add ACL documentation, add ACL check inside template files

Command/ListAdminCommand.php

@@ -29,7 +29,6 @@ public function configure()
 
     public function execute(InputInterface $input, OutputInterface $output)
     {
-
         $pool = $this->container->get('sonata.admin.pool');
 
         $output->writeln("<info>Admin services:</info>");

Resources/doc/conf.py

@@ -92,15 +92,15 @@
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-html_theme = 'default'
+html_theme = 'basic'
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #html_theme_options = {}
 
 # Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
+html_theme_path = ['/Users/thomas/Projects/']
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".

Resources/doc/index.rst

@@ -24,6 +24,7 @@ Reference Guide
    reference/saving_hooks
    reference/routing
    reference/dashboard
+   reference/security
 
 Doctrine ORM
 ------------

Resources/doc/reference/installation.rst

@@ -74,3 +74,4 @@ At this point you can access to the dashboard with the url:
     the above configuration and routing will actually be placed in those
     files, with the correct format (i.e. XML or PHP).
 
+The last important step is security, please refer to the dedicated section.

Resources/doc/reference/security.rst

@@ -0,0 +1,126 @@
+Security
+========
+
+The current ``AdminBundle`` implementation uses ACL and ROLES to handle permissions.
+
+If you want an easy way to handle users, please use :
+
+ - https://github.com/FriendsOfSymfony/UserBundle : handle users and group stored from RDMS or MongoDB
+ - https://github.com/sonata-project/UserBundle : integrate the ``FriendsOfSymfony/UserBundle`` with
+   the ``AdminBundle``
+
+The security integration is a work in progress and have some knows issues :
+ - ACL permissions are immutables
+ - Only one PermissionMap can be defined
+
+
+Configuration
+-------------
+
+
+    - The following configuration defines :
+
+        - the ``FriendsOfSymfony/UserBundle`` as a security provider
+        - the login form for authentification
+        - the access control : resources with related required roles, the important part is the admin configuration
+        - the ``acl`` option enable the ACL.
+
+.. code-block:: yaml
+
+    parameters:
+        # ... other parameters
+        security.acl.permission.map.class: Sonata\AdminBundle\Security\Acl\Permission\AdminPermissionMap
+
+    security:
+        providers:
+            fos_userbundle:
+                id: fos_user.user_manager
+
+        firewalls:
+            main:
+                pattern:      .*
+                form-login:
+                    provider:       fos_userbundle
+                    login_path:     /login
+                    use_forward:    false
+                    check_path:     /login_check
+                    failure_path:   null
+                logout:       true
+                anonymous:    true
+
+        access_control:
+            # The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
+            - { path: ^/wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+
+            # AsseticBundle paths used when using the controller for assets
+            - { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+
+            # URL of FOSUserBundle which need to be available to anonymous users
+            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY } # for the case of a failed login
+            - { path: ^/user/new$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/check-confirmation-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/confirm/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/confirmed$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/request-reset-password$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/send-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/check-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+            - { path: ^/user/reset-password/, role: IS_AUTHENTICATED_ANONYMOUSLY }
+
+            # Secured part of the site
+            # This config requires being logged for the whole site and having the admin role for the admin part.
+            # Change these rules to adapt them to your needs
+            - { path: ^/admin/, role: ROLE_ADMIN }
+            - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
+
+
+        role_hierarchy:
+            ROLE_ADMIN:       ROLE_USER
+            ROLE_SUPERADMIN: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_ALLOWED_TO_SWITCH]
+
+        acl:
+            connection: default
+
+- Install the ACL tables ``php app/console init:acl``
+
+- Create a new user :
+
+.. code-block::
+
+    # php app/console fos:user:create
+    Please choose a username:root
+    Please choose an email:[email protected]
+    Please choose a password:root
+    Created user root
+
+
+- Promote an user as super admin :
+
+.. code-block::
+
+    # php app/console fos:user:promote root
+    User "root" has been promoted as a super administrator.
+
+If you have Admin classes, you can install the related CRUD ACL rules :
+
+.. code-block::
+
+    # php app/console sonata:admin:setup-acl
+    Starting ACL AdminBundle configuration
+    > install ACL for sonata.media.admin.media
+       - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_EDIT, ACL: ["EDIT"]
+       - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_LIST, ACL: ["LIST"]
+       - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_CREATE, ACL: ["CREATE"]
+       - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_DELETE, ACL: ["DELETE"]
+       - add role: ROLE_SONATA_MEDIA_ADMIN_MEDIA_OPERATOR, ACL: ["OPERATOR"]
+    ... skipped ...
+
+If you try to access to the admin class you should see the login form, just logon with the ``root`` user.
+
+Usage
+-----
+
+Everytime you create a new ``Admin`` class, you should create start the command ``php app/console sonata:admin:setup-acl``
+so the ACL database will be updated with the latest masks and roles informations.

