symfony
Quber, 2014-10-31 02:36:28

How to differentiate rights in Symfony2 for REST API routes?

FOSUserBundle is installed.
The default security settings for the routes are:

# app/config/security.yml

access_control:
    - { path: ^/login$,   role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/,   roles: ['ROLE_ADMIN'] }
    - { path: ^/,         role: IS_AUTHENTICATED_REMEMBERED }

There are routes for creating, deleting, editing and getting an entity.
All users should have the right to read (get), and administrators everything else (editing, deleting, creating). All API routes start with site.ru/api.
Of course, you can do something like this:
# app/config/security.yml

access_control:
    - { path: ^/api/entity/delete$,   roles: ['ROLE_ADMIN'] }
    - { path: ^/api/entity/create$,   roles: ['ROLE_ADMIN'] }
    - { path: ^/api/entity/update$,   roles: ['ROLE_ADMIN'] }

But what if there are many of these entities? About 15. Do I have to write this out for each one? Something tells me this is not the best way. Checking rights in the controller also does not seem correct; I think this is the router's job.
Can I use the prefix site.ru/api/admin?
Then it would look like this:
# app/config/security.yml

access_control:
    - { path: ^/api/admin/,   roles: ['ROLE_ADMIN'] }

1 answer(s)
Sergey, 2014-10-31
Protko @Fesor

- { path: ^/api/\w+/(create|update|delete)$,   roles: ['ROLE_ADMIN'] }

Although in fact you should not have these update/delete/create paths at all. You should use the POST/PUT/DELETE methods.
I usually write this in the controller (via annotations), or resolve it in a service. If things get really complicated, you can implement a voter (since Symfony 2.4, it seems).
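The following is an added example, not code from the question or the answer above. It shows how the method-based approach suggested in the answer can be expressed directly in access_control: one rule matches every write method under ^/api/ instead of one rule per entity and action. It assumes the API has actually been made RESTful (writes go through POST/PUT/PATCH/DELETE, reads through GET/HEAD), that the `methods` option is supported by the Symfony 2.x release in use, and that the file lives at app/config/security.yml as in the question.

```yaml
# app/config/security.yml (added example; assumes a RESTful API under /api)
#
# access_control rules are evaluated top to bottom and the FIRST rule whose
# path (and, if given, methods) match is the one that applies. The specific
# /api rule must therefore sit above the catch-all ^/ rule, otherwise the
# catch-all wins and every logged-in user could write.
access_control:
    - { path: ^/login$,   role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/,   roles: ['ROLE_ADMIN'] }

    # Any state-changing request to any API resource needs ROLE_ADMIN.
    # Matching on the HTTP method covers /api/entity, /api/entity/42 and
    # all ~15 entities without a per-entity rule. List every write method
    # explicitly: a method not listed here falls through to the ^/ rule
    # below and is treated like a read.
    - { path: ^/api/,     roles: ['ROLE_ADMIN'], methods: [POST, PUT, PATCH, DELETE] }

    # Reads (GET/HEAD) on /api and everything else on the site only need
    # a remembered login; this is the first rule that matches them.
    - { path: ^/,         role: IS_AUTHENTICATED_REMEMBERED }
```

Two checks worth running after such a change: confirm with `app/console router:debug` that no write endpoint is still reachable via GET (a GET /api/entity/delete/42 route would slip through the methods filter), and send a POST to an API route as a non-admin user to verify that the response is 403 rather than a successful write.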
