lemme explain my problem - i wanna develop e-shop in symfony, but i dont know how to configure firewalls. Normally, i use firewall to restrict access in secured areas, like pages administration, but this time some pages should be accessible without login and in case user logs in, i wanna to get his info on those pages.
I can use two firewalls with different providers, one for admins and another for users. But - how to set security to have accessible user's data on pages, that are not under firewall?
Thank you in advance.
That is not what symfony firewalls are for. Firewalls are for Access Validation. Not View Validation.
You want to check the user (if logged in) in the view and show the data.
If the data changes dependend on the user (e.g. different prices), you'll have to check the user inside the controller.
Related
I am struggling with a seemingly simple issue around firewalls and user providers in Symfony 4.4.
I am using 2 firewalls & user providers for different user groups.
On my homepage, I want to spare logged in users the marketing page and redirect them to the logged in area immediately. So I need to check if the browser is already logged in to either one of the firewalls. If yes, redirect to a specific page in the login-area.
Here's what's happening though:
I tried to create a firewall using a chained user provider for the homepage, but it cannot access the logged in users from the other firewalls. The user is always null.
So my question is:
How can I check if a user is logged in to a firewall/user provider that does not apply to the page I am currently on?
Can the same user have multiple sessions to the same app in the same browser as long as another field is added to the authentication process (email, password and website_id)?
I'm building a PHP app that allows the creation of multiple onepage websites. Each website should serve as standalone sites, with different content but they all have the same backend. Each website has a separate set of users/customers. A user can signup on any website but the websites don't necessarily share a user base. This means that a user can go to site1.domain.com and register, and then would have to register again if they wish to visit site2.domain.com.
They will probably register using the same email address, so my user table allows for duplicate email addresses as long as they're not in the same website.
This is sort of a very simple CMS. Kinda like what magento does with multiple websites running under the same instance. They also allow each separate site to have they're own customer base.
I plan to use Laravel for this project. My current approach is this:
Modify the provided user authentication functionality to add the site_id field. This means the user can register with the same email address in multiple sites, and can also log in to all those sites separetly. If they're logged in to site1 and visit site2, they have to log in again and have two separate sessions for what would appear to them as two different apps, but is just the one.
In theory this seems possible to me. A cookie is created for each separate subdomain once they login, which wouldn't work on a different subdomain. I feel like I'm missing something big though, I've never done something similar to this and always relied on Laravel to handle all the session stuff for me. Is this possible without some heavy hacking to the Laravel codebase?
UPDATE
These are my constraints:
The desired affect is that each website appears to be a separate application alltogether and not related at all to the others but all tied to the same backend and with the same routing/views.
userbase and user session cannot be shared between sites. I can make it so a user registers once and can login to every site, but I don't want that. A user should be able to visit every website separately.
every website will have a different subdomain, or in same cases, a different domain alltogether.
PHP sessions are tied to the domain name, so they will automatically have different sessions for each of your apps. You can use route-model binding with a custom resolution to determine the app based on the domain.
routes.php
Route::group(array('domain' => '{site}.com'), function() {
//routes go here
});
RouteServiceProvider (in boot method)
$router->bind('site', function ($value) {
return App\Site::where('custom_domain', $value)->first();
});
This is based on the assumption that you have a Site model with a field in the database called custom_domain. All of the routes available inside the group will have access to the Site using dependency injection. You can adjust the model and field based on your app needs.
You can use the model to customize the login-page for each app, and the apps will have independent sessions for each one.
I've also heard great things about the Landlord package. You use a middleware to define which Site the user is, based on the url. Once that is set, all eloquent queries will be automatically scoped based on the site_id in the database. So User::all() would only return users for the current site.
I have two Symfony applications. They point on the same database for sharing some tables.
So one user can login into app1 and app2 with the same username and password. But the session is blocked for the app is logged in. I'm using FosUserBundle.
My question is, how to share the session to the differents apps ?
I tried to add in the config.yml this line on the two apps :
framwork:
session:
cookie_domain: .my-domain.com
name: SFSESSID
Indeed app1 is available on app1.my-domain.com and app2 is available on app2.my-domain.com
Second possible answer is to listen login event and perform login when i view session of my second app. Right ?
Thanks.
Unfortunately it won't work in this way, because user will have your cookie only on one of domains. You can create an API to share information about that if user is logged in and recognize who he is, but the right way to do this is creating third application - Single Sign On which will be purposed only, and only to login and authorize user. Your two current apps will always authorize and authenticate user with SSO.
To implement this you can use https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/ as a server and https://github.com/hwi/HWIOAuthBundle as Clients.
Or, if you want to do this really quickly but messy you can create a JS script which will call the second page and create own cookie there. But if somebody asked you I haven't recommended you that.
Piotr
I'm building a SaaS with Symfony 2. Currently I'm adding registration of users to the application, but I don't know how to start.
I have no problems with basic user registration and login, my problem is another: When a user logs into the system, he must fill his company information. Even if the user goes to another URL, he must be redirected to the company information screen and he can't continue until he fills the company data. And the truth is that I have no idea of how to do this.
Can you help me, please? I know that I can add some checks to all of the controllers, but this is just an ugly hack...
If the company information is important, add those fields to the register page. Don't create the account until all fields are filled.
Hard to answer without knowing anything about your application architecture. There's more than one way to do it.
One possible solution would be as long as the user did not fully fill out all the required information his account is locked, so whenever he tries to get onto another URL the access is denied (so essentially you've got three user states in your database or session storage or whatever) unless he enters his profile page and fills out all the requried information.
If he did so, his status changes to a "fully valid" user and he can login and browser the page however he likes.
So you don't have to check it on every page - just check if the user is logged in, locked or logged out.
If you have some kind of groups or roles in your application you could put your user into the "invalid" or "notcomplete" group which has basically no access to the application's pages.
I have a website which has two panels....
1- For Normal user accessible through domain.com
2- For Admins and Moderators accessible through admin.domain.com
When I (or anyone) access admin panel using admin.domain.com. He will be asked to enter username and password...BUT
How can I make this only visible to me (any way of telling server.. hey I am admin show me that page)
One approach came in my mind is to use the route filter for static ips, like hey
Laravel my name is 192.116.45.15... show me that page.
Another approach is to separate my whole admin from server and use it directly from my localhost.
Please tell some more approaches (by the way I use Laravel)
Rather than, doing any server configurations, why don't you use a security field.
Say, along with Username and Password, can you please add a field PIN to the form.
Anyways, this field is again known to you only.
Also, you can use strong passwords to protect your admin panel.
If your approach is want the server differentiate before they login. You can set the admin page only able to accessible by admin user with (IP address).
If they had login from main page. You can get the user role session.
Role Level
1 Admin
2 Moderator
3 Member
If you don't want users to see the admin login page at all you could require special GET parameter that pretty much is a password. e.g. admin.domain.com/ would simply output nothing but admin.domain.com/?5q38cZxyaA would output the login page. As long as you dont publish the link anywhere this is as save as sending a password via post(so its as save as the following real login).
If you have ssh access to the server, you can run the administration panel on some different port say port 3000 and then block that port in firewall with a exception of your own ip.