You are browsing the Symfony 4 documentation, which changes significantly from Symfony 3.x. If your app doesn't use Symfony 4 yet, browse the Symfony 3.4 documentation.

How to Secure any Service or Method in your Application

4.3 version

Maintained

3.4 4.4 master

Unmaintained

2.7 2.8 3.0 3.1 3.2 3.3 4.0 4.1 4.2

edit this page

How to Secure any Service or Method in your Application¶

In the security article, you learned how to secure a controller via a shortcut method.

But, you can check access anywhere in your code by injecting the Security service. For example, suppose you have a SalesReportManager service and you want to include extra details only for users that have a ROLE_SALES_ADMIN role:

// src/Newsletter/NewsletterManager.php

// ...
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+ use Symfony\Component\Security\Core\Security;

class SalesReportManager
{
+     private $security;

+     public function __construct(Security $security)
+     {
+         $this->security = $security;
+     }

    public function sendNewsletter()
    {
        $salesData = [];

+         if ($this->security->isGranted('ROLE_SALES_ADMIN')) {
+             $salesData['top_secret_numbers'] = rand();
+         }

        // ...
    }

    // ...
}

If you're using the default services.yaml configuration, Symfony will automatically pass the security.helper to your service thanks to autowiring and the Security type-hint.

You can also use a lower-level AuthorizationCheckerInterface service. It does the same thing as Security, but allows you to type-hint a more-specific interface.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.