I have a Symfony 2.8 web app built as an API, with FOSUserBundle for the user entities and FOSOAuthServerBundle for authentication.
My security.yml is this:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true
        api:
            pattern: ^/v1
            fos_oauth: true
            stateless: true
            switch_user_stateless: true
            anonymous: false
    access_control:
        - { path: ^/v1/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/v1/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/v1, role: IS_AUTHENTICATED_FULLY }
I can register a user and log in, getting the access_token correctly, but when I try to access any endpoint of my API I can access it without logging in.
Even if I set the right access token in the headers, $this->getUser() returns null, because at no point is my app doing the authentication check.
Any idea? I have made different APIs and never had this problem.
Thanks!
I encountered a problem with role promotion in Symfony3, as the title suggests.
The error is simple:
Expression "has_role('ROLE_ADMIN')" denied access.
I promoted the user with
php bin/console fos:user:promote (etc.),
resulting in:
a:1:{i:0;s:10:"ROLE_ADMIN";}
in the database.
I also put an annotation on my controller method:
/**
 * @Security("has_role('ROLE_ADMIN')")
 */
And my security.yml looks like this:
security:
    encoders:
        MR\UserBundle\Entity\User: sha512
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        main:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main_login:
            pattern: ^/login$
            anonymous: true
        main:
            pattern: ^/
            anonymous: true
            provider: main
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
            logout:
                path: fos_user_security_logout
                target: /
            remember_me:
                secret: '%secret%'
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Do not bother with the visible increments; they are a mere effect of my copy-paste.
I hope I did not miss an obvious point, but I'd prefer that to a nothing-solved case.
Thanks in advance
@K.F I "it worked in the morning" => I also had this issue on SF 3.X. It was not a cache problem. It was simply because I had to disconnect and reconnect to apply the new roles to my user.
I know it wasn't your problem but I solved mine after I realized that I made a mistake in my user promotion... I didn't add the ROLE_ADMIN but only ADMIN... rookie mistake
I'm building a project with a front app in Angular and a REST API backend in Symfony2 (2.7, needs to move to 3.3 soon).
Backend side, I'm using FOSRestBundle, FOSUserBundle, LexikAuthBundle and a bunch of other cool bundles for REST API needs.
I recently implemented one-time login through the social providers Google and Facebook (front-end login buttons, then create the fos_user on the backend side and manually issue the just-recognized user a JWT provided by LexikBundle). This works well with the following app\config\security.yml:
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_API: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            form_login:
                check_path: /api/login_check
                login_path: /api/login
                require_previous_session: false
                username_parameter: username
                password_parameter: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/api
            stateless: true
            anonymous: true
            lexik_jwt:
                authorization_header:
                    enabled: true
                    prefix: Bearer
                query_parameter:
                    enabled: true
                    name: bearer
            always_authenticate_before_granting: true
    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/registration., roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: [IS_AUTHENTICATED_FULLY, ROLE_API] }
This works fine for the /api/login/social routes (where the data is in the body, POST), but it is impossible to reach /api/registration :( :
INFO - Matched route "myapp_security_register".
Context: {"route_parameters": {"_controller":"myapp\\CoreBundle\\Controller\\SecurityController::registerAction","_route":"myapp_security_register"},"request_uri":"http://127.0.0.1:8000/api/registration"}
INFO - Populated the TokenStorage with an anonymous Token.
ERROR - Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "You do not have the necessary permissions" at C:\projects\myappAPI\vendor\friendsofsymfony\rest-bundle\FOS\RestBundle\EventListener\AccessDeniedListener.php line 70
Context: {"exception":"Object(Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException)"}
I don't get it, because the anonymous token is set! Why doesn't access_control let /api/registration reach my controller? What am I missing?
I can also post the FOSRestBundle config if it may help.
Thanks, Bor.
There is a typo in your access_control directive:
- { path: ^/api/registration., roles: ['..'] }
... should be
- { path: ^/api/registration, roles: ['..'] }
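As an added illustration (not code from any of the posts above), here is a small Python model of how Symfony's access_control picks a rule: entries are tried in order, each `path` is a regular expression matched against the request path, and the first match decides which roles are required (any one of the listed roles suffices). It reproduces the typo: with `^/api/registration.` the request `/api/registration` is not matched, falls through to `^/api`, and the anonymous token is denied.

```python
import re

# Simplified, constructed model of Symfony's access_control resolution
# (illustration only, not Symfony's own code). Rules are tried top to
# bottom; the first rule whose `path` regex matches the request path wins.
RULES_AS_POSTED = [
    {"path": r"^/api/login", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    # the stray '.' requires one more character after "registration"
    {"path": r"^/api/registration.", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/api", "roles": ["IS_AUTHENTICATED_FULLY", "ROLE_API"]},
]

RULES_FIXED = [
    {"path": r"^/api/login", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/api/registration", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/api", "roles": ["IS_AUTHENTICATED_FULLY", "ROLE_API"]},
]

# What the anonymous token Symfony populates can satisfy.
ANONYMOUS = {"IS_AUTHENTICATED_ANONYMOUSLY"}


def required_roles(rules, path):
    """Roles demanded by the first matching rule, or None when no rule
    matches (Symfony then lets the request through to the controller)."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule["roles"]
    return None


def is_granted(rules, path, token_attributes):
    """True if the token satisfies at least one of the required roles
    (Symfony's default affirmative strategy)."""
    roles = required_roles(rules, path)
    if roles is None:
        return True
    return any(role in token_attributes for role in roles)


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(name, "-> requires", required_roles(rules, "/api/registration"),
              "| anonymous granted:", is_granted(rules, "/api/registration", ANONYMOUS))
```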
I have a problem using LdapBundle with authentication against both the database and LDAP.
I've tried to do it like this:
My security.yml
security:
    encoders:
        IMAG\LdapBundle\User\LdapUser: plaintext
        Sermeta\HomeBundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        multiples:
            chain:
                providers: [administrators, ldap]
        ldap:
            id: imag_ldap.security.user.provider
        administrators:
            entity: { class: "SermetaHomeBundle:User", property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_firewall:
            pattern: ^/login$
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                provider: multiples
            logout:
                path: /logout
                target: /home
        secured_area:
            pattern: ^/
            imag_ldap:
                provider: multiples
                check_path: login_check
                login_path: login
            logout:
                path: /logout
                target: /home
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
imag_ldap:
    client:
        host: myipadress
        port: 389
        skip_roles: true
        bind_username_before: true
    user:
        base_dn: dc=mydc,dc=fr
        name_attribute: uid
But when I test this, I can log a user in with the database password, but when I try with the LDAP password I get a "Bad Credential" error. (Seems logical if it only checks the database :/)
According to the bundle documentation I put "bind_username_before: true", but it doesn't seem to check it.
(I need database authentication to get the user roles (once I am finished with this #!* authentication ...))
I'm using FOSUserBundle in an ongoing project and everything works fine, but I'm having a small problem when I close the session, because I go to the index of the application instead of staying in the secured area, which is /admin/login where the login form is. This is my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                path: /logout
                target: /admin
                invalidate_session: false
            anonymous: true
    access_control:
        - { path: ^/admin, role: ROLE_ADMIN }
Can anyone tell me where I am making the mistake?
I think it's the anonymous: true. If you basically want the whole site to be under access control, with no pages apart from the login page being accessible to someone not logged in, then you want something like this:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                path: /logout
                target: /admin
                invalidate_session: false
            anonymous: ~ # NO ANONYMOUS ACCESS
    access_control:
        - { path: ^/admin, role: ROLE_ADMIN }
        # anonymous visitors need to be able to get to the logon pages
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Could also add "safe" routes like an "about" or "contact us" page here if you like
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
I'm working with FOSUserBundle, and now I'm trying out roles and access control.
I tried to create a new role, change the role of one of my users, then access a page with restricted access.
security.yml:
security:
    encoders:
        FN\UserBundle\Entity\User: sha512
    role_hierarchy:
        ROLE_USER_CONFIRMED: ROLE_USER
        ROLE_ADMIN: [ROLE_USER, ROLE_USER_CONFIRMED]
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_USER_CONFIRMED, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        main:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main_login:
            pattern: ^/login$
            anonymous: true
        main:
            pattern: ^/
            anonymous: true
            provider: main
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                always_use_default_target_path: false
                default_target_path: /client/home
                target_path_parameter: _target_path
                use_referer: false
            logout:
                path: fos_user_security_logout
                target: /home
            remember_me:
                key: '%secret%'
    access_control:
        - { path: ^/client, roles: ROLE_USER_CONFIRMED }
        - { path: ^/admin, roles: ROLE_ADMIN }
I changed the roles of my user with $user->setRoles(array('ROLE_USER_CONFIRMED'));
In my database, the user's role changed correctly, but when I click on the user in the FOSUserBundle toolbar, my user stays in ROLE_USER, and when I go to the page "xxx/client/home", I get an ACCESS DENIED page.
Have you any idea why the role is changed in my database, but I can't open the page?
Did you have the user log out, then log back in? Roles get pulled and saved as part of the session upon logging in, so if you applied the role while the user was logged in on a machine, the user would not see that reflected on that machine until they logged out and then logged back in.