On 10/9/10 5:49 PM, Jordi Boggiano wrote:
Heya,
Sadly I couldn't attend sfday, but I just read the slides, and I have a
question regarding the Security/Firewall thingy.
Why are all the patterns defined on urls? Why not using routes (as we do
in templates to reference URLs)? Can't we define security on a
per-controller/action basis rather than trying to pinpoint URLs?
The access control rules choice is based on a RequestMatcher object. If
you have a look at the slide, you will see an example on the controller
class name, one on the IP address, ... So, this is quite flexible.
I guess we'll be able to access the user's role from the controller to
assess more fine-grained rights, like the guy can edit an article, but
not that last field of the form.
Yes
$this['security.context']->getUser()->getRoles();
I also guess a user can have multiple roles, if not I think this should
be adjusted.
Yes, multiple roles are possible: roles="ROLE_USER,ROLE_REMOTE"
And the roles are hierarchically stored.
Fabien
Cheers
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
