https://github.com/data-dog/acl-bundle
Symfony2 access control list management bundle
https://github.com/data-dog/acl-bundle
Last synced: 9 months ago
JSON representation
Symfony2 access control list management bundle
- Host: GitHub
- URL: https://github.com/data-dog/acl-bundle
- Owner: DATA-DOG
- License: other
- Created: 2015-01-28T13:46:03.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2015-02-27T12:18:07.000Z (over 11 years ago)
- Last Synced: 2025-07-07T08:48:29.236Z (12 months ago)
- Language: PHP
- Size: 223 KB
- Stars: 3
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
README
# ACL management bundle [](http://travis-ci.org/DATA-DOG/acl-bundle)
ACL comes without any database requirements. It is bare **ACL** manager.
The bundle only registers **resource** and **access policy** providers.
See **DOCTRINE.md** which shows how to configure database for policy management.
- Has symfony profiler bar
- Does not depend on database
- Basic resource and policy concept
## Configuration
This is the default **ACL** bundle configuration:
``` yaml
acl:
default_allowed: false # means that by default all ACL resources are denied
resource:
providers:
config: true # by default looks in bundles for ACL resources
annotations: true # looks for controller annotations
transformers:
doctrine: true # transforms entities or document resources with an ID at the end
```
## ACL resource
A resource is basically represented by a string.
``` php
$acl->isGranted("action", "app.resource.string");
```
Would be **"app.resource.string.action"**. Action is concatenated. That way
it is easier to store and match resources.
- **app.resource.string** - is a resource acccess point.
- **action** - is any action that can be done with the resource.
## ACL resource providers
Providers are used to collect all ACL resources from bundles.
The ACL provider interface:
``` php
namespace AclBundle\Resource;
interface ProviderInterface
{
/**
* Get a list of available ACL resources
*
* @return array - ['resource.string.action', ...]
*/
function resources();
}
```
All provider services must be tagged with **acl.resource.provider**. They should build
a resource map as required by interface.
### Bundle configuration
This type of ACL resource provider is enabled by default. It looks for configuration file:
**../VendorBundle/Resources/config/acl_resources.yml** and loads all resources from each bundle.
```yaml
resources:
- app_bundle.entity.page.view
- app_bundle.entity.page.edit
```
## ACL policy providers
ACL policy providers must implement **AclBundle\Access\PolicyProviderInterface** and implement
one method which return a list of policies, where key is a resource or resource branch and
value is boolean - whether the resource is granted or denied.
Given we have these resources:
```yaml
resources:
- app.user.edit
- app.user.view
- app.user.remove
- app.user.add
```
We can make policies for leaf actions:
```yaml
acl:
access:
policies:
luke@skywalker.com:
- { resource: app.user.edit, granted: true }
- { resource: app.user.view, granted: true }
- { resource: app.user.add, granted: true }
```
Or we can do the same thing by granting access to the branch and denying leaf:
```yaml
acl:
access:
policies:
luke@skywalker.com:
- { resource: app.user, granted: true }
- { resource: app.user.remove, granted: false }
```
**NOTE:** The configuration above is the **ACL** bundle extension configuration. Which should be located in
kernel configuration directory.
### Config provider
For very simple use cases, config provider may be used. To enable it, acl configuration must contain
some accesses in the map:
``` yaml
acl:
access:
policies:
admin:
- { resource: app_bundle, allow: true } # allow every action for all resources under app_bundle
someusername:
- { resource: some.resource, allow: true } # allow all actions on some.resource
- { resource: some.resource.edit, allow: false } # but deny - some.resource.edit
- { another.resource.somewhere.create } # default allowed
```
It will load this access map based on username of currently logged user from security context.
Though the user model must implement **Symfony\Component\Security\Core\User\UserInterface**
### ACL resource transformers
Sometimes it may be useful to transform an object to a specific resource with identifier for
deep permission checks. As an example we could have **form type** resources identified by name:
``` php
use AclBundle\Util;
use AclBundle\Resource\TransformerInterface;
use Symfony\Component\Form\FormTypeInterface;
class FormTransformer implements TransformerInterface
{
public function supports($object)
{
return $object instanceof FormTypeInterface;
}
public function transform($object)
{
return 'form.' . Util::underscore($object->getName());
}
}
```
This transformer service then may be registered with tag: **acl.resource.transformer**, it accepts a priority attribute.
When **acl** actions may be checked like:
``` php
$container->get('acl.access.decision_manager')->isGranted('edit', $formTypeObject);
```
**NOTE:** these resources must be provided, either through configuration or by resource provider service.
For convenience, make a service alias:
```yaml
# app/config/config.yml or other
services:
acl: @acl.access.decision_manager
```
## Questions and Answers
**Q:** Why it does not have a vendor namespace.
**A:** Hopefully, you need only one AclBundle in your projects, cheers.
## Tests
Tested with phpunit. To run all tests:
composer install
bin/phpunit