Roadiz security system

Roadiz uses Symfony's security component to manage user authentication and authorization. It provides an administrable User entity that implements UserInterface and PasswordAuthenticatedUserInterface, and an administrable Group entity to manage roles in bulk. This User entity can be used behind a classic session firewall, for API authentication with JWT tokens, or even with OpenID (an OpenID user must match a local user). The user providers below are declared in config/packages/security.yaml; the chain provider lets one firewall resolve a username against local users first and OpenID accounts second.

```yaml
# config/packages/security.yaml
security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        jwt:
            lexik_jwt: ~
        openid_user_provider:
            id: RZ\Roadiz\OpenId\Authentication\Provider\OpenIdAccountProvider
        roadiz_user_provider:
            entity:
                class: RZ\Roadiz\CoreBundle\Entity\User
                property: username
        all_users:
            chain:
                providers: [ 'roadiz_user_provider', 'openid_user_provider' ]
```

Built-in roles

Roadiz comes with a set of built-in roles that can be used to manage access control in your back-office. These roles are defined in the config/packages/security.yaml file. Roles marked "feature flag" only gate access to a specific field or action that is otherwise hidden.

| Role name | Description |
|---|---|
| ROLE_SUPERADMIN | Inherits all roles in the application |
| ROLE_BACKEND_USER | Only grants access to the back-office and the user's own account |
| ROLE_ACCESS_VERSIONS | Grants tags, documents and nodes-sources versioning |
| ROLE_ACCESS_ATTRIBUTES | Grants attributes creation and updates |
| ROLE_ACCESS_ATTRIBUTES_DELETE | Grants attributes deletion |
| ROLE_ACCESS_CUSTOMFORMS | Grants custom-forms creation, updates and answers management |
| ROLE_ACCESS_CUSTOMFORMS_RETENTION | Grants access to the custom-forms maximum retention date (feature flag) |
| ROLE_ACCESS_CUSTOMFORMS_DELETE | Grants custom-forms deletion |
| ROLE_ACCESS_DOCTRINE_CACHE_DELETE | Grants the server caches clearing action |
| ROLE_ACCESS_DOCUMENTS | Grants documents uploading, embedding, updating and folders |
| ROLE_ACCESS_DOCUMENTS_LIMITATIONS | Grants access to documents copyright validation dates (feature flag) |
| ROLE_ACCESS_DOCUMENTS_DELETE | Grants documents deletion |
| ROLE_ACCESS_DOCUMENTS_CREATION_DATE | Grants access to the document creation date (feature flag) |
| ROLE_ACCESS_GROUPS | Grants user groups management |
| ROLE_ACCESS_NODE_ATTRIBUTES | Grants nodes attributes management (feature flag) |
| ROLE_ACCESS_NODES | Grants nodes-sources creation and edition |
| ROLE_ACCESS_NODES_DELETE | Grants nodes and nodes-sources deletion |
| ROLE_ACCESS_NODES_SETTING | Grants nodes settings edition and position in the tree |
| ROLE_ACCESS_NODES_STATUS | Grants node publication (status) |
| ROLE_ACCESS_NODETYPES | Grants node-types decoration and access definitions (TypeScript) |
| ROLE_ACCESS_REDIRECTIONS | Grants access to redirections |
| ROLE_ACCESS_SETTINGS | Grants access to settings |
| ROLE_ACCESS_TAGS | Grants tags creation and updates, and nodes tagging |
| ROLE_ACCESS_TAGS_DELETE | Grants tags deletion |
| ROLE_ACCESS_TRANSLATIONS | Grants translations management |
| ROLE_ACCESS_USERS | Grants users administration |
| ROLE_ACCESS_USERS_DELETE | Grants users deletion |
| ROLE_ACCESS_USERS_DETAIL | Grants users details edition (feature flag) |
| ROLE_ACCESS_WEBHOOKS | Grants webhooks management |
| ROLE_ACCESS_LOGS | Grants logs access on the dashboard and on nodes history |
| ROLE_ACCESS_REALMS | Grants realms management (creation, update, deletion) |
| ROLE_ACCESS_REALM_NODES | Grants attaching nodes to existing realms |
| ROLE_ACCESS_FONTS | Grants fonts management (optional bundle) |
| ROLE_ALLOWED_TO_SWITCH | Grants the right to impersonate another user (Symfony default) |

Users and groups

You can attach these roles directly to user accounts or create Groups to manage roles in bulk. Prefer groups for anything beyond a handful of users: reviewing a few groups for over-broad roles (such as the *_DELETE ones) is far easier than auditing every account.

Custom voters

Node and NodesSources voter

We recommend using the NodeVoter to check permissions on nodes and nodes-sources in controllers and API operations rather than testing ROLE_* strings directly, because the voter also supports the user chroot feature (a bare role check does not know which part of the tree a user is confined to). This voter lets you check permissions on nodes and nodes-sources with the following actions:

  • CREATE
  • DUPLICATE
  • CREATE_AT_ROOT
  • SEARCH
  • READ
  • READ_AT_ROOT
  • EMPTY_TRASH
  • READ_LOGS
  • EDIT_CONTENT
  • EDIT_TAGS
  • EDIT_REALMS
  • EDIT_SETTING
  • EDIT_STATUS
  • EDIT_ATTRIBUTE
  • DELETE

```php
use RZ\Roadiz\CoreBundle\Security\Authorization\Voter\NodeVoter;

// ... inside a controller extending Symfony's AbstractController

$this->denyAccessUnlessGranted(NodeVoter::EDIT_CONTENT, $node);
```
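The helper below is an added example written for this page, not code from Roadiz. It shows how to drive every per-node decision through the NodeVoter instead of scattering ROLE_* checks: one method reports which of the actions listed above the current user may perform on a given node (handy for exposing exactly the allowed operations in an API response or UI), and another enforces a set of actions at once for operations that touch several permissions. It assumes only the NodeVoter attribute constants listed above, Roadiz's Node entity and Symfony's AuthorizationCheckerInterface; the class name NodeCapabilities, its methods and the App\Security namespace are hypothetical. CREATE, CREATE_AT_ROOT, READ_AT_ROOT, SEARCH and EMPTY_TRASH are left out because this page does not document what subject, if any, they expect.

```php
<?php

declare(strict_types=1);

namespace App\Security;

use RZ\Roadiz\CoreBundle\Entity\Node;
use RZ\Roadiz\CoreBundle\Security\Authorization\Voter\NodeVoter;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

/**
 * Hypothetical helper (not part of Roadiz): answers "what may the current user
 * do with this node?" by asking the NodeVoter for each action, so callers never
 * re-derive that logic from raw ROLE_* checks and chroot is honoured everywhere.
 */
final class NodeCapabilities
{
    /** Actions from the list above that take a Node as voter subject. */
    private const NODE_ACTIONS = [
        NodeVoter::READ,
        NodeVoter::READ_LOGS,
        NodeVoter::DUPLICATE,
        NodeVoter::EDIT_CONTENT,
        NodeVoter::EDIT_TAGS,
        NodeVoter::EDIT_REALMS,
        NodeVoter::EDIT_SETTING,
        NodeVoter::EDIT_STATUS,
        NodeVoter::EDIT_ATTRIBUTE,
        NodeVoter::DELETE,
    ];

    public function __construct(
        private readonly AuthorizationCheckerInterface $authorizationChecker,
    ) {
    }

    /**
     * Map each per-node action to whether the voter grants it for $node.
     *
     * @return array<string, bool> e.g. [NodeVoter::EDIT_CONTENT => true, NodeVoter::DELETE => false]
     */
    public function forNode(Node $node): array
    {
        $granted = [];
        foreach (self::NODE_ACTIONS as $action) {
            // Same call a controller makes through denyAccessUnlessGranted(),
            // so the answer matches what the back-office would enforce.
            $granted[$action] = $this->authorizationChecker->isGranted($action, $node);
        }

        return $granted;
    }

    /**
     * Enforce several actions at once, e.g. an API operation that both edits
     * content and changes publication status: every attribute must be granted.
     * The exception message stays generic so a 403 does not enumerate which
     * permission the caller is missing.
     */
    public function requireAll(Node $node, string ...$actions): void
    {
        foreach ($actions as $action) {
            if (!$this->authorizationChecker->isGranted($action, $node)) {
                throw new AccessDeniedException('Access denied.');
            }
        }
    }
}
```

Inject the service into a controller or an API Platform state processor and call `$this->capabilities->requireAll($node, NodeVoter::EDIT_CONTENT, NodeVoter::EDIT_STATUS);` before mutating the node; `forNode($node)` can be serialized next to the node payload so a client only renders the buttons the server would actually accept.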