How to Secure any Service or Method in your Application
In the security article, you learned how to secure a controller via a shortcut method.
But, you can check access anywhere in your code by injecting the Security
service. For example, suppose you have a SalesReportManager
service and you want to include extra details only for users that have a ROLE_SALES_ADMIN
role:
// src/Newsletter/NewsletterManager.php
// ...
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+ use Symfony\Component\Security\Core\Security;
class SalesReportManager
{
+ private $security;
+ public function __construct(Security $security)
+ {
+ $this->security = $security;
+ }
public function sendNewsletter()
{
$salesData = [];
+ if ($this->security->isGranted('ROLE_SALES_ADMIN')) {
+ $salesData['top_secret_numbers'] = rand();
+ }
// ...
}
// ...
}
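Review bot: the path comment at the top of this sample (src/Newsletter/NewsletterManager.php) and the method name sendNewsletter() do not match the class being changed, SalesReportManager; rename both so readers apply the role check in the right file and method. The AccessDeniedException import is not used by any visible line and can be dropped unless the elided code throws it. The isGranted('ROLE_SALES_ADMIN') guard is the right shape: the sensitive key is added only inside the check, so a user without the role never receives it.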
If you’re using the default services.yaml configuration, Symfony will automatically pass the security.helper
to your service thanks to autowiring and the Security
type-hint.
You can also use a lower-level Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface
service. It does the same thing as Security, but allows you to type-hint a more-specific interface.
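The following is an added example, not code from the Symfony documentation: it type-hints AuthorizationCheckerInterface in the service and uses a small test double to confirm that the sensitive field is left out when the role is not granted. The method name buildReport(), the helper checkerGranting(), the sample values, and the Composer autoloader path are assumptions made for illustration.

```php
<?php
// Added example. Requires the symfony/security-core package.
require __DIR__.'/vendor/autoload.php'; // assumption: Composer autoloader location

use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

class SalesReportManager
{
    private $authorizationChecker;

    public function __construct(AuthorizationCheckerInterface $authorizationChecker)
    {
        $this->authorizationChecker = $authorizationChecker;
    }

    // Hypothetical method name; returns the data that would go into the report.
    public function buildReport(): array
    {
        $salesData = ['total_orders' => 42]; // constructed sample value

        // The sensitive key is added only after an explicit grant.
        if ($this->authorizationChecker->isGranted('ROLE_SALES_ADMIN')) {
            $salesData['top_secret_numbers'] = random_int(0, 1000);
        }

        return $salesData;
    }
}

// Hypothetical test double: grants only the attributes listed in $roles.
function checkerGranting(array $roles): AuthorizationCheckerInterface
{
    return new class($roles) implements AuthorizationCheckerInterface {
        private $roles;
        public function __construct(array $roles) { $this->roles = $roles; }
        public function isGranted($attribute, $subject = null): bool
        {
            return in_array($attribute, $this->roles, true);
        }
    };
}

$admin = (new SalesReportManager(checkerGranting(['ROLE_SALES_ADMIN'])))->buildReport();
$clerk = (new SalesReportManager(checkerGranting(['ROLE_USER'])))->buildReport();

// Verify both the allow path and the deny path.
if (!array_key_exists('top_secret_numbers', $admin) || array_key_exists('top_secret_numbers', $clerk)) {
    throw new RuntimeException('role check does not gate the sensitive field');
}
echo "sensitive field is present only for ROLE_SALES_ADMIN\n";
```

In the application itself, autowiring supplies the real checker; the test double is only for exercising the deny path in isolation.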
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.