[Security] [WCM] Use placeholders in role hierarchy #19079

Open
squrious wants to merge 1 commit into symfony:6.4 from squrious:security/role_hierarchy_placeholder

security.rst: 84 changes: 84 additions & 0 deletions

Expand Up@@ -2194,6 +2194,90 @@ Users with ``ROLE_SUPER_ADMIN``, will automatically have ``ROLE_ADMIN``,
:doc:`security voter </security/voters>` that looks for the user roles
in the database.

You can also use the special ``*`` placeholder character to define hierarchy dynamically:

.. configuration-block::

.. code-block:: yaml

# config/packages/security.yaml
security:
# ...

role_hierarchy:
ROLE_*: ROLE_USER
ROLE_*_MODERATOR: ROLE_MODERATOR

ROLE_BLOG_*: ROLE_BLOG_READER
ROLE_BLOG_MODERATOR: [ROLE_BLOG_DELETE_POST, ROLE_BLOG_LOCK_POST]

ROLE_SHOP_*: ROLE_SHOP_USER
ROLE_SHOP_MODERATOR: [ROLE_SHOP_DELETE_ITEM, ROLE_SHOP_DELETE_REVIEW]

.. code-block:: xml

<!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:srv="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<!-- ... -->

<role id="ROLE_*">ROLE_USER</role>
<role id="ROLE_*_MODERATOR">ROLE_MODERATOR</role>

<role id="ROLE_BLOG_*">ROLE_BLOG_READER</role>
<role id="ROLE_BLOG_MODERATOR">ROLE_BLOG_DELETE_POST, ROLE_BLOG_LOCK_POST</role>

<role id="ROLE_SHOP_*">ROLE_SHOP_USER</role>
<role id="ROLE_SHOP_MODERATOR">ROLE_SHOP_DELETE_ITEM, ROLE_SHOP_DELETE_REVIEW</role>
</config>
</srv:container>

.. code-block:: php

// config/packages/security.php
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
// ...

$security->roleHierarchy('ROLE_*', ['ROLE_USER']);
$security->roleHierarchy('ROLE_*_MODERATOR', ['ROLE_MODERATOR']);

$security->roleHierarchy('ROLE_BLOG_*', ['ROLE_BLOG_READER']);
$security->roleHierarchy('ROLE_BLOG_MODERATOR', ['ROLE_BLOG_DELETE_POST', 'ROLE_BLOG_LOCK_POST']);

$security->roleHierarchy('ROLE_SHOP_*', ['ROLE_SHOP_USER']);
$security->roleHierarchy('ROLE_SHOP_MODERATOR', ['ROLE_SHOP_DELETE_ITEM', 'ROLE_SHOP_DELETE_REVIEW']);
};

With this configuration, you can easily configure that:

- Having a role grants ``ROLE_USER``.
- All moderators have ``ROLE_MODERATOR``.
- Anyone with the ``ROLE_BLOG_*`` can access the blog.
- Anyone with the ``ROLE_SHOP_*`` can access the shop.

Even if a role is not explicitly defined in the hierarchy, if it is matched by a placeholder it will inherit the roles of this placeholder:

- Users with the ``ROLE_BLOG_ADMIN`` will also have the ``ROLE_BLOG_READER``
- Users with the ``ROLE_NEWS_MODERATOR`` will also have the ``ROLE_MODERATOR``

.. caution::

The ``*`` placeholder character can only be used after a ``_`` and before a ``_`` or the end of the role name. That means role names like ``ROLE_BLOG*`` and ``ROLE_*BLOG`` will not be considered as valid placeholders.

.. versionadded:: 6.4

The placeholder syntax was introduced in Symfony 6.4.

.. _security-role-authorization:

Add Code to Deny Access
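
Review bot: The caution block near the end of this hunk says where ``*`` may appear but not what it matches or how several matches combine, and that is what decides which roles a user ends up holding. Please state whether ``*`` covers a single segment or may span underscores (would ``ROLE_BLOG_*`` match a hypothetical ``ROLE_BLOG_POST_EDITOR``?), and whether a role that has its own entry, such as ``ROLE_BLOG_MODERATOR``, also inherits from the ``ROLE_BLOG_*`` and ``ROLE_*_MODERATOR`` entries it matches. Because ``ROLE_*: ROLE_USER`` together with the "Even if a role is not explicitly defined" paragraph means any matching role name assigned to a user gains roles without being listed in the hierarchy, a sentence saying so next to the example would help readers audit what a broad pattern grants. Wording: "With this configuration, you can easily configure that:" reads as circular, "Having a role grants" would be clearer as "Having any role grants", and the two items in the second list lack the closing period used in the first list.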