Search code examples
phpsymfonysilexsymfony-2.5symfony-security

How to implement an authorization system based on session variables?

I am trying to migrate my application from Silex to Symfony.

I am using the Silex before(...) method to register methods to get executed before the action itself is been exectuted to check if some session variables are set.
I can do similar with the event listener in Symfony, but the controllers needs different before methods for contained action methods.

At the moment it looks like the following with Silex:

$controllers = $app['controllers_factory'];
$controllers->before($this->guard('user'));

$controllers->get('/switch/{gameId}', $this->action('switch'))
    ->bind('game:switch')
    ->value('gameId', 0)
    ->assert('gameId', '\d+');
$controllers->match('/register', $this->action('register'))
    ->before($this->guard('player'))
    ->bind('game:register');

return $controllers;

A fully authenticated user can access some controller actions if he selects a container object before. So finally the guard methods are a kind of access control.
If the user accesses the actions without selecting the object, I want to redirect the user to the selection or similar.

One idea would be to implement it as roles and grant roles temporarily during the session.
I can combine it with a custom controller called by access_denied_url or the better way to implement an own access_denied_handler to handle Access denied by the access control handler.
But it seems that there is no possibility to store roles just temporar while the user is logged in.

Another idea is to use the allow_if expression under access_control, but there is again the point, how do I react if there is an exception (access denied, how to implement an Access Denied Handler)?

How would you implement such a system?
Thanks for any hints in advice!

Solution

  • After more research I implemented the event listener solution to have something working and an interface which defines some methods to handle the different types of checking: 

    interface GameGuardController
{
    // returns the controller level of check
    public function getControllerLevel();

    // returns an array to override level for actions
    public function getMethodLevel();
}

    Using the RouterInterface's match method I get the route data and can extract the action name from the controller to access overriding method levels.