A short blurb on using sfGuardPlugin credentials : Beutelevision

(Here are a few notes I made to myself about the credential system.)

Credentials are part of the sfGuardPlugin security system for Symfony. For some reason, Symfony also refers to credentials as permissions. As far as I can tell, the two terms are used interchangeably.

sfGuardUser records are stored in the sf_guard_user table.

The tables in the sfGuard permission system are:

sf_guard_permission <- represents a permission (credential)
sf_guard_group <- represents a group.
sf_guard_group_permission <- associates permissions to groups
sf_guard_user_group <- associates users to groups

Typcially, users belong to one or more groups, and groups are associated to permissions. This is the preferred method, and the above 4 tables are all that is needed to associate permissions to users, via groups.

It is possible (but not usually advisable) to associate a user directly with a permission by using the following table:

sf_guard_user_permission <- associates users to permissions

Permissions

Permissions typically represent what a user can do, as opposed to representing a “type” of user. Examples of proper permissions are:

can_view_items
can_edit_items

The following are improper permissions because they represent user types:

paying_clients
non_paying_clients

Restricting actions via security.yml

For credentials to work, the user must be logged in. Since an application is divided into modules, it is conventional to divide modules into those that don’t require a logged-in user (i.e. fully public pages, such as main/aboutUs or main/termsAndConditions), and those modules that do require a logged-in user.

To require a login for a module, add the following into the module’s config/security.yml file:

 all:
   secure: on

For the most part, permissions are assigned to specific actions. For example:

 listItems:
   credential: can_view_items

 editItem:
   credential: can_edit_items

Using permissions within actions

 public function executeIndex( )
 {
   $user = $this->getUser();

   if($user->has_credential('can_view_items') )
   {
     // get the item list
     ...
   }

   ... and so forth
 }

resume building

test
Benoit

thanks that's the poin I missed in SF doc & tutorials
Benoit

thanks that's the poin I missed in SF doc & tutorials
acidventure

thank u!!

I have 2 Tips:

1) for get the sfGuardUser on the Action:
$user = $this->getUser()->getGuardUser();
2) and on the Layout:
$user = $sf_user->getGuardUser();

This is most powerful and we can return a Doctrine-Object with all his relationships

, Best!! 😉
Severin

credentials are from sfBasicSecurity user

permissions are from sfGuardPlugin

permissions and credentials are NOT interchangeable at all UNLESS you overwrite hasCredential in myUser.class.php

class myUser extends sfGuardSecurityUser
{
public function hasCredential($credential, $useAnd = true) {
if ($p = parent::hasCredential($credential, $useAnd)) { return $p;}
if (is_string($credential) && ($p = parent::hasPermission($credential))) { return $p;};
return $p;
}
}hasCredential is passing all kinds of arrays arround and is iteratively calling itself … when it is a string we also check hasPermission
Catalin Popescu

Sorry, but I still didn't quite get the difference between credentials and permissions. They both are one string/identifier limiting access to a resource. Am I right? So as far as words are concerned, they can be used interchangeably, maybe as far as concepts are concerned they differ, as belonging to different contexts (sfBasicSecurity, and sfBasicSecurity respectively).
I'm not sure if I explained clearly my point.
As always, an example would surely clarify on this issue… would you be so kind to provide one? As this is also a foggy issue for me…
Thanks in advance

Beutelevision