
Where to implement the security filter for dynamic groups

First I'll describe roughly the context. I want to have a symfony application where I can create various areas. In each of the areas, you can have different kinds of users (or roles). Each user can have multiple roles in different areas.

To illustrate the question, we'll define:

  • 2 areas: "Area 1" and "Area 2".
  • 2 users: "User 1" and "User 2".
  • 2 roles: "seller" and "buyer".
  • "User 1" is a seller and a buyer in "Area 1"
  • "User 2" is a seller and a buyer in "Area 1" and a buyer only in "Area 2"

My question is: which is the best way to check in restricted pages if a user belongs to a given area and if he has the required role in that area.

After thinking a bit about it, I have done the following:

  1. When an area is created, I also create one sfGuardGroup per role and one global sfGuardGroup for the area, each suffixed with the area id. So in our example, we'll have the roles:
    • area-1, sellers-1, buyers-1 for area 1
    • area-2, sellers-2, buyers-2 for area 2
  2. The users are added to the relevant groups. So in our example:
    • User 1 will belong to the groups area-1, sellers-1 and buyers-1
    • User 2 will belong to the groups area-1, sellers-1, buyers-1, area-2 and buyers-2
  3. From the URL, I know in which area we are, for instance:
    • http://example.com/area-1/sellers-restricted-page (accessible to users in the group area-1 and sellers-1)
    • http://example.com/area-2/buyers-restricted-page (accessible to users in the group area-2 and buyers-2)
    • http://example.com/area-2/ (accessible to users in the group area-2)

At that point, I am kind of stuck as I cannot make out the best place to implement the permission check: modify the guard filter? Change the actions?


Your required implementation is not supported by sfGuard, so I would recommend creating a new, additional security filter.

You can create a brand new filter that extends sfFilter, then add it into filter.yml after the existing security filter. This means that all existing security functionality provided by sfGuard continues.

You can then determine what area is being requested by looking at the current module name and action name (how you access these differs depending on which version of symfony you are using; look in sfBasicSecurityFilter for a clue), then compare that with the roles that the current user has using sfGuardSecurityUser.

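One way to write the additional filter the answer describes, as an added example (not code from the asker or the answerer): it sits after sfGuard's security filter in the filter chain, derives the area id from the request and the required role from the action name, and checks both against the user's sfGuardGroup memberships. The action names, the `area` route parameter and the file path are assumptions.

```php
<?php
// Assumed location: apps/frontend/lib/areaSecurityFilter.class.php
//
// Registered after the existing security filter in the app's filters.yml
// (filter.yml in symfony 1.0), so sfGuard's own checks still run first:
//
//   security:
//     class: sfGuardBasicSecurityFilter
//   area_security:
//     class: areaSecurityFilter
class areaSecurityFilter extends sfFilter
{
  // Assumed action names mapped to the role group they require in the area.
  // Actions not listed here only require membership of the area group.
  protected static $requiredRole = array(
    'sellersRestrictedPage' => 'sellers',
    'buyersRestrictedPage'  => 'buyers',
  );

  public function execute($filterChain)
  {
    $context = $this->getContext();
    $user    = $context->getUser();     // sfGuardSecurityUser
    $request = $context->getRequest();

    // Assumed: the routing rule exposes the area id as the "area" request
    // parameter, e.g. "url: /area-:area/:action".
    $areaId = (int) $request->getParameter('area');

    if ($areaId > 0 && !$this->userMayAccess($user, $areaId, $context->getActionName()))
    {
      // Same handling as sfBasicSecurityFilter on an insufficient credential:
      // forward to the configured "secure" action and stop the chain.
      $context->getController()->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
      throw new sfStopException();
    }

    $filterChain->execute();
  }

  // Deny by default: the user must be logged in, must be in "area-<id>",
  // and, for role-restricted actions, must also be in "<role>-<id>".
  protected function userMayAccess(sfGuardSecurityUser $user, $areaId, $action)
  {
    if (!$user->isAuthenticated() || !$user->hasGroup('area-'.$areaId))
    {
      return false;
    }
    if (isset(self::$requiredRole[$action]))
    {
      return $user->hasGroup(self::$requiredRole[$action].'-'.$areaId);
    }
    return true;
  }
}
```

With the groups from the question, User 2 passes for /area-2/buyers-restricted-page (area-2 and buyers-2) but is forwarded to the secure action for a sellers page in area 2, since sellers-2 is not among their groups.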
