
advanced / dynamic permissions on sfguard - symfony

I have a symfony project and would like to add a communities feature.

Everyone can open a community as an admin and invite people to join the community.

Admin has more permissions than a regular community user.

The thing is, I want to use Symfony's sfguarduser, sfguardgroup, sfguardpermission

  1. Does it make any sense to use the sfguard architecture for that purpose?
  2. How do I check if a specific user has a specific permission on a specific group?


Hey, this will help you a little ;)

Inside the action :

    class myAccountActions extends sfActions
    {
      public function executeDoThingsWithCredentials()
      {
        $user = $this->getUser();

        // Check if the user has a credential
        echo $user->hasCredential('foo');                      // => true

        // Check if the user has both credentials
        echo $user->hasCredential(array('foo', 'bar'));        // => true

        // Check if the user has one of the credentials
        echo $user->hasCredential(array('foo', 'bar'), false); // => true

        // Remove a credential
        $user->removeCredential('foo');
        echo $user->hasCredential('foo');                      // => false

        // Remove all credentials (useful in the logout process)
        $user->clearCredentials();
        echo $user->hasCredential('bar');                      // => false
      }
    }

Inside the layer :

    <?php if ($sf_user->hasCredential('section3')): ?>
      ....
    <?php endif; ?>

You might consider using in addition :

    if ($user->hasGroup('SOME_GROUP')) {
      // group-specific logic goes here
    }

Source : Symfony inside the layer


Does it make any sense to use the sfguard architecture for that purpose?

Absolutely, but you'll need to fix it up a little bit. By default, Symfony stores credentials on the session, which means that they won't get invalidated until your session expires. This is a big issue when you expect to see an immediate effect by adding someone to a group or granting them a permission.

To fix this, you'll want to do one of the following:

  • Load the credentials on every request, rather than on sign in.
  • When a user's credentials change, invalidate them either via a global cache setting in APC (you are using APC, right?) or a setting on the user's profile.

Either way, you're going to have to get familiar with Symfony and the sfGuardDoctrine user system. Take a look at sfGuardSecurityUser::signIn so you're familiar with how credentials work by default.

How do I check if a specific user has a specific permission on a specific group?

Tristan covered this pretty thoroughly. You'll also want to take a look at the sfDoctrineGuard readme. Note that for any solution in which credential changes happen live for signed-in users, you'll need to override most if not all of the methods listed by Tristan to perform some sort of invalidation.

Also, check out this related question, it may be helpful.
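
An added example, not part of either answer and not sfDoctrineGuardPlugin's own code: one way to implement the first option from the answer above, rebuilding the session credentials from the database once per request so that a revoked permission stops working on the user's next request instead of at session expiry. It assumes the sfDoctrineGuardPlugin methods getGuardUser(), getAllPermissionNames(), getIsActive() and signOut(); the class name myUser, the file path and the refreshCredentials() helper are hypothetical.

```php
<?php
// apps/frontend/lib/myUser.class.php (hypothetical path; added example)
class myUser extends sfGuardSecurityUser
{
  // True once the session credentials were rebuilt during this request.
  protected $credentialsFresh = false;

  // Replace the credentials cached in the session with the permissions
  // currently stored in the database. Runs at most once per request.
  protected function refreshCredentials()
  {
    if ($this->credentialsFresh || !$this->isAuthenticated())
    {
      return;
    }
    $this->credentialsFresh = true;

    $guardUser = $this->getGuardUser();
    if (!$guardUser || !$guardUser->getIsActive())
    {
      // No usable account behind this session (for example, it was
      // deactivated after sign-in): end the session, grant nothing.
      $this->signOut();
      return;
    }

    // Assumption: this mirrors what signIn() does at login, i.e. it copies
    // the user's own and group-inherited permission names into the session.
    $this->clearCredentials();
    $this->addCredentials($guardUser->getAllPermissionNames());
  }

  // Every credential check (actions, templates, security.yml) passes
  // through here, so refreshing first keeps all of them current.
  public function hasCredential($credential, $useAnd = true)
  {
    $this->refreshCredentials();

    return parent::hasCredential($credential, $useAnd);
  }
}
```

This costs one permission lookup per authenticated request; the second option in the answer (invalidating only when a user's credentials change) trades that cost for extra bookkeeping.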
