New in Symfony 2.6: The acl:set command
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Symfony applications usually check user permissions with security voters. However, if your security needs are complex and involve both the person who is requesting access and the domain object for which access is being requested, you may need to use the Symfony ACL (Access Control List).
The major drawback of ACL is that the code required to deal with permissions is too verbose. To help you manage and debug ACL, Symfony 2.6 will introduce a new command called acl:set.
After initializing the ACL with the init:acl command, you can use this new command to grant permissions to the application users. For instance, the following command grants the VIEW permission to kevin on the Acme/MyClass object with id = 42:
$ php app/console acl:set --user=Symfony/Component/Security/Core/User/User:kevin VIEW Acme/MyClass:42
Similarly, to grant the DELETE, EDIT and VIEW permissions to the same user on the same object as before, execute the following command:
$ php app/console acl:set --user=Symfony/Component/Security/Core/User/User:kevin DELETE EDIT VIEW Acme/MyClass:42
The acl:set command lets you use the --role option to grant permissions to any user that has a specific role. The following command grants the EDIT permission to any editor of the application:
$ php app/console acl:set --role=ROLE_EDITOR EDIT Acme/MyClass:42
The previous examples use the object scope of the ACL, which sets permissions for specific objects or instances of a class. However, Symfony ACL supports other scopes for access control entries. The class scope lets you set permissions on all objects of the same class.
For instance, this command grants the OWNER permission on any object of the class Acme/MyClass:
$ php app/console acl:set --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42
When using the class scope, you must pass a valid id for the class type (that's why the command uses Acme/MyClass:42 instead of the class name alone). Moreover, the permissions are not applied to all the objects of the same class but only to the objects of this class already present in the ACL table.
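For comparison, this is roughly the PHP that the commands above replace, written against the Symfony 2.x ACL component. It is an added example, not code from the original post or from the command's implementation; the helper names grantPermissions() and grantExamples() are hypothetical, and $provider is assumed to be the security.acl.provider service.

```php
<?php
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// Hypothetical helper: grants the named permissions to one security identity.
function grantPermissions(MutableAclProviderInterface $provider, SecurityIdentityInterface $sid,
                          array $permissions, $class, $id, $classScope = false)
{
    // Combine the permission names (VIEW, EDIT, ...) into a single bitmask.
    $builder = new MaskBuilder();
    foreach ($permissions as $permission) {
        $builder->add($permission);
    }
    $mask = $builder->get();

    // An ACL is always attached to a concrete object identity (id + class),
    // which is why a valid id is needed even for class-scope entries.
    $oid = new ObjectIdentity($id, $class);
    try {
        $acl = $provider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        $acl = $provider->createAcl($oid);
    }

    if ($classScope) {
        // Class-scope entry: seen only by objects of this class that have an ACL.
        $acl->insertClassAce($sid, $mask);
    } else {
        $acl->insertObjectAce($sid, $mask);
    }
    $provider->updateAcl($acl);

    return $mask;
}

// Hypothetical wrapper mirroring the three kinds of grant shown in the post.
function grantExamples(MutableAclProviderInterface $provider)
{
    $userClass = 'Symfony\Component\Security\Core\User\User';
    grantPermissions($provider, new UserSecurityIdentity('kevin', $userClass), array('VIEW'), 'Acme\MyClass', 42);
    grantPermissions($provider, new RoleSecurityIdentity('ROLE_EDITOR'), array('EDIT'), 'Acme\MyClass', 42);
    grantPermissions($provider, new UserSecurityIdentity('anne', $userClass), array('OWNER'), 'Acme\MyClass', 42, true);
}
```

When reviewing grants, treat --role and --class-scope entries as the broad ones: a single entry of either kind can cover many users or many objects.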
The acl:set command makes you more productive and improves the experience of using Symfony. If you have any other idea or suggestion to improve this experience, check out the DX initiative recently introduced by Symfony.