@Security

Usage

The @Security annotation restricts access on controllers:

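use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class PostController extends Controller
{
    /**
     * Only users holding ROLE_ADMIN may call this action.
     *
     * @Security("has_role('ROLE_ADMIN')")
     */
    public function indexAction()
    {
        // ...
    }
}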

The expression can use all functions that you can use in the access_control section of the security bundle configuration, with the addition of the is_granted() function.

The expression has access to the following variables:

  • token: The current security token;
  • user: The current user object;
  • request: The request instance;
  • roles: The user roles;
  • and all request attributes.

The is_granted() function allows you to restrict access based on variables passed to the controller:

/**
 * @Security("is_granted('POST_SHOW', post)")
 */
public function showAction(Post $post)
{
}
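
The is_granted('POST_SHOW', post) check above is decided by security voters: if no voter supports POST_SHOW, every voter abstains and access is denied under the default configuration. The following voter is an added example, not part of the bundle's documentation; it assumes Symfony's Voter base class (2.8 to 4.x method signatures), an AppBundle namespace, and a Post entity with hypothetical isPublished() and getAuthor() methods.

```php
<?php
// Added example: a voter that decides the POST_SHOW attribute used in
// @Security("is_granted('POST_SHOW', post)").
// Assumptions: the AppBundle namespace and a Post entity exposing the
// hypothetical methods isPublished() and getAuthor().
namespace AppBundle\Security;

use AppBundle\Entity\Post;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

class PostVoter extends Voter
{
    const SHOW = 'POST_SHOW';

    protected function supports($attribute, $subject)
    {
        // Vote only on POST_SHOW checks made against a Post; abstain otherwise.
        return self::SHOW === $attribute && $subject instanceof Post;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        // Published posts are readable by anyone, including anonymous visitors.
        if ($subject->isPublished()) {
            return true;
        }

        // For drafts, require a real user object. An anonymous token does not
        // return a UserInterface from getUser(), so the check fails closed.
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false;
        }

        // Only the author may see an unpublished post.
        return $user === $subject->getAuthor();
    }
}
```

Register the class as a service tagged security.voter (this happens automatically when service autoconfiguration is enabled).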

Note

Defining a Security annotation has the same effect as defining an access control rule, but it is more efficient as the check is only done when this specific route is accessed.

Tip

You can also add a @Security annotation on a controller class.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.