Resources/views/CRUD/action.html.twig

@@ -14,8 +14,12 @@ file that was distributed with this source code.
 {% block actions %}
     <div class="sonata-actions">
         <ul>
-            <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
-            <li class="sonata-action-element"><a href="{{ admin.generateUrl('list') }}">{% trans from 'SonataAdminBundle' %}link_action_list{% endtrans %}</a></li>
+            {% if admin.isGranted('CREATE')%}
+                <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
+            {% endif %}
+            {% if admin.isGranted('LIST')%}
+                <li class="sonata-action-element"><a href="{{ admin.generateUrl('list') }}">{% trans from 'SonataAdminBundle' %}link_action_list{% endtrans %}</a></li>
+            {% endif %}
         </ul>
     </div>
 {% endblock %}

Resources/views/CRUD/base_edit.html.twig

@@ -14,8 +14,12 @@ file that was distributed with this source code.
 {% block actions %}
     <div class="sonata-actions">
         <ul>
-            <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
-            <li class="sonata-action-element"><a href="{{ admin.generateUrl('list') }}">{% trans from 'SonataAdminBundle' %}link_action_list{% endtrans %}</a></li>
+            {% if admin.isGranted('CREATE')%}
+                <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
+            {% endif %}
+            {% if admin.isGranted('LIST')%}
+                <li class="sonata-action-element"><a href="{{ admin.generateUrl('list') }}">{% trans from 'SonataAdminBundle' %}link_action_list{% endtrans %}</a></li>
+            {% endif %}
         </ul>
     </div>
 {% endblock %}

Resources/views/CRUD/base_list.html.twig

@@ -14,7 +14,9 @@ file that was distributed with this source code.
 {% block actions %}
     <div class="sonata-actions">
         <ul>
-            <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
+            {% if admin.isGranted('CREATE')%}
+                <li class="sonata-action-element"><a href="{{ admin.generateUrl('create') }}">{% trans from 'SonataAdminBundle' %}link_action_create{% endtrans %}</a></li>
+            {% endif %}
         </ul>
     </div>
 {% endblock %}

Resources/views/CRUD/base_list_field.html.twig

@@ -10,7 +10,7 @@ file that was distributed with this source code.
 #}
 
 <td class="sonata-ba-list-field sonata-ba-list-field-{{ field_description.type }}" objectId="{{ object.id }}">
-    {% if field_description.options.identifier is defined %}
+    {% if field_description.options.identifier is defined and admin.isGranted('EDIT') %}
         <a href="{{ admin.generateUrl('edit', {'id': object.id}) }}">
             {% block field %}{{ value }}{% endblock %}
         </a>

Resources/views/CRUD/edit_orm_many_to_many.html.twig

@@ -21,7 +21,9 @@ file that was distributed with this source code.
             <a
                 href="{{ field_description.associationadmin.generateUrl('create') }}"
                 onclick="start_field_dialog_form_add_{{ field_element.vars.id }}(event)"
-                class="sonata-ba-action">
+                class="sonata-ba-action"
+                style="{% if not field_description.associationadmin.isGranted('CREATE')%}display:none{% endif %}"
+                >
                     <img
                         src="{{ asset('bundles/sonataadmin/famfamfam/add.png') }}"
                         alt="{% trans from 'SonataAdminBundle' %}btn_add{% endtrans %}"

Resources/views/CRUD/edit_orm_many_to_one.html.twig

@@ -45,7 +45,9 @@ file that was distributed with this source code.
                 {% if field_description.options.edit == 'list' %}
                     <a  href="{{ field_description.associationadmin.generateUrl('list') }}"
                         onclick="start_field_dialog_form_list_{{ field_element.vars.id }}(event)"
-                        class="sonata-ba-action">
+                        class="sonata-ba-action"
+                        style="{% if not field_description.associationadmin.isGranted('LIST')%}display:none{% endif %}"
+                        >
                         <img src="{{ asset('bundles/sonataadmin/famfamfam/application_view_list.png') }}"
                              alt="{% trans from 'SonataAdminBundle' %}btn_add{% endtrans %}"
                         />
@@ -54,7 +56,9 @@ file that was distributed with this source code.
 
                 <a  href="{{ field_description.associationadmin.generateUrl('create') }}"
                     onclick="start_field_dialog_form_add_{{ field_element.vars.id }}(event)"
-                    class="sonata-ba-action">
+                    class="sonata-ba-action"
+                    style="{% if not field_description.associationadmin.isGranted('CREATE')%}display:none{% endif %}"
+                    >
                         <img src="{{ asset('bundles/sonataadmin/famfamfam/add.png') }}"
                             alt="{% trans from 'SonataAdminBundle' %}btn_add{% endtrans %}"
                         />

Resources/views/CRUD/edit_orm_one_to_many.html.twig

@@ -70,7 +70,9 @@ file that was distributed with this source code.
                 <a
                     href="{{ field_description.associationadmin.generateUrl('create') }}"
                     onclick="start_field_retrieve_{{ field_element.vars.id }}(event)"
-                    class="sonata-ba-action">
+                    class="sonata-ba-action"
+                    style="{% if not field_description.associationadmin.isGranted('CREATE')%}display:none{% endif %}"
+                    >
                     <img
                         src="{{ asset('bundles/sonataadmin/famfamfam/add.png') }}"
                         alt="{% trans from 'SonataAdminBundle' %}btn_add{% endtrans %}"
@@ -121,7 +123,9 @@ file that was distributed with this source code.
                 <a
                     href="{{ field_description.associationadmin.generateUrl('create') }}"
                     onclick="start_field_dialog_form_add_{{ field_element.vars.id }}(event)"
-                    class="sonata-ba-action">
+                    class="sonata-ba-action"
+                    style="{% if not field_description.associationadmin.isGranted('CREATE')%}display:none{% endif %}"
+                    >
                     <img
                         src="{{ asset('bundles/sonataadmin/famfamfam/add.png') }}"
                         alt="{% trans from 'SonataAdminBundle' %}btn_add{% endtrans %}"