diff --git a/best_practices/security.rst b/best_practices/security.rst index 77f23f562e6..bde6ef7f123 100644 --- a/best_practices/security.rst +++ b/best_practices/security.rst @@ -74,15 +74,13 @@ Authorization (i.e. Denying Access) ----------------------------------- Symfony gives you several ways to enforce authorization, including the ``access_control`` -configuration in :doc:`security.yml `, the -:ref:`@Security annotation ` and using -:ref:`isGranted ` on the ``security.context`` +configuration in :doc:`security.yml ` and +using :ref:`isGranted ` on the ``security.context`` service directly. .. best-practice:: * For protecting broad URL patterns, use ``access_control``; - * Whenever possible, use the ``@Security`` annotation; * Check security directly on the ``security.context`` service whenever you have a more complex situation. 
@@ -95,44 +93,14 @@ with a custom security voter or with ACL. * For restricting access to *any* object by *any* user via an admin interface, use the Symfony ACL. -.. _best-practices-security-annotation: - -The @Security Annotation ------------------------- - -For controlling access on a controller-by-controller basis, use the ``@Security`` -annotation whenever possible. It's easy to read and is placed consistently -above each action. - -In our application, you need the ``ROLE_ADMIN`` in order to create a new post. -Using ``@Security``, this looks like: - -.. code-block:: php - - use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route; - use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; - // ... - - /** - * Displays a form to create a new Post entity. - * - * @Route("/new", name="admin_post_new") - * @Security("has_role('ROLE_ADMIN')") - */ - public function newAction() - { - // ... - } - .. _best-practices-directly-isGranted: +.. _checking-permissions-without-security: -Checking Permissions without @Security --------------------------------------- +Manually Checking Permissions +----------------------------- -The above example with ``@Security`` only works because we're using the -:ref:`ParamConverter `, which gives the expression -access to the a ``post`` variable. If you don't use this, or have some other -more advanced use-case, you can always do the same security check in PHP: +If you cannot control the access based on URL patterns, you can always do +the security checks in PHP: .. code-block:: php 
@@ -220,21 +188,7 @@ To enable the security voter in the application, define a new service: tags: - { name: security.voter } -Now, you can use the voter with the ``@Security`` annotation: - -.. code-block:: php - - /** - * @Route("/{id}/edit", name="admin_post_edit") - * @Security("is_granted('edit', post)") - */ - public function editAction(Post $post) - { - // ... - } - -You can also use this directly with the ``security.context`` service or via -the even easier shortcut in a controller: +Now, you can use the voter with the ``security.context`` service: .. code-block:: php @@ -268,5 +222,4 @@ If your company uses a user login method not supported by Symfony, you can develop :doc:`your own user provider ` and :doc:`your own authentication provider `. -.. _`@Security annotation`: http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle
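Review bot: in the first hunk (``@@ -74,15 +74,13 @@``) the intro sentence still says Symfony gives you "several ways" to enforce authorization, but with the ``@Security annotation`` line dropped only two remain (``access_control`` and ``isGranted`` on ``security.context``); reword to "two ways". The best-practice list loses its middle bullet in the same hunk, so state explicitly what now covers per-action checks: ``access_control`` only protects requests whose URL matches a pattern, and any action outside those patterns is protected only if it calls ``isGranted`` itself, which is the point the removed bullet used to carry.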
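Review bot: in the second hunk (``@@ -95,44 +93,14 @@``) the label ``best-practices-security-annotation`` is deleted while a new label ``checking-permissions-without-security`` is added next to the retained ``best-practices-directly-isGranted``; any ``:ref:`` elsewhere in the docs that still points at the removed label will now be an unresolved reference, and the new label's name still says "without security" for a section retitled "Manually Checking Permissions", so either drop it or rename it to match the new title. The replacement intro ("If you cannot control the access based on URL patterns, you can always do the security checks in PHP") also removes the only explanation of where the ``post`` variable came from (the ParamConverter); if the ``.. code-block:: php`` that follows still takes a ``Post`` argument, keep one sentence saying how that object is loaded.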
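Review bot: in the third hunk (``@@ -220,21 +188,7 @@``) the deleted paragraph covered both the ``security.context`` service and "the even easier shortcut in a controller", while the new lead-in says only "use the voter with the ``security.context`` service"; check that the unchanged ``.. code-block:: php`` immediately after it still matches that sentence, and mention the controller shortcut if the block shows it. With the ``is_granted('edit', post)`` example gone, the section also no longer shows the attribute/object pair the voter is written for; make sure the remaining block contains the equivalent ``isGranted('edit', $post)`` call, otherwise readers are left with a voter and no example of invoking it.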
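Review bot: in the last hunk (``@@ -268,5 +222,4 @@``) removing the ``@Security annotation`` link target is consistent with the rest of the change, but grep the file for any surviving ```@Security annotation`_`` reference before merging; one left behind would now resolve to nothing. Keeping the ``FOSUserBundle`` target is fine.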
