【Question title】: How to use roles in SonataAdminBundle
【Posted】: 2012-12-18 17:39:43
【Question】:

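I'm starting to use SonataAdminBundle in a Symfony 2.1 application. I have developed all the Admin classes, and now I would like to add roles to prevent view/list/edit actions for certain groups of users (e.g. non-admin users).

Please note that I do not use SonataUserBundle (derived from FOSUserBundle) and I want to use the sonata.admin.security.handler.role security handler provided by Sonata: ACL is too powerful (and adds a lot of overhead) for my small project.

My own UserBundle provides a User class and a Group class (the latter is used to specify the roles of each user). The role hierarchy is provided in my security.yml file, for example: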

security:
    role_hierarchy:
        ROLE_POST_AUTHOR:            ROLE_USER
        ROLE_ADMIN:                  [ ROLE_USER, ROLE_POST_AUTHOR]
        ROLE_SUPER_ADMIN:            [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ] 

Now, I have configured the config.yml file by specifying the security handler:

sonata_admin:
    security:
        handler: sonata.admin.security.handler.role

The official docs focus more on how to use ACL and SonataUserBundle, so I don't know how to connect my roles from security.yml to SonataAdminBundle.

PS: a similar question is: SonataAdminBundle Security roles

【Question comments】:

    Tags: symfony roles symfony-2.1 sonata-admin


    【Answer 1】:

    Try creating roles named ROLE_<service.name>_<RIGHT>, where:

    • <service.name> is the uppercased, dot-replaced-by-underscore version of your Sonata admin service name
    • <RIGHT> is one of (reference):
      • CREATE
      • DELETE
      • EDIT
      • LIST
      • VIEW
      • EXPORT
      • OPERATOR
      • MASTER

    Example

    Here is a snippet from my security.yml:

    role_hierarchy:
    
        ROLE_MANAGER:
            - ROLE_USER
            - ROLE_SONATA_STUFF # have no effect on the UI
            - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
            # user
            - ROLE_SONATA_ADMIN_USER_LIST
            - ROLE_SONATA_ADMIN_USER_VIEW
            # product
            - ROLE_SONATA_ADMIN_PRODUCT_LIST
            - ROLE_SONATA_ADMIN_PRODUCT_VIEW
            - ROLE_SONATA_ADMIN_PRODUCT_EDIT
            # product category
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
    
        ROLE_ADMIN:
            - ROLE_SONATA_ADMIN # with this role you have a nice navbar with search box
            # user
            - ROLE_SONATA_ADMIN_USER_CREATE
            - ROLE_SONATA_ADMIN_USER_DELETE
            - ROLE_SONATA_ADMIN_USER_EDIT
            - ROLE_SONATA_ADMIN_USER_LIST
            - ROLE_SONATA_ADMIN_USER_VIEW
            - ROLE_SONATA_ADMIN_USER_EXPORT
            - ROLE_SONATA_ADMIN_USER_OPERATOR
            - ROLE_SONATA_ADMIN_USER_MASTER
            # product
            - ROLE_SONATA_ADMIN_PRODUCT_CREATE
            - ROLE_SONATA_ADMIN_PRODUCT_DELETE
            - ROLE_SONATA_ADMIN_PRODUCT_EDIT
            - ROLE_SONATA_ADMIN_PRODUCT_LIST
            - ROLE_SONATA_ADMIN_PRODUCT_VIEW
            - ROLE_SONATA_ADMIN_PRODUCT_EXPORT
            - ROLE_SONATA_ADMIN_PRODUCT_OPERATOR
            - ROLE_SONATA_ADMIN_PRODUCT_MASTER
            # product category
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_CREATE
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_DELETE
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EDIT
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_EXPORT
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_OPERATOR
            - ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_MASTER
            # purchase
            - ROLE_SONATA_ADMIN_PURCHASE_CREATE
            - ROLE_SONATA_ADMIN_PURCHASE_DELETE
            - ROLE_SONATA_ADMIN_PURCHASE_EDIT
            - ROLE_SONATA_ADMIN_PURCHASE_LIST
            - ROLE_SONATA_ADMIN_PURCHASE_VIEW
            - ROLE_SONATA_ADMIN_PURCHASE_EXPORT
            - ROLE_SONATA_ADMIN_PURCHASE_OPERATOR
            - ROLE_SONATA_ADMIN_PURCHASE_MASTER
            # payment
            - ROLE_SONATA_ADMIN_PAYMENT_CREATE
            - ROLE_SONATA_ADMIN_PAYMENT_DELETE
            - ROLE_SONATA_ADMIN_PAYMENT_EDIT
            - ROLE_SONATA_ADMIN_PAYMENT_LIST
            - ROLE_SONATA_ADMIN_PAYMENT_VIEW
            - ROLE_SONATA_ADMIN_PAYMENT_EXPORT
            - ROLE_SONATA_ADMIN_PAYMENT_OPERATOR
            - ROLE_SONATA_ADMIN_PAYMENT_MASTER
            # notification: email template
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_CREATE
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_DELETE
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EDIT
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_LIST
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_VIEW
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_EXPORT
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_OPERATOR
            - ROLE_SONATA_ADMIN_NOTIFICATION_EMAIL_TEMPLATE_MASTER
    
        ROLE_SUPER_ADMIN:
            - ROLE_ADMIN
            - ROLE_ALLOWED_TO_SWITCH
    
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_SONATA_ADMIN }
    

    Here is a snippet from my @AdminBundle/Resources/config/service.yml (only the service names are relevant here):

    sonata.admin.user:
        class: Acme\AdminBundle\Admin\UserAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "User", label: "User" }
        arguments:
            - ~
            - Acme\UserBundle\Entity\User
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    
    sonata.admin.product:
        class: Acme\AdminBundle\Admin\ProductAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "Store", label: "Product" }
        arguments:
            - ~
            - Acme\StoreBundle\Entity\Product
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    
    sonata.admin.product_category:
        class: Acme\AdminBundle\Admin\ProductCategoryAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "Store", label: "Category" }
        arguments:
            - ~
            - Acme\StoreBundle\Entity\ProductCategory
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    
    sonata.admin.purchase:
        class: Acme\AdminBundle\Admin\PurchaseAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "Store", label: "Purchase" }
        arguments:
            - ~
            - Acme\StoreBundle\Entity\Purchase
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    
    sonata.admin.payment:
        class: Acme\AdminBundle\Admin\PaymentAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "Payment", label: "Payment" }
        arguments:
            - ~
            - Acme\PaymentBundle\Entity\Payment
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    
    sonata.admin.notification.email_template:
        class: Acme\AdminBundle\Admin\Notification\EmailTemplateAdmin
        tags:
            - { name: sonata.admin, manager_type: orm, group: "Notification", label: "Email Template" }
        arguments:
            - ~
            - Acme\NotificationBundle\Entity\EmailTemplate
            - ~
        calls:
            - [ setTranslationDomain, [AcmeAdminBundle]]
    

    Reference

    1. Role Based Security in Sonata Admin

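    【Comments】:

    • After I have described all the possibilities, I still can't understand how to define a user and his roles. Any ideas? :)
    • I have an entity with user roles, and I define them in an extra sonata_roles.yml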
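
The naming rule from the answer above (ROLE_<service.name>_<RIGHT>) can be used to audit a role hierarchy for least privilege. The following is an added example, not code from the original posts or from Sonata: it expands a role transitively, lists the rights it ends up with per admin service, and flags ROLE_SONATA_* names that match no admin service. The function names and the sample data (a constructed subset of the answer's snippets, with ROLE_SUPER_ADMIN rewired to inherit ROLE_MANAGER) are assumptions.

```python
RIGHTS = ("CREATE", "DELETE", "EDIT", "LIST", "VIEW", "EXPORT", "OPERATOR", "MASTER")
# Used by the answer's access_control rule; not produced by the naming rule.
GATE_ROLE = "ROLE_SONATA_ADMIN"

# Constructed sample data modelled on the answer's service.yml and security.yml.
ADMIN_SERVICES = ["sonata.admin.user", "sonata.admin.product",
                  "sonata.admin.product_category"]
HIERARCHY = {
    "ROLE_MANAGER": ["ROLE_USER", "ROLE_SONATA_STUFF", "ROLE_SONATA_ADMIN",
                     "ROLE_SONATA_ADMIN_USER_LIST", "ROLE_SONATA_ADMIN_USER_VIEW",
                     "ROLE_SONATA_ADMIN_PRODUCT_LIST", "ROLE_SONATA_ADMIN_PRODUCT_VIEW",
                     "ROLE_SONATA_ADMIN_PRODUCT_EDIT",
                     "ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_LIST",
                     "ROLE_SONATA_ADMIN_PRODUCT_CATEGORY_VIEW"],
    "ROLE_SUPER_ADMIN": ["ROLE_MANAGER", "ROLE_ALLOWED_TO_SWITCH"],
}

def base_role(service_id):
    """ROLE_<service.name>: uppercase the service id, dots become underscores."""
    return "ROLE_" + service_id.upper().replace(".", "_")

def known_roles(services):
    """Every role name the rule can generate, mapped to (service id, right).
    Exact lookup avoids the product / product_category prefix ambiguity."""
    return {f"{base_role(s)}_{r}": (s, r) for s in services for r in RIGHTS}

def reachable(role, hierarchy, seen=None):
    """Expand a role through the hierarchy transitively (cycle-safe)."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for child in hierarchy.get(role, []):
            reachable(child, hierarchy, seen)
    return seen

def audit(role, hierarchy, services):
    """Return (rights granted per service, ROLE_SONATA_* names matching no admin)."""
    known = known_roles(services)
    granted, unmatched = {}, []
    for name in sorted(reachable(role, hierarchy)):
        if name in known:
            service, right = known[name]
            granted.setdefault(service, set()).add(right)
        elif name.startswith("ROLE_SONATA_") and name != GATE_ROLE:
            unmatched.append(name)  # typo or leftover: grants nothing in the admin
    return granted, unmatched
```
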