Update roles in security.context without need to logging in again

Question

I use FOSUserBundle in my project. I have a Controller AcmeArticleBundle:Edit which has a route prefix /editor. And in my security.yml I added an access control.

access_control:
    - { path: ^/editor/, role: ROLE_EDITOR }

Now I add ROLE_EDITOR to a user in a controller. But user cannot access AcmeArticleBundle:Edit and security context does not change until logging out and logging in again.

If you want to avoid logging out and back in, you have to manually update the session's token with the new role see https://stackoverflow.com/questions/15084054/symfony-2-1-7-update-security-token-setting-specific-roles-after-the-user-is-a — FuzzyTree, May 13 '14 at 07:51

COil · Answer 1 · 2014-05-13T07:52:15.867

2

You can update the roles manually:

// YourController.php
$roles = $this->getToken()->getUser()->getRoles();
$roles[] = 'ROLE_NEW';
$this->getToken()->getUser()->setRoles($roles);
// Then persist your user entity or the new role will be lost at the next page call

(Code for Symfony2.0 but it should not be very different in 2.4)

edited May 13 '14 at 07:52

answered May 13 '14 at 07:47

COil

7,201
2
50
98

1

My problem is that the action which adds the role to this user is not ran by the same user. – Mohebifar May 13 '14 at 08:04
The roles are reloaded at every request, so if you persist the user entity it should work. – COil May 13 '14 at 08:27

score 0 · Accepted Answer · answered Jun 24 '14 at 09:18

Finally I found the solution. I had to make a new security token and set it as security context.

$user = $this->getUser();
$user->addRole('ROLE_ADMIN');
$this->get('fos_user.user_manager')->updateUser($user);
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$this->get('security.context')->setToken($token);

Update roles in security.context without need to logging in again

2 Answers2

Linked