June 26, 2014 Javier Eguiluz

Symfony applications usually check user permissions with security voters. However, if your security needs are complex and involve both the person who is requesting access and the domain object to which access is being requested, you may need to use the Symfony ACL (Access Control List).

The major drawback of ACL is that the code required to manage permissions is verbose. To help you manage and debug ACL, Symfony 2.6 will introduce a new command called acl:set.

After initializing the ACL tables with the init:acl command, you can use this new command to grant permissions to application users. The --user option takes the fully qualified class name of the user (written with forward slashes instead of backslashes, which are awkward to type in a shell), a colon and the username. For instance, the following command grants the VIEW permission to kevin on the Acme/MyClass object with id = 42:

$ php app/console acl:set --user=Symfony/Component/Security/Core/User/User:kevin VIEW Acme/MyClass:42

Similarly, to grant the DELETE, EDIT and VIEW permissions to the same user on the same object, execute the following command:

$ php app/console acl:set --user=Symfony/Component/Security/Core/User/User:kevin DELETE EDIT VIEW Acme/MyClass:42

The acl:set command also accepts the --role option, which grants permissions to any user that has a specific role. The following command grants the EDIT permission to every editor of the application:

$ php app/console acl:set --role=ROLE_EDITOR EDIT Acme/MyClass:42

The previous examples use the object scope of the ACL, which sets permissions on specific objects (instances of a class). However, Symfony ACL supports other scopes for access control entries. The class scope lets you set permissions on objects of a class rather than on a single instance, with the caveat explained below.

For instance, this command grants anne the OWNER permission on objects of the class Acme/MyClass:

$ php app/console acl:set --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42

When using the class scope, you must still pass a valid id for the class type (that's why the command uses Acme/MyClass:42 instead of Acme/MyClass): the class-scope entry is inserted through the ACL of that object. Moreover, the permissions are not applied to every object of the class, but only to objects of that class which already have an ACL (an object identity row in the ACL tables). For an object that has no ACL at all, the ACL voter finds nothing to evaluate and denies access, regardless of any class-scope entries.
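To make the command's behaviour concrete, here is what acl:set does through the ACL API, together with the check that consumes the entries and the class-scope caveat from the previous paragraph. This is an added example, not code from this post or from Symfony itself; the grantAcl function, the $container and $myClass variables and the id 43 are this example's own assumptions, while the Symfony classes and the security.acl.provider and security.authorization_checker services are the real ones of a Symfony 2.6 application whose ACL tables were created with init:acl.

```php
<?php
// Added example (not from the Symfony blog post or from Symfony itself):
// what `acl:set` does through the ACL API. grantAcl(), $container and
// $myClass are assumptions of this example; the Symfony classes and
// services are real.

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

/**
 * Grant $permissions (e.g. array('DELETE', 'EDIT', 'VIEW')) on "$class:$id"
 * to the security identity $sid. With $classScope = true the entry is stored
 * as a class ACE instead of an object ACE, mirroring --class-scope.
 */
function grantAcl(MutableAclProviderInterface $aclProvider, $class, $id, array $permissions, SecurityIdentityInterface $sid, $classScope = false)
{
    // The command spells class names with forward slashes ("Acme/MyClass")
    // because backslashes are painful in a shell; the ACL needs the real FQCN.
    $oid = new ObjectIdentity($id, str_replace('/', '\\', $class));

    // ACEs hang off an ACL, and an ACL only exists once its object identity
    // row does. This is also why the class scope still needs a concrete id.
    try {
        $acl = $aclProvider->findAcl($oid);
    } catch (AclNotFoundException $e) {
        $acl = $aclProvider->createAcl($oid);
    }

    // Permission names are bits of an integer mask (VIEW, EDIT, DELETE, ...).
    // MaskBuilder rejects unknown names, so a typo fails loudly here instead
    // of silently granting nothing.
    $builder = new MaskBuilder();
    foreach ($permissions as $permission) {
        $builder->add($permission);
    }

    if ($classScope) {
        $acl->insertClassAce($sid, $builder->get());
    } else {
        $acl->insertObjectAce($sid, $builder->get());
    }

    $aclProvider->updateAcl($acl);
}

// --- Usage, e.g. from a controller or console command that has $container ---

/** @var MutableAclProviderInterface $aclProvider */
$aclProvider = $container->get('security.acl.provider');
$userClass = 'Symfony\Component\Security\Core\User\User';

// acl:set --user=Symfony/Component/Security/Core/User/User:kevin DELETE EDIT VIEW Acme/MyClass:42
grantAcl($aclProvider, 'Acme/MyClass', 42, array('DELETE', 'EDIT', 'VIEW'),
    new UserSecurityIdentity('kevin', $userClass));

// acl:set --role=ROLE_EDITOR EDIT Acme/MyClass:42
grantAcl($aclProvider, 'Acme/MyClass', 42, array('EDIT'),
    new RoleSecurityIdentity('ROLE_EDITOR'));

// acl:set --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42
grantAcl($aclProvider, 'Acme/MyClass', 42, array('OWNER'),
    new UserSecurityIdentity('anne', $userClass), true);

// Consuming the entries: the ACL voter answers isGranted() for domain objects
// ($myClass is assumed to be an Acme\MyClass whose getId() returns 42).
// OWNER implies VIEW through the permission map, so anne passes VIEW as well.
$checker = $container->get('security.authorization_checker');
$canView = $checker->isGranted('VIEW', $myClass);

// The class-scope caveat: an Acme\MyClass with id 43 (assumed) that never
// received an ACL has no object identity row, so findAcl() throws
// AclNotFoundException and the ACL voter denies, anne's class ACE
// notwithstanding. Creating that object's ACL is what makes the class-scope
// entry apply to it.
$aclProvider->createAcl(new ObjectIdentity(43, 'Acme\MyClass'));
```

The findAcl/createAcl dance is the part most easily forgotten when scripting ACL setup: createAcl() throws if the ACL already exists, and insertObjectAce() on an ACL that was never persisted does nothing useful, so always resolve the ACL first and call updateAcl() afterwards.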