Description
Suppose I have the following hierarchy of roles and access control definition:
role_hierarchy:
ROLE_FOO: ROLE_USER
ROLE_BAR: ROLE_USER
access_control:
- { path: "^/some/where.*", roles: [ROLE_FOO, ROLE_BAR] }I interpret this as: "Access is granted if user has one of the roles FOO or BAR"
And that is the way it (appears) to work with the default Affermative strategy.
However with Unanimous strategy I believe it works counter-intuitive: "Access is granted if user has all of the roles FOO and BAR"
I guess I missed the s in the documentation:
The idea of a "role" is key to the authorization process. Each user is assigned a set of roles and then each resource requires one or more roles. If the user has the required roleS, access is granted. Otherwise access is denied.
Also
The process of authorization has two different sides:
- The user has a specific set of roles;
- A resource requires a specific role in order to be accessed.
Apart from declaring just ROLE_USER how would it be possible in the latter situation to grant two different roles access to the same resource?
Then, if you look at security.yml in symfony-standard it has two example entries under access_control:
#- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
#- { path: ^/_internal/secure, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }This suggests _roles_ is more than just roles. The AuthenticatedVoter (in this example) and any custom voters are also called with the attributes of the roles property.