views: 449
answers: 3

I have a website with a large number of admin generators to take care of an assortment of tables. Within the realm of authenticated users, I want to be able to deny access, not just to individual actions or fields, but an entire admin module.

There doesn't appear to be a global credentials parameter for generator.yml, and putting stuff in security.yml at the module level doesn't appear to have any effect.

I've browsed the generated code and looked at cache/front/dev/modules/autoFoo/actions/actions.class.php, and at preExecute() in particular, but I don't know what to do.

I suppose I have to overwrite preExecute() in my own actions.class.php file, but I'm a bit unsure about what needs to be done, e.g., when to call parent::preExecute() (if in fact I need to or not).

+1  A: 

Answering my own question, with the results of some preliminary investigations, it would appear that:

class fooActions extends autoFooActions
{
  public function preExecute()
  {
    // Deny the whole module to users lacking the credential, before any action runs.
    if (!sfContext::getInstance()->getUser()->hasCredential('can_do_foo'))
    {
      $this->redirect('@homepage');
    }
    parent::preExecute();
  }
}

...will at least prevent people from hacking URLs to get at the admin function. But I am led to believe that sfContext::getInstance() is evil. Hence I'm still looking for the Right Way To Do It.

dland
It's not that evil in actions/controllers :] Indeed, access to the context and/or session is necessary there. Wherever you can (and in an action, you can), use $this->getContext() anyway.
gpilotino
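The same module-wide check written the way the comment above suggests, using the action's own accessors instead of sfContext::getInstance(). This is an added example, not code from the original post; it assumes a module named foo, a credential named can_do_foo, and the stock symfony 1.x secure action configured in settings.yml.

```php
<?php
// apps/frontend/modules/foo/actions/actions.class.php (path and module name assumed)
class fooActions extends autoFooActions
{
  public function preExecute()
  {
    // The action already holds the user; no need to reach for sfContext::getInstance().
    // 'can_do_foo' is the assumed credential name guarding this admin module.
    if (!$this->getUser()->hasCredential('can_do_foo'))
    {
      // Record the attempt so unauthorized hits on the admin module show up in the logs.
      $this->logMessage(sprintf('Denied access to module foo: missing credential (%s %s)',
        $this->getRequest()->getMethod(), $this->getRequest()->getUri()), 'warning');

      // Forward to the application's secure (403) action rather than silently redirecting
      // home; forward() throws sfStopException, so nothing after it executes.
      $this->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
    }

    // Only once the check has passed, let the generated admin module do its own setup.
    parent::preExecute();
  }
}
```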
+2  A: 

I believe you can set the credentials inside of the module level security.yml by setting the "all" value. That is, inside of <module>/config/security.yml, put:

all:
  credentials: ModuleAccess
jeremy
That's what I thought, too, except I tried 'default' as the top-level key. Neither works in any event.
dland
I just double checked, this works for me in sf 1.2.
jeremy
+1  A: 

Your security.yml file in your module/config folder should look like this:

default:
  is_secure: on
  credentials: [ module_access ]
samsam