Where to implement a security filter for dynamic groups
First I'll describe roughly the context. I want to have a symfony application where I can create various areas. In each of the areas, you can have different kinds of users (or roles). Each user can have multiple roles in different areas.
To illustrate the question, we'll define:
- 2 areas: "Area 1" and "Area 2".
- 2 users: "User 1" and "User 2".
- 2 roles: "seller" and "buyer".
- "User 1" is a seller and a buyer in "Area 1"
- "User 2" is a seller and a buyer in "Area 1" and a buyer only in "Area 2"
My question is: which is the best way to check, in restricted pages, if a user belongs to a given area and if he has the required role in that area?
After thinking a bit about it, I have done the following:
- When an area is created, I also create one sfGuardGroup per role and one global sfGuardGroup for the area, each suffixed with the area id. So in our example, we'll have the roles:
- area-1, sellers-1, buyers-1 for area 1
- area-2, sellers-2, buyers-2 for area 2
- The users are added to the relevant groups. So in our example:
- User 1 will belong to the groups area-1, sellers-1 and buyers-1
- User 2 will belong to the groups area-1, sellers-1, buyers-1, area-2 and buyers-2
- From the URL, I know in which area we are, for instance:
- http://example.com/area-1/sellers-restricted-page (accessible to users in the group area-1 and sellers-1)
- http://example.com/area-2/buyers-restricted-page (accessible to users in the group area-2 and buyers-2)
- http://example.com/area-2/ (accessible to users in the group area-2)
At that point, I am kind of stuck as I cannot make out the best place to implement the permission check: modify the guard filter? Change the actions?
Your required implementation is not supported by sfGuard so I would recommend creating a new, additional, security filter.
You can create a brand new filter that extends sfFilter, then add it into filter.yml after the existing security filter. This means that all existing security functionality provided by sfGuard continues.
You can then determine what area is being requested by looking at the current module name and action name (how you access these differs depending on which version of symfony you are using; look in sfBasicSecurityFilter for a clue), then compare that with the roles that the current user has using sfGuardSecurityUser.
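The following is an added example, not code from the question, the answer or the sfGuard plugin: a symfony 1.x filter that puts the answer's suggestion together with the group naming scheme from the question (area-1, sellers-1, buyers-1 and so on). It assumes, hypothetically, that the route exposes the numeric area id as a request parameter named `area_id`, that each protected action declares the role it needs in the module's security.yml under a custom key `area_role`, and that the filter is registered as `myAreaSecurityFilter` after the sfGuard filter in filters.yml. The area id taken from the URL is validated before it is turned into a group name, so an unexpected value fails closed instead of being looked up as a group.

```php
<?php
// Added example (not from the original post and not part of sfGuard): a symfony 1.x
// filter enforcing "user is in area-<id> and in <role>-<id>" for area-scoped routes.
// Assumptions (hypothetical, chosen for this example):
//   - the route exposes the numeric area id as request parameter "area_id", e.g.
//       sellers_page: { url: /area-:area_id/sellers-restricted-page, param: { module: shop, action: sellersPage } }
//   - the action's entry in security.yml carries a custom key "area_role":
//       sellersPage: { is_secure: true, area_role: sellers }
//   - groups are named as in the question: area-<id>, sellers-<id>, buyers-<id>
//
// Registered in apps/<app>/config/filters.yml right after the guard filter:
//   security:
//     class: sfGuardBasicSecurityFilter
//   area_security:
//     class: myAreaSecurityFilter
class myAreaSecurityFilter extends sfFilter
{
  /**
   * Builds the list of groups a user must belong to for an area and role.
   * Returns null when the area id is not a plain positive integer or the role
   * is unknown, so that a crafted URL can never become an arbitrary group name.
   */
  public static function requiredGroups($areaId, $role = null)
  {
    if (!ctype_digit((string) $areaId) || (int) $areaId < 1)
    {
      return null;
    }

    $groups = array('area-'.$areaId);
    if (null !== $role)
    {
      if (!in_array($role, array('sellers', 'buyers'), true))
      {
        return null; // unknown role name: fail closed
      }
      $groups[] = $role.'-'.$areaId;
    }

    return $groups;
  }

  public function execute($filterChain)
  {
    // Like sfBasicSecurityFilter, check only on the first call (not after internal forwards).
    if ($this->isFirstCall())
    {
      $context = $this->getContext();
      $user    = $context->getUser();

      // The action instance exposes its security.yml settings, which is how
      // sfBasicSecurityFilter reads "credentials"; here we read our own key.
      $action = $context->getActionStack()->getLastEntry()->getActionInstance();
      $role   = $action->getSecurityValue('area_role');
      $areaId = $context->getRequest()->getParameter('area_id');

      // Only routes that carry an area id are checked here; everything else
      // stays under sfGuard's normal is_secure / credentials rules.
      if (null !== $areaId)
      {
        $groups = self::requiredGroups($areaId, $role);
        if (null === $groups || !$user->isAuthenticated() || !$this->hasAllGroups($user, $groups))
        {
          $this->forwardToSecureAction();
        }
      }
    }

    $filterChain->execute();
  }

  // Every required group must be present: area membership AND the role in that area.
  protected function hasAllGroups(sfGuardSecurityUser $user, array $groups)
  {
    foreach ($groups as $group)
    {
      if (!$user->hasGroup($group))
      {
        return false;
      }
    }

    return true;
  }

  // Same behaviour as sfBasicSecurityFilter: forward to the configured secure
  // module/action and stop processing the current request.
  protected function forwardToSecureAction()
  {
    $this->getContext()->getController()->forward(
      sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));

    throw new sfStopException();
  }
}
```

With the question's data, `requiredGroups(2, 'sellers')` yields `array('area-2', 'sellers-2')`, which User 2 does not satisfy (he is only in buyers-2), while `requiredGroups(2, 'buyers')` yields `array('area-2', 'buyers-2')`, which he does; a request such as `/area-abc/...` yields null and is forwarded to the secure action. Keeping the check in a separate filter, as the answer suggests, leaves `is_secure` and `credentials` handling to sfGuard untouched.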