symfony2 在 voter 中调用 is_granted:如何避免无限循环?
我已经建立了一个投票者,我需要在其中对用户调用 is_granted.
I have built a voter where I need to invoke is_granted on a user.
在我的选民中注入 security.authorization_checker 服务时,我收到以下错误
When injecting the security.authorization_checker service in my voter I get the following error
CheckCircularReferencesPass.php 中的 ServiceCircularReferenceException第 69 行:检测到服务manager_voter"的循环引用,路径:manager_voter -> security.authorization_checker ->security.access.decision_manager -> manager_voter".
ServiceCircularReferenceException in CheckCircularReferencesPass.php line 69: Circular reference detected for service "manager_voter", path: "manager_voter -> security.authorization_checker -> security.access.decision_manager -> manager_voter".
除了注入整个容器之外,没有其他选择吗?这正常吗?
Is there no alternative to injecting the whole container? Is this normal?
我正在从控制器呼叫选民:
I am calling a voter from a controller :
if (false === $this->get('security.authorization_checker')->isGranted('manage', $associate)) {
throw new AccessDeniedException('Unauthorised access!');
}
在这个选民中,我需要验证用户的角色:
In this voter I need to verify a user's roles:
if ($this->container->get('security.authorization_checker')->isGranted('ROLE_COMPANY_MANAGER'))
{
return true;
}
这当然会导致循环.如何不得到那个循环?如果我没记错的话,对用户调用 $user->getRoles 不会考虑角色层次结构.
Which of course leads to a loop. How to not get that Loop? Calling $user->getRoles on the user won't take into consideration role hierarchy if I'm not mistaking.
推荐答案
感谢@Cerad,我找到了答案:
So i found the answer thanks to @Cerad:
精度:您不能扩展 abstractVoter 类,因为您需要访问令牌.只需实现抽象选民正在实现的相同接口即可.
Precision: you can't extend the abstractVoter class cause you need access to the token. Just implement the same interface the abstract voter is implementing.
Cerad 命题:Symfony2 自定义选民角色层次结构
我的:
<?php
namespace AppBundleSecurityVoter;
use AppBundleEntityUserAssociate;
use SymfonyComponentSecurityCoreAuthenticationTokenTokenInterface;
use SymfonyComponentSecurityCoreAuthorizationVoterVoterInterface;
use SymfonyComponentSecurityCoreRoleRoleHierarchy;
use SymfonyComponentSecurityCoreUserUserInterface;
class ManagerVoter implements VoterInterface
{
const SELECT_ASSOCIATES = 'select_associates';
private $roleHierarchy;
public function __construct(RoleHierarchy $roleHierarchy)
{
$this->roleHierarchy = $roleHierarchy;
}
protected function hasRole(TokenInterface $token, $targetRole)
{
$reachableRoles = $this->roleHierarchy->getReachableRoles($token->getRoles());
foreach($reachableRoles as $role)
{
if ($role->getRole() == $targetRole) return true;
}
return false;
}
protected function getSupportedClasses()
{
return array(
'AppBundleEntityUserAssociate',
);
}
protected function getSupportedAttributes()
{
return array(self::SELECT_ASSOCIATES);
}
/**
* Iteratively check all given attributes by calling isGranted
*
* This method terminates as soon as it is able to return ACCESS_GRANTED
* If at least one attribute is supported, but access not granted, then ACCESS_DENIED is returned
* Otherwise it will return ACCESS_ABSTAIN
*
* @param TokenInterface $token A TokenInterface instance
* @param object $object The object to secure
* @param array $attributes An array of attributes associated with the method being invoked
*
* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$object || !$this->supportsClass(get_class($object))) {
return self::ACCESS_ABSTAIN;
}
// abstain vote by default in case none of the attributes are supported
$vote = self::ACCESS_ABSTAIN;
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
}
// as soon as at least one attribute is supported, default is to deny access
$vote = self::ACCESS_DENIED;
if ($this->isGranted($attribute, $object, $token)) {
// grant access as soon as at least one voter returns a positive response
return self::ACCESS_GRANTED;
}
}
return $vote;
}
/**
* Perform a single access check operation on a given attribute, object and (optionally) user
* It is safe to assume that $attribute and $object's class pass supportsAttribute/supportsClass
* $user can be one of the following:
* a UserInterface object (fully authenticated user)
* a string (anonymously authenticated user)
*
* @param string $attribute
* @param object $object
* @param $token
* @internal param string|UserInterface $user
*
* @return bool
*/
protected function isGranted($attribute, $object, TokenInterface $token)
{
$user = $token->getUser();
/** @var $object Associate */
$associateRoles = $object->getRoles();
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof UserInterface) {
return false;
}
// if ($this->hasRole($token, 'ROLE_ADMIN'))
// {
// return true;
// }
if ($attribute == self::SELECT_ASSOCIATES) {
if (in_array('ROLE_COMPANY_STAFF',$associateRoles))
{
if ($this->hasRole($token, 'ROLE_COMPANY_MANAGER'))
{
return true;
}
}
elseif (in_array('ROLE_BOUTIQUE_STAFF',$associateRoles))
{
if ($this->hasRole($token, 'ROLE_BOUTIQUE_MANAGER'))
{
return true;
}
}
elseif (in_array('ROLE_SCHOOL_STAFF',$associateRoles))
{
if ($this->hasRole($token, 'ROLE_PROFESSOR'))
{
return true;
}
}
}
return false;
}
/**
* {@inheritdoc}
*/
public function supportsAttribute($attribute)
{
return in_array($attribute, $this->getSupportedAttributes());
}
/**
* {@inheritdoc}
*/
public function supportsClass($class)
{
foreach ($this->getSupportedClasses() as $supportedClass) {
if ($supportedClass === $class || is_subclass_of($class, $supportedClass)) {
return true;
}
}
return false;
}
}
相关文章