
Roles/Policies for own controllers?

Tuesday 10 September 2013 12:28:12 pm - 4 replies

Hello eZ community,

Is it possible to protect our own controllers using the eZ roles and policies system? In eZ 4 they were protected by design using the module.php. To give a user access, the role must be assigned to the user or group, respectively.

Now the controllers are developed as standalone Symfony controllers, but the essential role system from eZ is required for us. At the moment we assume it's not possible, as a Symfony controller is not handled as a content or location and therefore the limitation system is not applicable.

We thought of a workaround using the legacy functionality (creating a legacy extension with "empty" modules in module.php, creating a service with a legacy closure to call "$user->hasAccessTo()").

But maybe there is a better solution?

Thanks in advance!

Thursday 20 February 2014 2:25:21 pm

You can check the legacy roles directly using

$repository->canUser( 'content', 'read', $user )

Thursday 20 February 2014 2:50:05 pm

Hi

No need to use the repository. You can also use Symfony built-in tools, and that's highly recommended!

use eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute as AuthorizationAttribute;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
// ...
 
// Inside a controller extending eZ\Bundle\EzPublishCoreBundle\Controller
 
if ( !$this->isGranted( new AuthorizationAttribute( 'my_module', 'my_function' ) ) )
{
    throw new AccessDeniedException();
}

As of 2014.01 / 5.3, you can even specify a value object (e.g. a Content or Location) for limitation checks:

use eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute as AuthorizationAttribute;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
// ...
 
// Inside a controller extending eZ\Bundle\EzPublishCoreBundle\Controller
 
if ( !$this->isGranted( new AuthorizationAttribute( 'my_module', 'my_function', array( 'valueObject' => $content ) ) ) )
{
    throw new AccessDeniedException();
}

 

The only current limitation is that you still need to define the custom permission functions list in a legacy module (module.php).

Modified on Thursday 20 February 2014 2:51:21 pm by Jérôme Vieilledent

Thursday 27 February 2014 11:22:21 am

Hi Jérôme,

Thanks a lot, that's exactly what I was searching for.

So I think I will just add "dummy" functions in the legacy module.php and use the functionality you mentioned.

Can't wait to realize it.

Thanks a lot!

Friday 14 March 2014 12:59:40 pm

Hi Jérôme,
Sorry that I need to re-open this thread, but unfortunately the isGranted() method always returns true in my cases. It even returns true if the module and/or function is not defined in any module.php.

<?php

// ...
use eZ\Bundle\EzPublishCoreBundle\Controller;
use eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute as AuthorizationAttribute;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class MyController extends Controller
{
    public function grantedAction(Request $request)
    {
        // $granted is always true, even though neither module "xyz" nor function "xyz" is defined
        $granted = $this->isGranted(new AuthorizationAttribute('xyz', 'xyz'));

        return new Response();
    }
}

Best regards!

Edit: It's eZ 5.2 EE if this is important...

Modified on Friday 14 March 2014 1:05:33 pm by Ryad-Marcel El-Dajani
