Access for role by object state in symfony2

How to realize complex access rights asserts for model ? I have a models:

class Unit {
...
}


class Order {
    const STATUS_NEW         = 0;
    const STATUS_NEEDCONFIRM = 1;
    const STATUS_CONFIRMED   = 2;
    const StATUS_CLOSED      = 3;

    /* @Column(name="status", type="smallint") */
    public $status = 0;

    /**
     * @var Doctri开发者_如何学运维ne\Common\Collections\ArrayCollection <Unit>
     *
     * @OneToMany(
     *     targetEntity="Unit",
     *     mappedBy="order",
     *     cascade={"persist", "remove"}
     * )
     */
    public $units;
}

I have a roles: ROLE_MANAGER, ROLE_OPERATOR

Access rights depends on order $status property: ROLE_MANAGER view order in any status. ROLE_OPERATOR can add units and view orders only with STATUS_NEEDCONFIRM

Status changes: ROLE_MANAGER can switch order status only from STATUS_NEW to STATUS_NEEDCONFIRM and STATUS_CONFIRMED to STATUS_CLOSED

ROLE_OPERATOR can switch order status only from STATUS_NEEDCONFIRM to STATUS_CONFIRMED, if order units count > 0

There is workflow modules or examples for symfony2 ?

I would probably create a service that takes Order and User entities, knows how to determine which roles have permissions in which statuses, and returns true or false for allowed or denied.

You could use the ACL system, but it's pretty sparsely documented right now as far as extensive usage goes. If you go that route, you would need to update the ACEs when the status changed to give (or take) proper permissions, and for that, you're again probably looking at a service of some sort.