Role Handler isGranted usage in parent Admin Class not working #2605

Closed
webdevilopers opened this issue Dec 8, 2014 · 4 comments

@webdevilopers
Contributor

I have a parent Admin Class Contract and a child Admin Class Bundle.

My roles are working correctly

role_hierarchy:
    ROLE_ADMIN:
        - ROLE_SONATA_ADMIN_CONTRACT_LIST
        - ROLE_SONATA_ADMIN_BUNDLE_LIST
    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN 

when calling the links separately:

Now I am trying to link both lists:

        if ($this->isGranted('ROLE_SONATA_ADMIN_BUNDLE_LIST')) {
            $listMapper
                ->add('_action', 'actions', array(
                    'actions' => array(
                        'show' => array(),
                        'edit' => array(),
                        'show_bundles' => array('template' => 'AcmeContractBundle:ContractAdmin:list__bundles.html.twig'),
                    ))
                )
            ;
        }

but the link does not appear. Is isGranted limited to the ROLEs on the current Admin Class e.g. LIST, SHOW etc?

Using the securityContext would work:

if ($this->securityContext->isGranted('ROLE_SONATA_ADMIN_BUNDLE_LIST')) {

I'm wondering because the docs mentions a similar EMAIL example:
You can also create your own permissions, for example EMAIL (which will turn into role ROLE_SONATA_ADMIN_DEMO_FOO_EMAIL).
http://sonata-project.org/bundles/admin/master/doc/reference/security.html#usage

My complete code:

Possibly related issues:

@core23
Member

core23 commented Feb 13, 2016

Ping @webdevilopers

@webdevilopers
Contributor Author

I'm no longer maintaining the project with the example. Will close issue for now but keep an eye on it. I have a similar project coming up.

@webdevilopers
Contributor Author

It may be an old issue but I stumbled upon something similar again.
I think this issue is created due to the fact that the internal admin class method "isGranted" only checks sonata roles and NOT the inherited roles from the hierarchy.

As mentioned here by @MaxDamage:

Generic, non-entity roles, like ROLE_USER, ROLE_ADMIN, ROLE_SUPER_ADMIN, ROLE_{CUSTOM_STRING} should be checked using the default Symfony security context.
Entity actions roles like ROLE_SONATA_USER_ADMIN_USER_LIST, ROLE_SONATA_USER_ADMIN_USER_VIEW, ROLE_{CUSTOM_SONATA_ADMIN_SERVICE_NAME}_{ACTION} can be checked using the Sonata Admin helper or the Symfony security context.

@kunicmarko20
Contributor

We should add support for both Sonata and Symfony roles.

public function isGranted(AdminInterface $admin, $attributes, $object = null)
{
    if (!is_array($attributes)) {
        $attributes = [$attributes];
    }
    foreach ($attributes as $pos => $attribute) {
        $attributes[$pos] = sprintf($this->getBaseRole($admin), $attribute);
    }
    $allRole = sprintf($this->getBaseRole($admin), 'ALL');
    try {
        return $this->authorizationChecker->isGranted($this->superAdminRoles)
            || $this->authorizationChecker->isGranted($attributes, $object)
            || $this->authorizationChecker->isGranted([$allRole], $object);
    } catch (AuthenticationCredentialsNotFoundException $e) {
        return false;
    }
}

The foreach adds the Sonata prefix for roles, so maybe we can check before it.
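
The prefixing discussed in this thread, as an added example that is not Sonata's code or any participant's: a stand-alone PHP model, with a constructed stub in place of Symfony's authorization checker, of what the admin-level check tests when it is handed a full role name, plus a sketch of the "check before it" idea. The base role format, the function names and the user's roles are assumptions; the super-admin and ALL checks of the quoted method are left out.

```php
<?php
// Constructed data: the role_hierarchy from the issue and a user holding ROLE_ADMIN.
const HIERARCHY = [
    'ROLE_ADMIN' => ['ROLE_SONATA_ADMIN_CONTRACT_LIST', 'ROLE_SONATA_ADMIN_BUNDLE_LIST'],
    'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN'],
];
const USER_ROLES = ['ROLE_ADMIN'];

// Stub for the authorization checker (hypothetical helper): true if any
// attribute is reachable from the user's roles through the hierarchy.
function checkerIsGranted(array $attributes): bool
{
    $reachable = [];
    $queue = USER_ROLES;
    while ($queue !== []) {
        $role = array_pop($queue);
        if (!isset($reachable[$role])) {
            $reachable[$role] = true;
            foreach (HIERARCHY[$role] ?? [] as $child) {
                $queue[] = $child;
            }
        }
    }
    return array_intersect($attributes, array_keys($reachable)) !== [];
}

// Mirrors the prefixing loop in the method quoted above: every attribute is
// formatted into the admin's base role before it reaches the checker.
function prefixedIsGranted(string $baseRole, array $attributes): bool
{
    $prefixed = array_map(fn (string $a): string => sprintf($baseRole, $a), $attributes);
    return checkerIsGranted($prefixed);
}

// Sketch of "check before it": attributes that already are full role names
// go to the checker unchanged; short action names are still prefixed.
function isGrantedWithPlainRoles(string $baseRole, array $attributes): bool
{
    $plain = array_filter($attributes, fn (string $a): bool => strpos($a, 'ROLE_') === 0);
    return ($plain !== [] && checkerIsGranted($plain))
        || prefixedIsGranted($baseRole, array_diff($attributes, $plain));
}

$base = 'ROLE_SONATA_ADMIN_CONTRACT_%s'; // assumed base role of the Contract admin
var_dump(prefixedIsGranted($base, ['LIST'])); // tests ROLE_SONATA_ADMIN_CONTRACT_LIST
// Next call tests ROLE_SONATA_ADMIN_CONTRACT_ROLE_SONATA_ADMIN_BUNDLE_LIST, a role nobody holds.
var_dump(prefixedIsGranted($base, ['ROLE_SONATA_ADMIN_BUNDLE_LIST']));
var_dump(isGrantedWithPlainRoles($base, ['ROLE_SONATA_ADMIN_BUNDLE_LIST']));
var_dump(isGrantedWithPlainRoles($base, ['DELETE'])); // still scoped to the Contract admin
```

The prefixed check fails closed: a full role name passed to it is denied rather than granted, which is why the link is hidden instead of shown to the wrong user.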
