symfony acl sonata-admin sonata symfony-2.8

Sonata Admin - assign permissions to roles


I lack knowledge of how Symfony ACL works, especially when using Sonata...

Sonata has some permissions like:

LIST - view the list of objects

VIEW - view the detail of one object

CREATE - create a new object

EDIT - update an existing object

DELETE - delete an existing object

EXPORT - (for the native Sonata export links)

ALL - grants LIST, VIEW, CREATE, EDIT, DELETE and EXPORT

I also assigned my own created permissions for my own custom actions:

protected $accessMapping = array(
    'VERIFY' => 'EDIT',
    'UNVALIDATE' => 'EDIT',
    'CLOSE' => 'EDIT'
);

As I understand it, I just need to grant the user the EDIT permission for them to be able to VERIFY, UNVALIDATE and CLOSE.

Admin users can have 3 roles:

security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_SONATA_ADMIN
        ROLE_SUPER_ADMIN: ROLE_ADMIN

Now, depending on the role, a user should have certain permissions.

E.g. ROLE_ADMIN should have LIST, VIEW, EDIT, EXPORT and ROLE_SUPER_ADMIN should be granted ALL.

How could I manage it?

P.S. I am NOT using SonataUserBundle!


Solution

  • What I usually do is just use SecurityVoters

    http://www.branchbit.be/blog/using-custom-voters-in-sonata-admin

    This gives you a simple way of checking roles, permissions, and object properties, and deciding if a specific action is allowed on a specific object by a specific user.
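
A sketch of such a voter for the role-to-permission split asked about in the question. It is an added example, not code from the answer or the linked post. It assumes Sonata's role security handler, which checks attributes of the form ROLE_<ADMIN_CODE>_<PERMISSION>; the admin code `app.admin.ticket` and the `AppBundle\Security` namespace are hypothetical.

```php
<?php
// Added example. Assumes Sonata's role security handler and a hypothetical
// admin service id "app.admin.ticket" (attributes ROLE_APP_ADMIN_TICKET_<PERMISSION>).
namespace AppBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class AdminPermissionVoter extends Voter
{
    // Attribute prefix for the hypothetical admin; the suffix is the permission.
    const PREFIX = 'ROLE_APP_ADMIN_TICKET_';

    // Role => permissions from the question (ALL written out for ROLE_SUPER_ADMIN).
    private static $grants = array(
        'ROLE_SUPER_ADMIN' => array('LIST', 'VIEW', 'CREATE', 'EDIT', 'DELETE', 'EXPORT'),
        'ROLE_ADMIN'       => array('LIST', 'VIEW', 'EDIT', 'EXPORT'),
    );

    private $decisionManager;

    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        $this->decisionManager = $decisionManager;
    }

    protected function supports($attribute, $subject)
    {
        return is_string($attribute) && strpos($attribute, self::PREFIX) === 0;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $permission = substr($attribute, strlen(self::PREFIX));
        foreach (self::$grants as $role => $permissions) {
            // decide() applies role_hierarchy, so ROLE_SUPER_ADMIN also satisfies ROLE_ADMIN.
            if (in_array($permission, $permissions, true)
                && $this->decisionManager->decide($token, array($role))) {
                return true;
            }
        }
        return false; // default deny: CREATE and DELETE stay closed to ROLE_ADMIN
    }
}
```

Register the class as a service tagged `security.voter` with `@security.access.decision_manager` as its constructor argument. The grant only takes effect under the default `affirmative` decision strategy, because the built-in role voter denies role-style attributes the user does not hold directly.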