Securing your application¶
Sulu is delivered with two different possiblities to protect parts of your application. The first is the permissions based on security contexts, which allow you to restrict access to entire parts of your application or Sulu. The permissions for this kind of security are managed on a roles level. In addition to that the localization for which these permissions are valid has to be defined on the assignment of the role to the user.
The second way is to protect the access on a per-object basis. These permissions are set on the specific object. The user still has to have the correct localizations assigned in order to gain access.
This tutorial will show how to use Sulu’s security functionality with your own application specific code.
Protect content using a security context¶
This section describes how to protect an entire part of your application (but not a specific object).
Define your security context¶
First of all you have to define the security context, which is represented by a
simple string. This is done in the Admin
class of your Bundle:
<?php
namespace Acme\Bundle\ExampleBundle\Admin;
use Sulu\Bundle\AdminBundle\Admin\Admin;
class AcmeExampleAdmin extends Admin
{
// ...
public function getSecurityContexts()
{
return array(
'Sulu' => array(
'Acme' => array(
'sulu.acme.example'
)
);
);
}
// ...
}
This information is defined in the getSecurityContexts
method, which should
return an array. The first level describes the system to which the security
context applies - this would either be Sulu (for stuff in the administration)
or a different context that you have defined manually.
The second level just defines the title for another separation used in the administration interface. The third and last level defines the name of the permissions themselves. This name follows a namespacing scheme based on the previously used names.
Note
Since the Admin
class is registered as a bundle, you can make use of
different services to define the available security contexts. For example
the SuluContentBundle uses a service to create an own security context for
all available webspaces in the system.
Protect your controller¶
After defining a security context, you can use it to easily protect the actions
of one of your controllers. All you have to do is to implement the
SecuredControllerInterface
telling the SuluSecuriyListener
which
security context and locale to use for the permission check:
<?php
namespace Acme\Bundle\ExampleBundle\Controller;
use FOS\RestBundle\Routing\ClassResourceInterface;
use Sulu\Component\Security\SecuredControllerInterface;
use Symfony\Component\HttpFoundation\Request;
class ExampleController implements ClassResourceInterface, SecuredControllerInterface
{
public function cgetAction()
{
// code for your get action
}
public function postAction()
{
// code for your post action
}
// ...
public function getLocale(Request $request)
{
return $request->get('locale');
}
public function getSecurityContext()
{
return 'sulu.acme.example';
}
}
The getLocale
method returns the locale, which is probably determined
somehow by the request, and the getSecurityContext
method defines which
security context is required to access this type of resource.
The SuluSecurityListener
appends the information on which type of
permission (view, add, edit, delete, …) is required, and
automatically takes care of the permission check and returns a page with a
status code of 403 in case the permissions for the currently logged in user
where not sufficient.