@@ -74,15 +74,13 @@ Authorization (i.e. Denying Access)
7474-----------------------------------
7575
7676Symfony gives you several ways to enforce authorization, including the ``access_control ``
77- configuration in :doc: `security.yml </reference/configuration/security >`, the
78- :ref: `@Security annotation <best-practices-security-annotation >` and using
79- :ref: `isGranted <best-practices-directly-isGranted >` on the ``security.context ``
77+ configuration in :doc: `security.yml </reference/configuration/security >` and
78+ using :ref: `isGranted <best-practices-directly-isGranted >` on the ``security.context ``
8079service directly.
8180
8281.. best-practice ::
8382
8483 * For protecting broad URL patterns, use ``access_control ``;
85- * Whenever possible, use the ``@Security `` annotation;
8684 * Check security directly on the ``security.context `` service whenever
8785 you have a more complex situation.
8886
@@ -95,44 +93,14 @@ with a custom security voter or with ACL.
9593 * For restricting access to *any * object by *any * user via an admin
9694 interface, use the Symfony ACL.
9795
98- .. _best-practices-security-annotation :
99-
100- The @Security Annotation
101- ------------------------
102-
103- For controlling access on a controller-by-controller basis, use the ``@Security ``
104- annotation whenever possible. It's easy to read and is placed consistently
105- above each action.
106-
107- In our application, you need the ``ROLE_ADMIN `` in order to create a new post.
108- Using ``@Security ``, this looks like:
109-
110- .. code-block :: php
111-
112- use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
113- use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
114- // ...
115-
116- /**
117- * Displays a form to create a new Post entity.
118- *
119- * @Route("/new", name="admin_post_new")
120- * @Security("has_role('ROLE_ADMIN')")
121- */
122- public function newAction()
123- {
124- // ...
125- }
126-
12796.. _best-practices-directly-isGranted :
97+ .. _checking-permissions-without-security :
12898
129- Checking Permissions without @Security
130- --------------------------------------
99+ Manually Checking Permissions
100+ -----------------------------
131101
132- The above example with ``@Security `` only works because we're using the
133- :ref: `ParamConverter <best-practices-paramconverter >`, which gives the expression
134- access to the a ``post `` variable. If you don't use this, or have some other
135- more advanced use-case, you can always do the same security check in PHP:
102+ If you cannot control the access based on URL patterns, you can always do
103+ the security checks in PHP:
136104
137105.. code-block :: php
138106
@@ -220,21 +188,7 @@ To enable the security voter in the application, define a new service:
220188 tags :
221189 - { name: security.voter }
222190
223- @Security `` annotation:
224-
225- .. code-block :: php
226-
227- /**
228- * @Route("/{id}/edit", name="admin_post_edit")
229- * @Security("is_granted('edit', post)")
230- */
231- public function editAction(Post $post)
232- {
233- // ...
234- }
235-
236- security.context `` service or via
237- the even easier shortcut in a controller:
191+ security.context `` service:
238192
239193.. code-block :: php
240194
@@ -268,5 +222,4 @@ If your company uses a user login method not supported by Symfony, you can
268222develop :doc: `your own user provider </cookbook/security/custom_provider >` and
269223:doc: `your own authentication provider </cookbook/security/custom_authentication_provider >`.
270224
271- .. _`@Security annotation` : http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html
272225.. _`FOSUserBundle` : https://github.com/FriendsOfSymfony/FOSUserBundle
0 commit comments