Using multiple roles

[olivier3400]

When you specifiy several roles une the @secure annotation an AND is done beetwen the roles.
It is more logical to do an OR as done int the JMS bundle because you can filter it in the controller function.

To do it you must change in the Lsw\SecureControllerBundle\Security\ControllerListener onKernelController function

            if (!$this->securityContext->isGranted($role)) {
                throw new AccessDeniedException(
                    'Current user is not granted required role "'.$role.'".'
                );
            }
        }

by

            if ($this->securityContext->isGranted($role)) return;
        }
        throw new AccessDeniedException('Current user is not granted');

[mevdschee]

Hi, this is tricky since some people may rely on that behavior now.

[olivier3400]

Yes but all people who migrate from the JMS bundle with multiple roles couldn't use it directly (and the new ones also).
A solution could be by using a setting parameter.

[mevdschee]

Hi olivier, I think you are right. It should either be a setting parameters or an alternative annotation for the AND behavior. I do think the exception should be more descriptive, something like: current user is not granted; one of these roles is required: a,b,c.

[RolfBabijn]

Another option that will give you a lot of flexibility is using the @Security annotation provided by the SensioFrameworkExtraBundle (Symfony 2.4+ feature). Use the expression language to filter through multiple roles, set up custom conditions, or anything you like. If you need something really complicated you should probably be looking into another solution than annotations (perhaps a guard (Symfony 2.8+ feature) or a simple listener/subscriber).

/**
 * @Security("has_role('ROLE_USER') or has_role('ROLE_ASSISTANT')")
 */

Source: http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html

[mevdschee]

@Gadgetdude I agree and I added a note to the readme pointing people in that direction.