User specific content in Symfony

Question

I am currently working on a webapplication in Symfony. The application involves many clients which all have their own account to login with. For the user management I use Friends of Symfony User Bundle which I'm more than happy with.

In the application an Admin needs to see the information belonging to all the clients, where a client needs to get restricted to only be able to see his own information.

At this point FOS assigns the role "User" to all the accounts I register. I have considered to only give the client access to information belonging to him by using a query like;

    $query = $this->getEntityManager()
        ->createQuery(
            'SELECT c FROM clientsBundle:client c
             WHERE c.name LIKE :string'
            )->setParameter('string', '%'.$string.'%');

Then give var clientID the value of the clients id, and then get all the information needed according to that value (id).

But to be honest I don't really think this is the best practice.

I was wondering if there is maybe an (easier) option to not only allow the user to access certain pages through security.yml in Symfony, but also make the content in that page user specific.

Any help would be much appreciated.

Answer 1

we're currently working on a large web app that holds accounting information for users. So a similar thing where you only want your user to have access to their own data.

we simply write a number of verifyAccessTo methods that check that the entity that theyre trying to access belongs to their organisation (in our case a school) by assigning a relationship to that entity.

It might look something like this.

public function verifyAccessToTag( School $school, Tag $entry ) {
    return $entry->getSchool()->getId() == $school->getId();
}

then when we're listing out data, we'll query specifically for entities relating to that school.

If you have specific area of a site that need particular access, such as admin areas, then in the firewall is the place to do it (security.yml).

If you need to sift and restrict on data, then the way you query and validate access on the specific data is probably the only way.

The whole world of security is a massive one, but heres some resources that might help.

securing services <-- this is really useful for ranked systems

deny access to content

voters

Hope that helps.

Answer 2

You can get the user's id and use that:

$user = $this->container->get('security.context')->getToken()->getUser();
$user->getId();