I am struggling with a seemingly simple issue around firewalls and user providers in Symfony 4.4.
I am using two firewalls and user providers for different user groups.
On my homepage, I want to spare logged-in users the marketing page and redirect them to the logged-in area immediately. So I need to check whether the browser is already logged in to either one of the firewalls. If yes, redirect to a specific page in the login area.
Here's what's happening though:
I tried to create a firewall using a chained user provider for the homepage, but it cannot access the logged in users from the other firewalls. The user is always null.
So my question is:
How can I check if a user is logged in to a firewall/user provider that does not apply to the page I am currently on?
On my site I have users that I manage with FOSUserBundle.
I am using the "enabled" attribute, which is part of the FOSUser model.
However, when one of my users is disabled, they can no longer log in. They get the message "Your account is disabled".
However, on my site, when a user is disabled, I want to give him the opportunity to log in and view certain pages of the site.
How can I remove this ban on logging in after deactivation? Thank you
EDIT:
On my site, the notion of disabled user is different.
A "disabled" user on my site will just lose the ability to use the site normally. He will only have access to his "My Account" space, where he can submit another request to reactivate his account, which will be reviewed by the administrator.
He will then receive an email from the administrator with his answer. If his request is accepted, his account will be reactivated and he will be able to use all the functionalities of the site again.
That's why I do not want FOSUserBundle to block login when the user is disabled.
Let me explain my problem: I want to develop an e-shop in Symfony, but I don't know how to configure firewalls. Normally I use a firewall to restrict access to secured areas, like the administration pages, but this time some pages should be accessible without login, and in case the user logs in, I want to get his info on those pages.
I can use two firewalls with different providers, one for admins and another for users. But how do I set up security so that the user's data is accessible on pages that are not under a firewall?
Thank you in advance.
That is not what Symfony firewalls are for. Firewalls are for access validation, not view validation.
You want to check the user (if logged in) in the view and show the data.
If the data changes depending on the user (e.g. different prices), you'll have to check the user inside the controller.
I'm working on a project where users can park their own domain on the main site, which then redirects to the user's profile. Something like a personal site.
masterdomain.com
masterdomain.com/username1
usersdomain.com == masterdomain.com/username1
And basically every user can do such a domain redirect and create their site.
In the project users can follow, chat, comment and do other things while logged in.
The problem is that the login is tied to a particular domain name, so if I go to another user's site or to masterdomain.com I lose the session...
Is this even possible to solve, and if so, how could it be done? Maybe it's possible to set a cookie for an IP address?
I'm building a SaaS with Symfony 2. Currently I'm adding registration of users to the application, but I don't know how to start.
I have no problems with basic user registration and login; my problem is different: when a user logs into the system, he must fill in his company information. Even if the user goes to another URL, he must be redirected to the company information screen and cannot continue until he fills in the company data. And the truth is that I have no idea how to do this.
Can you help me, please? I know that I can add some checks to all of the controllers, but this is just an ugly hack...
If the company information is important, add those fields to the register page. Don't create the account until all fields are filled.
Hard to answer without knowing anything about your application architecture. There's more than one way to do it.
One possible solution would be: as long as the user has not fully filled out all the required information, his account is locked, so whenever he tries to reach another URL access is denied (so essentially you've got three user states in your database or session storage or whatever) unless he goes to his profile page and fills out all the required information.
If he does so, his status changes to a "fully valid" user and he can log in and browse the site however he likes.
So you don't have to check it on every page - just check if the user is logged in, locked or logged out.
If you have some kind of groups or roles in your application you could put your user into an "invalid" or "notcomplete" group which has basically no access to the application's pages.
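One way to implement the "locked until the profile is complete" state described in the answer above without touching every controller: a single kernel.request subscriber. This is an added example, not code from the original question or answers; it assumes Symfony 4.4 (the version from the first question on this page) rather than Symfony 2, and the names `App\Entity\User::isCompanyComplete()`, `company_setup` and `app_logout` are hypothetical.

```php
<?php
// Added example (not from the original posts): a Symfony 4.4 kernel.request
// subscriber that forces users with an incomplete company profile onto the
// onboarding route. Hypothetical names: App\Entity\User::isCompanyComplete(),
// routes "company_setup" (the company form) and "app_logout".

namespace App\EventSubscriber;

use App\Entity\User;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Security;

final class RequireCompanyProfileSubscriber implements EventSubscriberInterface
{
    /** The only routes a locked user may still reach: the form itself and logout. */
    private const ALLOWED_ROUTES = ['company_setup', 'app_logout'];

    private $security;
    private $urlGenerator;

    public function __construct(Security $security, UrlGeneratorInterface $urlGenerator)
    {
        $this->security = $security;
        $this->urlGenerator = $urlGenerator;
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 0: the router listener (32) has set "_route" and the
        // firewall listener (8) has populated the security token by then.
        return [KernelEvents::REQUEST => ['onKernelRequest', 0]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Sub-requests (forward(), ESI) inherit the decision made for the main request.
        if (!$event->isMasterRequest()) {
            return;
        }

        $user = $this->security->getUser();
        if (!$user instanceof User) {
            return; // anonymous: the firewall and access_control decide, not us
        }
        if ($user->isCompanyComplete()) {
            return; // "fully valid" user, nothing to do
        }

        // Locked user. Let through only the allow-listed routes and framework
        // routes such as _wdt/_profiler (they start with an underscore).
        $route = $event->getRequest()->attributes->get('_route');
        if ($route === null || in_array($route, self::ALLOWED_ROUTES, true) || strpos($route, '_') === 0) {
            return;
        }

        // Any other URL: short-circuit the kernel with a redirect to the form.
        $event->setResponse(new RedirectResponse(
            $this->urlGenerator->generate('company_setup')
        ));
    }
}
```

With default autowiring the subscriber is picked up from `src/EventSubscriber/` without extra configuration. The security-relevant property is that the enforcement point is one place, and the only bypass surface is the `ALLOWED_ROUTES` list, so keep that list minimal: the logout route is there so a locked user can still end the session, and nothing else should be.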
On a website I have implemented the login using OpenID (based on StackOverflow).
But I can't seem to logout.
On my host I can log out, but when the user tries to log in again (especially with Google) the authentication goes through without requiring the user to type in a name and password.
How can I indicate to the OpenID Provider that a user is no longer logged into the site?
OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.
User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.
If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID.
There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.
This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.
For now, we have to remember the provider. If it's one we know, we trigger the logout process for it. For Google, the URL is:
https://www.google.com/accounts/Logout
The logout flow is ugly but it does the job.
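The two halves of the flow described in the answers above, local session invalidation plus the optional provider logout, as an added plain-PHP example that is not code from the original answers. It assumes PHP 7.3 or later (for the array form of `setcookie()`), and the session key `openid_provider` is a hypothetical name that the login code is assumed to set (e.g. `'google'`); the only provider URL listed is the Google one quoted in the answer above.

```php
<?php
// Added example (not from the original answers): relying-party logout that
// wipes the local session completely, then returns the provider logout URL
// when the provider is one we know. Assumes PHP >= 7.3; the session key
// 'openid_provider' is a hypothetical name set by the login code.

declare(strict_types=1);

/** Provider logout endpoints we know how to trigger (only Google is listed). */
const PROVIDER_LOGOUT_URLS = [
    'google' => 'https://www.google.com/accounts/Logout',
];

/**
 * Destroys the local session and returns the provider logout URL to send the
 * browser to, or null if the provider is unknown (local logout only).
 */
function logoutLocalSession(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Read what we still need *before* wiping the session.
    $provider = $_SESSION['openid_provider'] ?? null;

    // 1. Clear the server-side state attached to this session ID.
    $_SESSION = [];

    // 2. Expire the session cookie with the same attributes it was set with.
    //    Without this the browser keeps sending the old ID, and a later
    //    session_start() resumes it if the data was not destroyed.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // 3. Destroy the session data on the server so the old ID is worthless
    //    even if a copy of the cookie survives somewhere.
    session_destroy();

    return is_string($provider) ? (PROVIDER_LOGOUT_URLS[$provider] ?? null) : null;
}

// Request handler for /logout: local logout first, then either bounce the
// browser to the provider's logout page or back to the home page.
$providerLogout = logoutLocalSession();
header('Location: ' . ($providerLogout ?? '/'), true, 303);
exit;
```

The local part is what the relying party actually controls: all three steps (clear data, expire the cookie, destroy the store) are needed, since skipping the cookie step leaves a session ID the browser keeps presenting. The provider redirect is the "ugly" part the answer mentions: the Google URL ends the user's whole Google session, not just the authorization for your site, and the user lands on Google rather than back on your page.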
That's generally something handled by the OpenID provider - for instance, if the user remains logged into their Google account and checked the box to "remember" the OpenID authorization for your particular site, then the provider will transparently log them in and redirect them back without displaying the login prompt.
"It's a feature not a bug"
The ID provider can choose to keep the user authorized for the provider through cookies, and further can choose not to re-prompt the user about sharing the same information that was shared previously (with a prompt). So when the user on Site A asked to be authorized through Site B and got redirected, Site B first asked the user to authenticate himself or herself. Then Site B asked if it should share any information (and sometimes which information) with Site A. At this point it will also customarily ask if you want to automatically share this same information in the future. Some providers will assume yes, some no, some won't ask. Site B then redirects to Site A and shares the information, and you're now logged in.
If Site A makes a second redirection to Site B to request a login, Site B might:
1) Already have a cookie that authenticates the current user of Site B.
2) Already have a record of what information is acceptable to share with Site B.
3) Automatically share this information through a redirect without pausing to prompt the user at all.
This is a feature centered around convenience.