23 would have expected, even using the AclSecurityHandler.
So this is more a new feature with a new configuration key, which could be something like `role_hierarchy`.
Currently there is only a shortcut `ALL => [....]`. But this could be a way to introduce more.
But this issue/feature request was pending for 3 years without any activity, so I think we can close it.
## Environment

### Sonata packages

### Symfony packages

### PHP version

## Subject

When using the role security model and defining an information mapping, the mapping is ignored.

## Steps to reproduce

Define the following config:

Add the ACME_VIEWER permission to a user or group for the ACME admin.

## Expected results

The user gets the ROLE_SONATA_ACME_ADMIN_ACME_VIEWER role and can access the corresponding admin page.

## Actual results

The user gets the ROLE_SONATA_ACME_ADMIN_ACME_VIEWER role, but can't access the admin page, because the role is not translated to the sub roles: ROLE_SONATA_ACME_ADMIN_ACME_VIEW, ROLE_SONATA_ACME_ADMIN_ACME_LIST and ROLE_SONATA_ACME_ADMIN_ACME_EXPORT.

## Probable solution

The securityInformation is only used for ACL permissions inside the AclSecurityHandler class. There is no special handling inside the RoleSecurityHandler class.