Symfony:如何查找已连接用户可以访问的不同URL的列表

编程问答 2022-06-13

问题描述

我想组成一个索引页面,向登录用户显示分配给他的角色可以访问的资源URL列表

我找到了一个解决方案,方法是使用Yaml组件解析security.yaml文件,然后遍历security.acces_control部分:

security:
    ......
    access_control:
        - {path: ^/admin,roles: ROLE_ADMIN}
        - {path: ^/profile,roles: ROLE_USER}
        - {path: ^/login,roles: IS_AUTHENTICATED_ANONYMOUSLY}
        - {path: ^/register,roles: IS_AUTHENTICATED_ANONYMOUSLY}
        - {path: ^/resetting,roles: IS_AUTHENTICATED_ANONYMOUSLY}
        - {path: ^/path1,roles: ROLE_USER}
        - {path: ^/path2,roles: ROLE_CONTRIBUTOR}
        - .....
        - {path: ^/pathn,roles: ROLE_CONTRIBUTOR}

因此,如果登录用户仅具有ROLE_USER角色,则他将仅在索引页面上看到/ profile和/ path1。

但是我知道这种做法是不好的做法。 您是否有一个更好的Symfony组件解决方案来避免解析security.yaml?

我曾考虑过使用AccesMap,但是'security.acces_map'服务是私有的,无法使用。

解决方法

我找到了基于 AccessMap AccessDecisionManager 类的解决方案。

由于AccessMap没有自动接线,因此有必要编写并声明允许手动接线的服务。

在services.yaml中声明此服务:

App\Security\Util\AccessControlInterface:
    class: App\Security\Util\AccessControl
    arguments:
        - '@security.access_map'

服务代码:

namespace App\Security\Util;

<? php declare (strict_types = 1);

interface AccessControlInterface {

    / **
    * Checks if the connected user can access to $path.
    *
    * @param string $path
    *
    * @return bool
    * /
    public function isPathAuthorized (string $path);

}


<? php declare (strict_types = 1);

namespace App\Security\Util;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\AccessMapInterface;

class AccessControl implements AccessControlInterface
{

    / **
    * @var array
    * /
    protected $server;

    / **
    * @var string
    * /
    protected $baseUrl;

    / **
    * @var\Symfony\Component\Security\Http\AccessMapInterface
    * /
    protected $accessMap;

    / **
    * @var\Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface
    * /
    protected $tokenStorage;

    / **
    * @var\Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface
    * /
    protected $accessDecisionManager;

    public function __construct (
        AccessMapInterface $accessMap,RequestStack $requestStack,TokenStorageInterface $tokenStorage,AccessDecisionManagerInterface $accessDecisionManager
    )
    {
        $this->accessMap = $accessMap;
        $this->server = $requestStack->getCurrentRequest()->server->all();
        $this->baseUrl = $requestStack->getCurrentRequest()->getBaseUrl();
        $this->tokenStorage = $tokenStorage;
        $this->accessDecisionManager = $accessDecisionManager;
    }

    public function isPathAuthorized (string $path)
    {
        $request = Request::create ($this->baseUrl. $path,'GET',[],$this->server);
        $token = $this->tokenStorage->getToken();
        [$attributes] = $this->accessMap->getPatterns ($request);
        if (null === $attributes) {
            $attributes = ['IS_AUTHENTICATED_ANONYMOUSLY'];
        }
        return $this->accessDecisionManager->decide($token,$attributes,$request);
    }
}

可能通过控制器使用:

use App\Security\Util\AccessControlInterface;
...

class IndexController extends AbstractController {

    public function index (Request $request,AccessControlInterface $accessControl)
    {
        if ($accessControl->isPathAuthorized("/path1")) {
            // do stuff
        }
    }
}
access-control