knplabs/rad-security

Provide RAD security components

v3.0.0 2020-06-24 09:05 UTC

This package is auto-updated.

Last update: 2020-08-24 09:28:47 UTC


README

Provide RAD security components

Build Status

Official maintainers:

Installation

composer require knplabs/rad-security ~2.1
class AppKernel
{
    function registerBundles()
    {
        $bundles = array(
            //...
            new Knp\Rad\Security\Bundle\SecurityBundle(),
            //...
        );

        //...

        return $bundles;
    }
}

Use

IS_OWNER voter

You now have access to a voter that checks if the authenticated user is the owner of an object.

The user contained inside the security token must implement Knp\Rad\Security\OwnerInterface.

The object you're about to test ownership must implement Knp\Rad\Security\OwnableInterface.

Example

<?php

namespace App\Model;

use Knp\Rad\Security\OwnerInterface;

class User implements OwnerInterface
{
}
<?php

namespace App\Model;

use Knp\Rad\Security\OwnableInterface;
use App\Model\User;

class Book implements OwnableInterface
{
    /** @var App\Model\User */
    protected $writtenBy;

    public function __construct(User $writtenBy)
    {
        $this->writtenBy = $writtenBy;
    }

    public function getOwner()
    {
        return $this->writtenBy;
    }
}
$zola = new \App\Model\User(); // He is the current authenticated user
$hugo = new \App\Model\User();

$germinal = new \App\Model\Book($zola);
$miserables = new \App\Model\Book($hugo);

$authorizationChecker = $container->get(/* ... */);
$authorizationChecker->isGranted(array('IS_OWNER'), $germinal); // true
$authorizationChecker->isGranted(array('IS_OWNER'), $miserables); // false

Security from routing

You can specify security constraints directly from your routing by providing a role or an array of roles with the roles parameter. If you specify an array, it will be passed as is to the authorization checker, and that means the authorization strategy depends on your configuration of the security component.

Example

acme_demo:
    path: /demo
    defaults:
        _controller: FrameworkBundle:Template:template
        template: Acme:demo:index.html.twig
        _security:
            - roles: IS_AUTHENTICATED_FULLY

The main advantage comes when used with the rad-resource-resolver component & the ParamConverter from SensioLabs. You can provide a subject previously resolved and available in the request attributes. If you have many objects resolved against which you can check security constraints, you can specify many rules.

Example

acme_group_update:
    path: /team/{tid}/group/{gid}/update
    defaults:
        _controller: AcmeBundle:Group:update
        template: Acme:Group:update.html.twig
        _resources:
            team:
                # ...
            group:
                # ...
        _security:
            -
                roles: [IS_MEMBER, ANOTHER_ROLE]
                subject: team
            -
                roles: IS_OWNER
                subject: group