We needed to decide whether a user loaded from FOSUserBundle is granted a specific role. Because of the role hierarchy, this is not as simple as doing in_array($role, $user->getRoles()). The user model only knows about its own roles, not about what other roles those roles grant it.
The only thing I found that handles this situation is the SecurityContext::isGranted method. The problem is that it checks the role of the "current" user. We needed this information in a command that generates a file and needs to know which users have permission for a specific role.
The RoleHierarchy service cannot make decisions; it only expands roles into all roles granted through the tree. The RoleHierarchyVoter is part of the security manager. Both are private services and thus not intended to be reused in application code.
The simplest solution we could come up with is this code, which we use like this:
    $roleHierarchy = $this->getContainer()->get('acme_demo.security.role_hierarchy_checker');
    foreach ($users as $user) {
        if (!$roleHierarchy->check($user, 'ROLE_DEMO')) {
            continue;
        }
        // do things with the authorized user...
    }
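To show why in_array() on getRoles() gives the wrong answer once a hierarchy is involved, here is an added, dependency-free example. It is not the checker class from this post and not Symfony's own code. The function names, the sample hierarchy and the sample users are all constructed for illustration; the hierarchy map has the same shape as the role_hierarchy section of the security configuration.

```php
<?php
// Added illustration with hypothetical names: what a check($user, $role)
// has to do when roles can grant other roles.

/**
 * Expand directly assigned roles into every role reachable through the
 * hierarchy map (parent role => list of roles it grants).
 */
function reachableRoles(array $hierarchy, array $assigned): array
{
    $seen = [];
    $queue = array_values($assigned);
    while ($queue) {
        $role = array_shift($queue);
        if (isset($seen[$role])) {
            continue; // already expanded; this also terminates cyclic hierarchies
        }
        $seen[$role] = true;
        // A hierarchy entry may be a single role name or a list of names.
        foreach ((array) ($hierarchy[$role] ?? []) as $child) {
            $queue[] = $child;
        }
    }
    return array_keys($seen);
}

/** Decide whether $role is granted, directly or through the hierarchy. */
function isRoleGranted(array $hierarchy, array $assigned, string $role): bool
{
    return in_array($role, reachableRoles($hierarchy, $assigned), true);
}

// Constructed sample data.
$hierarchy = [
    'ROLE_SUPER_ADMIN' => 'ROLE_ADMIN',
    'ROLE_ADMIN'       => ['ROLE_DEMO', 'ROLE_USER'],
];
$users = [
    'alice' => ['ROLE_SUPER_ADMIN'], // gets ROLE_DEMO only via the hierarchy
    'bob'   => ['ROLE_USER'],        // never gets ROLE_DEMO
];

// Compare the naive check with the hierarchy-aware one for each user.
foreach ($users as $name => $roles) {
    $naive = in_array('ROLE_DEMO', $roles, true);
    $full  = isRoleGranted($hierarchy, $roles, 'ROLE_DEMO');
    printf("%-5s naive=%s hierarchy=%s\n", $name, var_export($naive, true), var_export($full, true));
}
```

The strict third argument to in_array() keeps the comparison from matching on loose type juggling, which matters when the result gates access.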
David, what do you think about creating a new DX (Developer Experience) issue in the Symfony repository about this? I've been asked for this same feature some times, so adding it to the core of the framework could be useful for lots of people.