cleanup: use roles constants

Author: COil

config/packages/security.yaml

@@ -67,10 +67,11 @@ security:
     access_control:
         # this is a catch-all for the admin area
         # additional security lives in the controllers
-        - { path: '^/(%app_locales%)/admin', roles: ROLE_ADMIN }
+        - { path: '^/(%app_locales%)/admin', roles: !php/const App\Entity\User::ROLE_ADMIN }
 
+    # The ROLE_ADMIN role inherits from the ROLE_USER role
     role_hierarchy:
-        ROLE_ADMIN: ROLE_USER
+        !php/const App\Entity\User::ROLE_ADMIN: !php/const App\Entity\User::ROLE_USER
 
 when@test:
     # this configuration simplifies testing URLs protected by the security mechanism

config/packages/twig.yaml

@@ -4,6 +4,12 @@ twig:
         - 'form/layout.html.twig'
         - 'form/fields.html.twig'
 
+    # These variables are now available in all Twig templates
+    globals:
+        # We can use PHP constants from the application thanks to the !php/const sintaxis.
+        ROLE_USER: !php/const App\Entity\User::ROLE_USER
+        ROLE_ADMIN: !php/const App\Entity\User::ROLE_ADMIN
+
 when@test:
     twig:
         strict_variables: true

src/Command/AddUserCommand.php

@@ -189,7 +189,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         $user->setFullName($fullName);
         $user->setUsername($username);
         $user->setEmail($email);
-        $user->setRoles([$isAdmin ? 'ROLE_ADMIN' : 'ROLE_USER']);
+        $user->setRoles([$isAdmin ? User::ROLE_ADMIN : User::ROLE_USER]);
 
         // See https://symfony.com/doc/5.4/security.html#registering-the-user-hashing-passwords
         $hashedPassword = $this->passwordHasher->hashPassword($user, $plainPassword);

src/Controller/Admin/BlogController.php

@@ -38,7 +38,7 @@
  * @author Javier Eguiluz <[email protected]>
  */
 #[Route('/admin/post')]
-#[IsGranted('ROLE_ADMIN')]
+#[IsGranted(User::ROLE_ADMIN)]
 class BlogController extends AbstractController
 {
     /**

src/Controller/UserController.php

@@ -31,7 +31,7 @@
  *
  * @author Romain Monteil <[email protected]>
  */
-#[Route('/profile'), IsGranted('ROLE_USER')]
+#[Route('/profile'), IsGranted(User::ROLE_USER)]
 class UserController extends AbstractController
 {
     #[Route('/edit', name: 'user_edit', methods: ['GET', 'POST'])]

src/DataFixtures/AppFixtures.php

@@ -103,9 +103,9 @@ private function getUserData(): array
     {
         return [
             // $userData = [$fullname, $username, $password, $email, $roles];
-            ['Jane Doe', 'jane_admin', 'kitten', '[email protected]', ['ROLE_ADMIN']],
-            ['Tom Doe', 'tom_admin', 'kitten', '[email protected]', ['ROLE_ADMIN']],
-            ['John Doe', 'john_user', 'kitten', '[email protected]', ['ROLE_USER']],
+            ['Jane Doe', 'jane_admin', 'kitten', '[email protected]', [User::ROLE_ADMIN]],
+            ['Tom Doe', 'tom_admin', 'kitten', '[email protected]', [User::ROLE_ADMIN]],
+            ['John Doe', 'john_user', 'kitten', '[email protected]', [User::ROLE_USER]],
         ];
     }
 

src/Entity/User.php

@@ -32,6 +32,12 @@
 #[ORM\Table(name: 'symfony_demo_user')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface
 {
+    // we can use constants for roles so we get all usages all over the application
+    // more easyly than doing a search on the "ROLE_" string. It also prevents from
+    // doing typo errors.
+    public const ROLE_USER = 'ROLE_USER';
+    public const ROLE_ADMIN = 'ROLE_ADMIN';
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column(type: Types::INTEGER)]
@@ -118,7 +124,7 @@ public function getRoles(): array
 
         // guarantees that a user always has at least one role for security
         if (empty($roles)) {
-            $roles[] = 'ROLE_USER';
+            $roles[] = self::ROLE_USER;
         }
 
         return array_unique($roles);

templates/base.html.twig

@@ -55,7 +55,7 @@
                                         </a>
                                     </li>
 
-                                    {% if is_granted('ROLE_ADMIN') %}
+                                    {% if is_granted(ROLE_ADMIN) %}
                                         <li>
                                             <a href="{{ path('admin_post_index') }}">
                                                 <i class="fa fa-lock" aria-hidden="true"></i> {{ 'menu.admin'|trans }}

templates/security/login.html.twig

@@ -67,15 +67,15 @@
                     <tr>
                         <td>john_user</td>
                         <td>kitten</td>
-                        <td><code>ROLE_USER</code> ({{ 'help.role_user'|trans }})</td>
+                        <td><code>{{ ROLE_USER }}</code> ({{ 'help.role_user'|trans }})</td>
                         <td>
                             <button class="btn btn-primary btn-sm" {{ stimulus_action('login', 'prefillJohnUser') }}><i class="fa fa-user"></i></button>
                         </td>
                     </tr>
                     <tr>
                         <td>jane_admin</td>
                         <td>kitten</td>
-                        <td><code>ROLE_ADMIN</code> ({{ 'help.role_admin'|trans }})</td>
+                        <td><code>{{ ROLE_ADMIN }}</code> ({{ 'help.role_admin'|trans }})</td>
                         <td>
                             <button class="btn btn-primary btn-sm" {{ stimulus_action('login', 'prefillJaneAdmin') }}><i class="fa fa-user"></i></button>
                         </td>