Allow only Pimcore admins to access custom route

Hi!

I’ve created a bundle that adds a couple of admin features via custom menu options and custom route endpoints. Now I want to prevent these from being accessed by random users by denying access to everyone but admins.

Is there an easy way to get access to the user object and check if it’s an admin? Or do I use Symfony security firewalls and access the Pimcore admin role that way?

Currently I’ve gained access to the current user through the Session class but this feels hacky. I’ve then put this in an auth method that I run before all the endpoint actions.

use Pimcore\Model\User;
use Pimcore\Tool\Session;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
// Admin user as stored in the Pimcore admin session bag
$user = Session::get()->get('user');

if (!$user instanceof User) {
	throw new AccessDeniedHttpException("You need to be admin to access this feature");
}

// "admin" is a protected property on User; use the accessor
if (!$user->isAdmin()) {
	throw new AccessDeniedHttpException("You need to be admin to access this feature");
}

Thanks!

  1. Extend your Controller from \Pimcore\Bundle\AdminBundle\Controller\AdminController
  2. Get User: $this->getAdminUser()
  3. Check for a certain permission: $user->isAllowed('my_bundle_permission_name')

Admin Users always have all permissions.

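The three steps above put together as a complete controller. This is an added example, not code from the thread or from Pimcore itself: the namespace MyVendor\MyBundle, the route paths, the permission key my_bundle_permission_name and the annotation-based routing are assumptions for illustration, and the permission key must already be registered in Pimcore (for example by the bundle installer) for isAllowed() to return true for a non-admin user.

```php
<?php
// Added example (not the thread's or Pimcore's own code).
// Assumptions: bundle namespace, route paths and permission key are invented;
// routes under /admin are covered by Pimcore's admin firewall, which is what
// makes getAdminUser() return the logged-in backend user.

namespace MyVendor\MyBundle\Controller;

use Pimcore\Bundle\AdminBundle\Controller\AdminController;
use Pimcore\Model\User;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/admin/my-bundle")
 */
class FeatureController extends AdminController
{
    // Hypothetical permission key registered by the bundle
    private const PERMISSION = 'my_bundle_permission_name';

    /**
     * Returns the current backend user if it holds $permission, otherwise denies.
     *
     * getAdminUser() is null when no backend session exists (or the route sits
     * outside the admin firewall), so that case is refused instead of trusted.
     * Admin users pass isAllowed() for every key; other users need the
     * permission assigned directly or through one of their roles.
     */
    private function requirePermission(string $permission): User
    {
        $user = $this->getAdminUser();
        if (!$user instanceof User) {
            throw new AccessDeniedHttpException('Backend login required');
        }
        if (!$user->isAllowed($permission)) {
            throw new AccessDeniedHttpException(
                sprintf('Permission "%s" required', $permission)
            );
        }
        return $user;
    }

    /**
     * Action available to anyone holding the bundle permission.
     *
     * @Route("/report", name="my_bundle_report", methods={"GET"})
     */
    public function reportAction(Request $request): JsonResponse
    {
        $user = $this->requirePermission(self::PERMISSION);

        return new JsonResponse([
            'success' => true,
            'user'    => $user->getName(),
            'filter'  => $request->query->get('filter', ''),
        ]);
    }

    /**
     * Action restricted to full admins only (isAdmin() rather than a permission key).
     *
     * @Route("/purge", name="my_bundle_purge", methods={"POST"})
     */
    public function purgeAction(): JsonResponse
    {
        $user = $this->requirePermission(self::PERMISSION);
        if (!$user->isAdmin()) {
            throw new AccessDeniedHttpException('Admin users only');
        }

        return new JsonResponse(['success' => true]);
    }
}
```

Doing the check per action (or in one private helper called at the top of every action, as here) keeps it out of the session layer entirely; the controller never touches Session and there is nothing to forget when a new endpoint is added later, as long as each action calls the helper first.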

Thanks a lot, Dominik!

It appears I spoke too early… :see_no_evil: