How to retrieve full role hierarchy in Symfony

Question

I'm using symfony2 role hierarchy, it works well, but in order to perform some changes, i have to retrieve the role_hierarchy set up in my security.yml.

role_hierarchy:
ROLE_USER: [ROLE_ACCESS_USER, ROLE_ACCESS_DATA, ROLE_ACCESS_PRODUCT]

Using getRoles() just return ROLE_USER, how can i know in my code that ROLE_USER is made with ROLE_ACCESS_USER, ROLE_ACCESS_DATA, ROLE_ACCESS_PRODUCT?

thanks for helping.

Answer 1

With auto wiring enabled, you can also directly inject the RoleHierarchy object filled with the global role hierarchy. Simply inject the RoleHierarchyInterface in your controller or service by using dependency injection:

use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;

public function __construct(RoleHierarchyInterface $roleHierarchy)
{
    $this->roleHierarchy = $roleHierarchy;
}

Note: This also allows you to call getReachableRoles() on the RoleHierarchy object, which could be useful in your case:

use Symfony\Component\Security\Core\Role\Role;

$this->roleHierarchy->getReachableRoles([new Role('ROLE_USER')]);

$this->roleHierarchy->getReachableRoleNames(['ROLE_USER']); // Symfony 5+

---

As of Symfony4 you have to add an alias for security.role_hierarchy in your config/services.yml by adding the following line:

services:
    # creating alias for RoleHierarchyInterface
    Symfony\Component\Security\Core\Role\RoleHierarchyInterface: '@security.role_hierarchy'

Answer 2

Symfony 5 answer

namespace App\Controller;

...
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
use Symfony\Component\Security\Core\Role\RoleHierarchy;

class UserController extends AbstractController
{
    private $roleHierarchy;

    /**
     * @Route("/users", name="users")
     */
    public function usersIndex(RoleHierarchyInterface $roleHierarchy)
    {
        $this->roleHierarchy = $roleHierarchy;

        // your user service or your Doctrine code here
        $users = ...

        foreach ($users as $user) {
            if ($this->isGranted($user, 'ROLE_SUPER_ADMIN')) {
                ...
            }
        }
        ...
    }

    private function isGranted(User $user, string $role): bool 
    {
        $reachableRoles = $this->roleHierarchy->getReachableRoleNames($user->getRoles());

        foreach ($reachableRoles as $reachableRole) {
            if ($reachableRole === $role) {
                return true;
            }
        }

        return false;
    }
}

Note: I put everything in the controller for the sake of simplicity here, but of course I'd recommend to move the Role Management code into your own dedicated role service.

Answer 3

For a correct representation of your roles, you need recursion. Roles can extend other roles.

Here is an example: https://stackoverflow.com/a/36900807/3635680

Answer 4

security.role_hierarchy.roles is all security roles defined in security.yml

If you want to include Sonata Admin roles, you could check code in SonataUserBundle\Form\Type\SecurityRolesType

foreach ($this->pool->getAdminServiceIds() as $id) {
            try {
                $admin = $this->pool->getInstance($id);
            } catch (\Exception $e) {
                continue;
            }

            $securityHandler = $admin->getSecurityHandler();

            foreach ($securityHandler->buildSecurityInformation($admin) as $role => $acls) {
                $roles[$role] = $role;
            }
        }