UserGroupSystem
Cleared for editing
The goal of this page is to explain how group rights are handled, checked and configured.
The default Symfony authorization is very powerful and allows for many use cases, but it becomes unmanageable as soon as you have many users who each have different levels of rights. While it is possible to assign roles to individual users, doing so quickly becomes a burden when there are many of them.
The solution to this problem is groups. Symfony does support a role hierarchy, but that is not flexible enough to decide freely which group can do what. The FOSUserBundle supports groups that bundle roles, which is the first step in the right direction, but it is not yet the destination. We also need a system that allows group options that can be integers (e.g. minimum time between posts in a forum).
That is where our system becomes important. It allows groups and users to be managed in such a way that groups can have both boolean options (roles) and other types of options (e.g. integer, select). Furthermore, a user can be a member of multiple groups. The effective rights of a user are always the best that are possible: if something is allowed in one group but denied in another, it will be allowed.
For all other types of options, the effective value is determined by the option type. For each option type there will be a class that returns the effective value from two given values. The UserService will use these classes to retrieve the effective value.
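
The merge rule described above, as an added sketch that is not the project's own code: one class per option type returns the effective value of two values, and a helper folds them over all of a user's groups. All class, function and option names are hypothetical, and the integer rule (the smaller value wins) is an assumption based on the "minimum time between posts" example.

```php
<?php
declare(strict_types=1);

// All names here are hypothetical, not the project's own classes.
interface OptionType
{
    /** Returns the effective value of one option from two group values. */
    public function merge(mixed $a, mixed $b): mixed;
}

// Boolean options (roles): allowed in any one group means allowed.
final class BooleanOption implements OptionType
{
    public function merge(mixed $a, mixed $b): mixed
    {
        return (bool) $a || (bool) $b;
    }
}

// Assumption: for a limit such as seconds between posts, smaller is better.
final class MinIntegerOption implements OptionType
{
    public function merge(mixed $a, mixed $b): mixed
    {
        return min((int) $a, (int) $b);
    }
}

/** Folds the option values of every group a user belongs to into one set. */
function effectiveOptions(array $types, array $groups): array
{
    $effective = [];
    foreach ($groups as $options) {
        foreach ($options as $name => $value) {
            if (!isset($types[$name])) {
                continue; // unregistered option: never grant it implicitly
            }
            $effective[$name] = $types[$name]->merge($effective[$name] ?? $value, $value);
        }
    }
    return $effective;
}

// Constructed sample: a user who is a member of two groups.
$types = ['ROLE_FORUM_POST' => new BooleanOption(), 'post_interval' => new MinIntegerOption()];
$groups = [
    ['ROLE_FORUM_POST' => false, 'post_interval' => 60],
    ['ROLE_FORUM_POST' => true, 'post_interval' => 10],
];
var_dump(effectiveOptions($types, $groups));
```

Because the most permissive value always wins, a restrictive group cannot take away what another group grants; revoking a right means removing the user from every group that grants it.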