It's no secret ACLs can be tricky. Since seem to be the alternative to ACLs recommended by Symfony, I recently decided that I'd write my own easy-to-use Symfony 5 bundle to manage access control lists (ACL) in my applications. voters was originally written to be used in a JWT-authenticated API for single page applications (SPA) but it can also help out in multiple different scenarios provided it does not require the component -- which in most cases would be, in my humble opinion, especially suitable for multi-page applications (MPA) handling sessions. programarivm/easy-acl-bundle Security purely relies on Doctrine entities and repositories to do its stuff, meaning the permissions are just stored in a database. It is agnostic in terms of your app's architecture. EasyAclBundle Having said that, here is how JWT tokens are easily authenticated and authorised in an with the help of the so-called easy ACL repositories. event subscriber \ ; \ \ ; \ \ ; \ \ ; \ \ \ ; \ \ \ \ ; \ \ \ \ ; \ \ \ ; { { ->em = $em;
    } {
        $controller = $event->getController(); (is_array($controller)) {
            $controller = $controller[ ];
        } ($controller AccessTokenController) {
            $jwt = substr($event->getRequest()->headers->get( ), ); {
                $decoded = JWT::decode($jwt, getenv( ), [ ]);
            } (\ $e) { AccessDeniedHttpException( );
            }

            $user = ->em->getRepository( )
                        ->findOneBy([ => $decoded->sub]);

            $identity = ->em->getRepository( )
                            ->findBy([ => $user]);

            $rolename = $identity[ ]->getRole()->getName();
            $routename = $event->getRequest()->get( );

            $isAllowed = ->em->getRepository( )
                            ->isAllowed($rolename, $routename); (!$isAllowed) { AccessDeniedHttpException( );
            }
        }
    } { [
            KernelEvents::CONTROLLER => ,
        ];
    }
} // src/EventSubscriber/TokenSubscriber.php namespace App EventSubscriber use App Controller AccessTokenController use Doctrine ORM EntityManagerInterface use Firebase JWT JWT use Symfony Component EventDispatcher EventSubscriberInterface use Symfony Component HttpKernel Event ControllerEvent use Symfony Component HttpKernel Exception AccessDeniedHttpException use Symfony Component HttpKernel KernelEvents class TokenSubscriber implements EventSubscriberInterface public function __construct (EntityManagerInterface $em) $this public function onKernelController (ControllerEvent $event) // when a controller class defines multiple action methods, the controller // is returned as [$controllerInstance, 'methodName'] if 0 if instanceof 'Authorization' 7 try 'JWT_SECRET' 'HS256' catch Exception throw new 'Whoops! Access denied.' $this 'App:User' 'id' $this 'EasyAclBundle:Identity' 'user' 0 '_route' $this 'EasyAclBundle:Permission' if throw new 'Whoops! Access denied.' public static function getSubscribedEvents () return 'onKernelController' Most of this code will be self-explanatory if you're a seasoned developer; basically, if the incoming access token is decoded successfully, which means a given user is authenticated, the code tries to figure out if they have the right permissions to access the current route. ...

$user = ->em->getRepository( )
        ->findOneBy([ => $decoded->sub]);

$identity = ->em->getRepository( )
            ->findBy([ => $user]);

$rolename = $identity[ ]->getRole()->getName();
$routename = $event->getRequest()->get( );

$isAllowed = ->em->getRepository( )
            ->isAllowed($rolename, $routename);

... $this 'App:User' 'id' $this 'EasyAclBundle:Identity' 'user' 0 '_route' $this 'EasyAclBundle:Permission' Only two easy ACL repositories are required ( and ) to determine if the user can access the current route. Identity Permission Configuration Let's now take a look at how the magic works. In a nutshell, it's all about defining your app's routes: # config/routes.yaml api_post_create: path: /api/posts controller: App\Controller\Post\CreateController::index methods: POST api_post_delete: path: /api/posts/{id} controller: App\Controller\Post\DeleteController::index methods: DELETE api_post_edit: path: /api/posts/{id} controller: App\Controller\Post\EditController::index methods: PUT As well as permissions: # config/packages/programarivm_easy_acl.yaml programarivm_easy_acl: target: App\Entity\User permission: - role: Superadmin routes: - api_post_create - api_post_delete - api_post_edit - role: Admin routes: - api_post_create - api_post_edit - role: Basic routes: - api_post_create So, if your database schema is now updated: php bin/console doctrine:schema:update --force Four empty tables will be added to your database: easy_acl_identity easy_acl_permission easy_acl_role easy_acl_route Those four go hand in hand with the following entities: Programarivm\EasyAclBundle\Entity\Identity Programarivm\EasyAclBundle\Entity\Permission Programarivm\EasyAclBundle\Entity\Role Programarivm\EasyAclBundle\Entity\Route And repositories: Programarivm\EasyAclBundle\Repository\IdentityRepository Programarivm\EasyAclBundle\Repository\PermissionRepository Programarivm\EasyAclBundle\Repository\RoleRepository Programarivm\EasyAclBundle\Repository\RouteRepository Finally, the console command is to populate the easy ACL tables. easy-acl:setup php bin/console easy-acl:setup
This will reset the ACL. Are you sure to ? (y) y continue MySQL console: mysql> select * from easy_acl_identity;
Empty set (0.01 sec)

