Symfony 2 - ACL check permission based on 'separate' roles

The default role system of Symfony is role bound to user. Having a role field in your manyToMany table crew_members does not make sense from this point of view.

What you want is authorization based on the user AND on the crew, so you should probably use ACL functionality, and use role only for global permission.

    $objectIdentity = ObjectIdentity::fromDomainObject($forumTopic);    $acl = $aclProvider->createAcl($objectIdentity);    $securityIdentity = UserSecurityIdentity::fromAccount($user);    // grant owner access    $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_EDIT);    $aclProvider->updateAcl($acl);

(You can check further docs on http://symfony.com/doc/current/cookbook/security/acl.html. You can also use the excellent https://github.com/Problematic/ProblematicAclManagerBundle)

You combine it with a voter :

function vote(TokenInterface $token, $object, array $attributes){    if ($object instanceof ObjectIdentityInterface) {        if ($object->getType() == 'Entity\\ForumTopic') {            /**             * @var Member $member             */            $member = $token->getUser();            if(in_array('ROLE_MODERATOR', $member->getRoles() && empty($object->getCrew()) {                return self::ACCESS_GRANTED;            }            // inject security component via dependecy injection            // delegate further check to ACL            if ($this->container['security']->isGranted('EDIT', $object)) {                return self::ACCESS_GRANTED;            }        }    }

You can touch the solution !You just have to do some few things if you want to check the roles.First, register your Voter as a service in order to construct it with the security context :

Add this in your services.yml file :

services:    your_app.security.voter.forum_topic_owner:        class: Your\AppBundle\Security\Authorization\Voter\ForumTopicOwnerVoter        arguments: ["@security.context"]        tags:            - { name: security.vote

Now, you will have to define a constructor to get the securityContext and to use it in the vote method :

<?phpnamespace Your\AppBundle\Security\Authorization\Voter;use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\SecurityContext;class ForumTopicOwnerVoter implements VoterInterface{    /** @var SecurityContext */    protected $securityContext;    /**     * @param SecurityContext     $securityContext SecurityContext is the main entry point of the Security component.     */    public function __construct(SecurityContext $securityContext)    {        $this->securityContext = $securityContext;    }    /**     * {@inheritDoc}     */    public function supportsAttribute($attribute)    {        return 'FORUM_TOPIC_OWNER' === $attribute;    }    /**     * {@inheritDoc}     */    public function supportsClass($class)    {        return $class->getType() == 'Entity\\ForumTopic';    }    /**     * {@inheritDoc}     */    public function vote(TokenInterface $token, $forumTopic, array $attributes)    {        foreach ($attributes as $attribute) {            if ($this->supportsAttribute($attribute) && $this->supportsClass($forumTopic)) {                $user = $token->getUser();                if ($user->hasRole('ROLE_CREW_BOSS')                    or $this->securityContext->isGranted('ROLE_LEFTHAND')                    ) {                        return VoterInterface::ACCESS_GRANTED;                }            }        }        return VoterInterface::ACCESS_DENIED;    }}

Now, you have a Voter, you have to call it on a ForumTopic object, apparently you know how to do this and it was not your problem, may I suggest you anyway to look around the SecureParam annotation of the well known Jms/SecurityExtraBundle. Here is a way to use it in your controller action :

namespace Your\AppBundle\Controller;use Symfony\Bundle\FrameworkBundle\Controller\Controller;use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;use JMS\SecurityExtraBundle\Annotation\Secure;use JMS\SecurityExtraBundle\Annotation\SecureParam;/** * ForumTopic controller. * */class ForumTopicController extends Controller/** * Edit an existing forum topic entity. * * @param Request    $request    An HTTP request. * @param ForumTopic $forumTopic A forumTopic entity. * * @Secure(roles="ROLE_CREW") * @SecureParam(name="forumTopic", permissions="FORUM_TOPIC_OWNER") * @ParamConverter("forumTopic", class="YourAppBundle:ForumTopic") */public function editAction(Request $request, ForumTopic $forumTopic){    //Add here your logic}

I hope it has been helpful to you!

Good luck !

Cheers.

I would use Symfony acl:

// creating the ACL$aclProvider = $this->get('security.acl.provider');$objectIdentity = ObjectIdentity::fromDomainObject($comment);$acl = $aclProvider->createAcl($objectIdentity);$roleSecurityIdentity = new RoleSecurityIdentity('ROLE_CREW');$securityIdentity = $roleSecurityIdentity;// grant owner access$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);$aclProvider->updateAcl($acl);