This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.

@Security

Usage

The @Security annotation restricts access on controllers:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class PostController extends Controller
{
    /**
     * @Security("has_role('ROLE_ADMIN')")
     */
    public function indexAction()
    {
        // ...
    }
}

The expression can use all functions that you can use in the access_control section of the security bundle configuration, with the addition of the is_granted() function.

The expression has access to the following variables:

  • token: The current security token;
  • user: The current user object;
  • request: The request instance;
  • roles: The user roles;
  • and all request attributes.

The is_granted() function allows you to restrict access based on variables passed to the controller:

/**
 * @Security("is_granted('POST_SHOW', post)")
 */
public function showAction(Post $post)
{
    // ...
}
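
The expression is_granted('POST_SHOW', post) hands the controller's $post argument to the security voters, so some voter has to decide POST_SHOW. The following is an added example, not part of the original documentation or the bundle's code, showing one such voter. It assumes Symfony 2.8 or later (the abstract Voter class); the Post entity, its getAuthor() and isPublished() methods, and the PostVoter name are hypothetical.

```php
<?php
// Assumes Symfony 2.8+ (abstract Voter class). Post and PostVoter are
// hypothetical names, not part of SensioFrameworkExtraBundle.
namespace AppBundle\Entity {
    // Minimal entity: only what the voter reads.
    class Post
    {
        private $author;
        private $published;

        public function __construct($author, $published = false)
        {
            $this->author = $author;
            $this->published = $published;
        }

        public function getAuthor() { return $this->author; }
        public function isPublished() { return $this->published; }
    }
}

namespace AppBundle\Security {
    use AppBundle\Entity\Post;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\Authorization\Voter\Voter;
    use Symfony\Component\Security\Core\User\UserInterface;

    class PostVoter extends Voter
    {
        // Abstain unless this is POST_SHOW on a Post, so other voters decide.
        protected function supports($attribute, $subject)
        {
            return 'POST_SHOW' === $attribute && $subject instanceof Post;
        }

        protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
        {
            if ($subject->isPublished()) {
                return true; // published posts: any caller
            }
            // Drafts: author only. An anonymous token has no UserInterface
            // user, so it falls through to a denial.
            $user = $token->getUser();

            return $user instanceof UserInterface && $subject->getAuthor() === $user;
        }
    }
}
```

Register the class as a service tagged security.voter so the access decision manager consults it. If no voter supports the attribute, every voter abstains and the default access decision settings deny the request.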

Note

Defining a Security annotation has the same effect as defining an access control rule, but it is more efficient as the check is only done when this specific route is accessed.

Tip

You can also add a @Security annotation on a controller class.