mysql> select * from easy_acl_permission;
+----+------------+-----------------+
| id | rolename   | routename       |
+----+------------+-----------------+
|  1 | Superadmin | api_post_create |
|  2 | Superadmin | api_post_delete |
|  3 | Superadmin | api_post_edit   |
|  4 | Admin      | api_post_create |
|  5 | Admin      | api_post_edit   |
|  6 | Basic      | api_post_create |
+----+------------+-----------------+
6 rows in set (0.00 sec)

mysql> select * from easy_acl_role;
+----+------------+
| id | name       |
+----+------------+
|  1 | Superadmin |
|  2 | Admin      |
|  3 | Basic      |
+----+------------+
3 rows in set (0.00 sec)

mysql> select * from easy_acl_route;
+----+-----------------+---------+-----------------+
| id | name            | methods | path            |
+----+-----------------+---------+-----------------+
|  1 | api_post_create | POST    | /api/posts      |
|  2 | api_post_delete | DELETE  | /api/posts/{id} |
|  3 | api_post_edit   | PUT     | /api/posts/{id} |
+----+-----------------+---------+-----------------+
3 rows in set (0.00 sec) Adding user identities The concept of user identity makes it possible for the bundle to not interfere with your database at all, which is not changed by it. As you can see, three tables are populated with data, but of course it is up to you to dynamically define your users' identities as in the data fixtures example shown below. EasyAcl \ \ ; \ \ ; \ \ \ ; \ \ \ ; \ \ \ ; \ \ \ ; \ \ ; \ \ \ ; { $easyAcl; { ->easyAcl = $easyAcl;
    } { ($i = ; $i < UserFixtures::N; $i++) {
            $index = rand( , count( ->easyAcl->getPermission()) );
            $user = ->getReference( );
            $role = ->getReference( );
            $manager->persist(
                ( Identity())
                    ->setUser($user)
                    ->setRole($role)
            );
        }

        $manager->flush();
    } { [ ,
        ];
    } { [
            RoleFixtures::class,
            UserFixtures::class,
        ];
    }
} // src/DataFixtures/EasyAcl/IdentityFixtures.php namespace App DataFixtures EasyAcl use App DataFixtures UserFixtures use Doctrine Bundle FixturesBundle Fixture use Doctrine Bundle FixturesBundle FixtureGroupInterface use Doctrine Common DataFixtures DependentFixtureInterface use Doctrine Common Persistence ObjectManager use Programarivm EasyAclBundle EasyAcl use Programarivm EasyAclBundle Entity Identity , class IdentityFixtures extends Fixture implements FixtureGroupInterface DependentFixtureInterface private public function __construct (EasyAcl $easyAcl) $this public function load (ObjectManager $manager) for 0 0 $this -1 $this "user-$i" $this "role-$index" new public static : function getGroups () array return 'easy-acl' public : function getDependencies () array return For further details, the guides you through the process of how to install and set up the easy ACL bundle. documentation And this is how today's post comes to an end. Was it helpful? I hope so. Tell us in the comments below! You may also be interested in... Writing CASL React Abilities in a JSON File With a Laravel Artisan Command An SPA GUI Session as a Non-HttpOnly Cookie A Tip for Lazy Symfony Developers

Target

All things web and more.

Read My Stories

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

How to Manage ACLs in Symfony the Easy Peasy Way

Too Long; Didn't Read

Company Mentioned

@Bassaganas

RELATED STORIES