@Security & @IsGranted

Usage

The @Security and @IsGranted annotations restrict access on controllers:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted; class PostController extends Controller { /** * @IsGranted("ROLE_ADMIN") * * or use @Security for more flexibility: * * @Security("is_granted('ROLE_ADMIN') and is_granted('ROLE_FRIENDLY_USER')") */ public function index() { // ... } }

1 2 3 4 5 6 7 8 9 10 11 12 13

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security; use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted; class PostController extends Controller { #[IsGranted('ROLE_ADMIN')] /** or use Security attribute */ #[Security("is_granted('ROLE_ADMIN') and is_granted('ROLE_FRIENDLY_USER')")] public function index() { // ... } }

@IsGranted

The @IsGranted() annotation is the simplest way to restrict access. Use it to restrict by roles, or use custom voters to restrict access based on variables passed to the controller:

1 2 3 4 5 6 7 8 9

/** * @Route("/posts/{id}") * * @IsGranted("ROLE_ADMIN") * @IsGranted("POST_SHOW", subject="post") */ public function show(Post $post) { }

1 2 3 4 5 6

#[Route('/posts/{id}')] #[IsGranted('ROLE_ADMIN')] #[IsGranted('POST_SHOW', subject: 'post')] public function show(Post $post) { }

Each IsGranted() must grant access for the user to have access to the controller.

You can also control the message and status code:

1 2 3 4 5 6 7 8 9 10 11 12

/** * Will throw a normal AccessDeniedException: * * @IsGranted("ROLE_ADMIN", message="No access! Get out!") * * Will throw an HttpException with a 404 status code: * * @IsGranted("ROLE_ADMIN", statusCode=404, message="Post not found") */ public function show(Post $post) { }

1 2 3 4 5 6 7

/** Will throw a normal AccessDeniedException */ #[IsGranted('ROLE_ADMIN', message: 'No access! Get out!')] /** Will throw an HttpException with a 404 status code */ #[IsGranted('ROLE_ADMIN', statusCode: 404, message: 'Post not found')] public function show(Post $post) { }

@Security

The @Security annotation is more flexible than @IsGranted: it allows you to pass an expression that can contain custom logic:

1 2 3 4 5 6 7

/** * @Security("is_granted('ROLE_ADMIN') and is_granted('POST_SHOW', post)") */ public function show(Post $post) { // ... }

1 2 3 4 5

#[Security("is_granted('ROLE_ADMIN') and is_granted('POST_SHOW', post)")] public function show(Post $post) { // ... }

The expression can use all functions that you can use in the access_control section of the security bundle configuration, with the addition of the is_granted() function.

The expression has access to the following variables:

• token: The current security token;
• user: The current user object;
• request: The request instance;
• roles: The user roles;
• and all request attributes.

You can throw an Symfony\Component\HttpKernel\Exception\HttpException exception instead of Symfony\Component\Security\Core\Exception\AccessDeniedException using the statusCode option:

1 2 3 4 5 6

/** * @Security("is_granted('POST_SHOW', post)", statusCode=404) */ public function show(Post $post) { }

1 2 3 4

#[Security("is_granted('POST_SHOW', post)", statusCode: 404)] public function show(Post $post) { }

The message option allows you to customize the exception message:

1 2 3 4 5 6

/** * @Security("is_granted('POST_SHOW', post)", statusCode=404, message="Resource not found.") */ public function show(Post $post) { }

1 2 3 4

#[Security("is_granted('POST_SHOW', post)", statusCode: 404, message: 'Resource not found.')] public function show(Post $post) { }