Access granting in a Sylius’ way – RBAC plugin is finally here!

Warning! Our RBAC Plugin described below has been deprecated.

We focus on developing advanced user permissions within Sylius Plus.


Hello everyone! Today I’m going to discuss one of the most crucial tasks from the Sylius Roadmap, which has turned into an official open source Sylius plugin. According to our community feedback, role-based access control in the administration panel was considered one of the biggest missing features in Sylius. Well, to put things straight – it’s not a missing feature anymore – here comes the RBAC Plugin!

 

What is RBAC Plugin?

RBAC Plugin is the newest Sylius open source extension delivered by the Sylius Core Team. Its features are listed below:

  • Creating administration roles in the admin panel
  • Choosing read and write (including update) permissions for each section in the admin panel while creating a role
  • Assigning an administration role to an administrator (one-to-many relation)
  • Choosing the root administrator from the command line
  • Plugin setup command assigning No Sections Access role to all administrators except the root
  • Being able to add custom admin panel sections to the plugin’s configuration

How does it work code-wise?

Since the main goal of the plugin is to provide role-based access control in the administration panel, the Sylius Resource that needed to be extended was AdminUser. To make a relationship between AdminUser and AdministrationRole possible in your Sylius-based project, the plugin delivers AdministrationRoleAwareInterface and AdministrationRoleTrait – a piece of code that makes your AdminUser entity implement the required interface. Your overridden entity using the mentioned trait and implementing AdministrationRoleAwareInterface would look like this:

One might ask how the plugin decides whether the currently logged-in administrator should be able to access a given section. First of all, we’ve implemented a Symfony KernelEvent listener that checks whether the requested path is prefixed with admin-related keywords. If so, depending on the request method, the plugin determines whether the administrator needs read or write access. Then, using the route name, it checks whether the currently logged-in administrator has access to the given section.

 

If the KernelEvent passes all of the constraints mentioned above, access to the given section is granted to the administrator. Otherwise, the administrator is redirected to the previously visited page and informed that access cannot be granted.
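
The decision flow described above, as a standalone PHP sketch. It is an added example, not the plugin's own code: the section names, route prefixes, the `/admin` path check, the rule that GET and HEAD count as read, and the deny-by-default for unmapped routes are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample mapping (section => route-name prefixes); not the plugin's real configuration.
const SECTIONS = [
    'catalog'   => ['sylius_admin_product', 'sylius_admin_taxon'],
    'customers' => ['sylius_admin_customer'],
];

/** Assumption: safe HTTP methods need "read", every other method needs "write". */
function requiredOperation(string $method): string
{
    return in_array(strtoupper($method), ['GET', 'HEAD'], true) ? 'read' : 'write';
}

/** Resolve the admin section a route name belongs to, or null when none matches. */
function sectionForRoute(string $route): ?string
{
    foreach (SECTIONS as $section => $prefixes) {
        foreach ($prefixes as $prefix) {
            if (strpos($route, $prefix) === 0) {
                return $section;
            }
        }
    }
    return null;
}

/** @param array<string, string[]> $permissions section => operations granted by the role */
function isAccessGranted(string $path, string $method, string $route, array $permissions): bool
{
    // Match "/admin" or "/admin/..." only, so "/administrator-x" is not treated as admin.
    if ($path !== '/admin' && strpos($path, '/admin/') !== 0) {
        return true; // not an admin request: outside the scope of this check
    }
    $section = sectionForRoute($route);
    if ($section === null) {
        return false; // assumption of this sketch: unmapped admin routes are denied
    }
    return in_array(requiredOperation($method), $permissions[$section] ?? [], true);
}

$catalogReader = ['catalog' => ['read']]; // constructed role: read-only access to the catalog
var_dump(isAccessGranted('/admin/products/', 'GET', 'sylius_admin_product_index', $catalogReader));
var_dump(isAccessGranted('/admin/products/new', 'POST', 'sylius_admin_product_create', $catalogReader));
var_dump(isAccessGranted('/admin/customers/', 'GET', 'sylius_admin_customer_index', $catalogReader));
```

Run with the PHP CLI: the read-only catalog role is granted only the first request, while the write to the catalog and the read of a section the role does not cover are both refused.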

How to get it?

I bet that it is not surprising that the plugin is free, open source and available on GitHub. However, there’s still something to add here. The RBAC Plugin delivered by the Sylius Core Team offers just a basic set of solutions for common RBAC-related problems. 

Alternatives

The team at BitBag, one of our fantastic Solution Partners, has developed a paid plugin, which takes a slightly different approach to the management of roles and permissions. It allows for hierarchical permission and role management. We encourage you to check it out as well. You can do so by going to their shop here.

Happy access granting!
