Symfony: Access control expressions reference

On this page

In a nutshell

You can pass an Expression object to the isGranted or denyAccessUnlessGranted methods like so:

// src/Controller/MyController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Response;

class SomeController extends AbstractController
{
    public function index(): Response
    {
        $this->denyAccessUnlessGranted(new Expression(
            '"ROLE_ADMIN" in role_names or (is_authenticated() and user.isSuperAdmin())'
        ));

        // ...
    }
}

Inside the expression, you have access to a number of variables:

Variable	Description
`user`	The user object (or the string `anon` if you’re not authenticated).
`role_names`	An array of strings representing the user’s roles.
`object`	The object (if any) that’s passed as the second argument to `isGranted()`.
`subject`	Alias for `object`.
`token`	The token object (what is this?)

Sources

Security: Complex Access Controls with Expressions – Symfony docs

Tagged: Symfony