How to Define Access Control List

Access control is composed of two steps:

  • Creating ACL resources
  • Enforcing the permissions

Creating ACL resources

You can create two types of ACL resources: action and entity.

There are two ways of defining the ACL:

  1. In YourCustomBundle/Resources/config/acl.yml

    # YourCustomBundle/Resources/config/acl.yml
    your_custom_entity_edit:
        type: entity
        class: YourCustomBundle:CustomEntity
        permission: EDIT
    
    your_custom_action:
        type: action
        label: Your custom action
    
    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;
    
    class CustomController extends AbstractDoctrineController
    {
        /**
         * @AclAncestor("your_custom_entity_edit")
         */
        public function editAction()
        {
        }
    
        /**
         * @AclAncestor("your_custom_action")
         */
        public function customAction()
        {
        }
    }
    
  2. Directly in the controller using annotations

    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\Annotation\Acl;
    
    class CustomController extends AbstractDoctrineController
    {
        /**
         * @Acl(
         *      id="your_custom_entity_edit",
         *      type="entity",
         *      class="YourCustomBundle:CustomEntity",
         *      permission="EDIT"
         * )
         */
        public function editAction()
        {
        }
    
        /**
         * @Acl(
         *      id="your_custom_action",
         *      type="action",
         *      label="Your custom action"
         * )
         */
        public function customAction()
        {
        }
    }
    

For a more complete explanation of the ACL options, refer to OroSecurityBundle.

Enforcing the permissions

Controller actions with @Acl or @AclAncestor annotations are already protected. To allow conditional access to other resources, you can either use the SecurityFacade component or enforce permissions directly in templates.

  • Using SecurityFacade:
    # YourCustomBundle/Resources/config/services.yml
    your_custom.controller.custom:
        class: YourCustomBundle\Controller\CustomController
        parent: pim_catalog.controller.abstract_doctrine
        calls:
            - [ setSecurityFacade, ['@oro_security.security_facade'] ]
    
    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\SecurityFacade;
    
    class CustomController extends AbstractDoctrineController
    {
        private $securityFacade;
    
        public function setSecurityFacade(SecurityFacade $securityFacade)
        {
            $this->securityFacade = $securityFacade;
        }
    
        public function removeAction()
        {
            if ($this->securityFacade->isGranted('your_custom_action')) {
                // Access is granted, execute the custom action
            }
        }
    }
    
  • In Twig templates:
    {% if resource_granted('your_custom_action') %}
        {# Some protected content here #}
    {% endif %}