Deny access to ROLE_ADMIN symfony - php

I work with Symfony 2.7 and FOSUserBundle 2.0.
What I want is to allow access to /admin to a ROLE_ADMIN user but to deny him all other paths.
# app/security.yml
access_control:
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
    - { path: ^/admin, roles: ROLE_SUPER_ADMIN }
role_hierarchy:
    ROLE_USER: ROLE_USER
    ROLE_ADMIN: ROLE_ADMIN
I thought about php app/console fos:user:demote admin ROLE_USER, but ROLE_USER is the default role of FOSUser, so every time the admin logs in, ROLE_USER comes back in addition to ROLE_ADMIN.
How can I do this?

In that case, ROLE_ADMIN has no access to ROLE_MANAGER:
access_control:
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_MANAGER }
    - { path: ^/admin, roles: ROLE_ADMIN }
role_hierarchy:
    ROLE_USER:
        - ROLE_USER
    ROLE_MANAGER:
        - ROLE_USER
    ROLE_ADMIN:
        - ROLE_ADMIN

Related

Catch user group in login flow and remove access to frontend if belongs to certain group

I have an application with frontend and backend sides. Both share the same FOSUserBundle users table. The logic behind the application I'm working on doesn't allow an "admin" (ROLE_ADMIN or group ADMIN) to be logged in at the frontend, so I need to catch in the login flow whether the user belongs to group ADMIN or has ROLE_SUPERADMIN or ROLE_ADMIN credentials. I think this could be done in some way in the Security flow of Symfony2 itself, but how? What do I need to do to catch that and, if the user belongs to that group, redirect to the login form (from FOSUserBundle), or otherwise allow them into the frontend? Any help? Some code? Examples?
security.yml file content:
Regarding the user's answer, this is how my security.yml file is configured:
role_hierarchy:
    ROLE_USER: ROLE_USER
    ROLE_ADMIN: ROLE_ADMIN
access_control:
    # Anonymous area
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/registro, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/cedula, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/rif, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/correo, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/usuario, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/razon_social, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/registro_mercantil, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/padre, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/correo_alternativo, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/paises, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/estados, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ciudades, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/municipios, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/parroquias, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/empresas, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Secured area
    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin, role: ROLE_ADMIN }
But users with ROLE_ADMIN can still log in to the frontend (/), and they shouldn't, right? What's wrong then?
You must know the role hierarchy in your security.yml file.
You don't need to extend default functionality on fosuserbundle or symfony security to achieve that.
For example:
role_hierarchy:
    ROLE_USER: ROLE_USER
    ROLE_CONTENT_MANAGER: ROLE_USER
    ROLE_ADMIN: [ROLE_CONTENT_MANAGER]
    ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
So, the super admin can go anywhere all other groups are allowed. Admin has the rights of content manager. Content manager has the rights of user.
Check your access control in your security.yml file.
access_control:
    - { path: ^/private_directory$, roles: MUST_BE_RIGHT_TO_SEE_HERE }
So, only the role MUST_BE_RIGHT_TO_SEE_HERE can see private_directory. Any other role cannot.

Symfony2, FOSUserBundle: trouble setting to only registered users are allowed access to all pages

I thought I did the settings correctly when I tried going on to the homepage (/) and it redirects me to the login page (/login). However, when I click on navigation menu such as about (/about) and inventory (/inventory), the pages were shown even when I am not logged on. Currently only the homepage is redirecting to login, but I need all pages to redirect to login if users are not signed on.
Here is my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout: true
            anonymous: true
    access_control:
        - { path: ^/$, role: ROLE_USER }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
config.yml:
fos_user:
    db_driver: orm # other valid values are 'mongodb', 'couchdb' and 'propel'
    firewall_name: main
    user_class: Main\UserBundle\Entity\User
Am I missing something?
EDIT: I guess the solution was to get rid of the "$" in the access control.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
Except that with this, after login it redirects to a blank page with a URL of /_wdt/(token number). If anyone is having a problem with this, the solution is to insert this setting before "main" in the security.yml firewalls:
dev:
    pattern: ^/(_(profiler|wdt)|css|images|js)/
    security: false
Change your firewall configuration to the following:
access_control:
    - { path: ^/$, role: ROLE_USER }
    - { path: ^/secured, role: ROLE_USER }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
And change your routes for the secured pages to start with /secured.
UPDATE:
You can deny all the routes under / to users who are not logged in by removing the $ in your access control rule:
access_control:
    - { path: ^/, role: ROLE_USER }
However, this will cause a redirect loop when you try to access routes that should be available to anonymous users, like /login or /register.
UPDATE 2
As #user3757305 commented below, - { path: ^/, role: ROLE_USER } can be added at the bottom. Access control rules are applied in the order they appear in the security config. That means that everything above the - { path: ^/, role: ROLE_USER } rule will not be covered by it. So, the following config should work as required:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }

Redirect after the login

I used FOSUserBundle and I changed the basic template to my own. When I set rules in my security file like below
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
then everything is ok, but when I change it like below
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: ROLE_ADMIN }
my site redirects me after login to "web/app_dev.php/_wdt/7e8a2e" and I don't know why.
What is "_wdt/7e8a2e"?
You should add a new access_control rule to allow anonymous access to this:
    - { path: ^/_(profiler|wdt)/, role: IS_AUTHENTICATED_ANONYMOUSLY }
You could also add a new firewall rule to disable security for this URL.

Symfony2 - Security authentication

- { path: ^/event, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_MEMBER }
In my security.yml, I would like to authenticate all /xxx paths except / and /event. Is there a way to do so? What I did above does not work. The only way to make it work is to add individual pages every time I create one.
- { path: ^/event, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_MEMBER }
I cannot add IS_AUTHENTICATED_ANONYMOUSLY on the root in the 3rd line because that would be so wrong.
You have to do this in your access_control:
- { path: ^/event, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_MEMBER }

Symfony2.1/FOSUserBundle - change the login form route to the homepage route (path: /)

I have a symfony 2.1 project using FOSUserBundle. The bundle is installed correctly. All the functionalities work properly using the default /login form.
But now I want to change the login form route to be the same as the homepage (path: /).
I tried:
changing the security.yml login_path:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /
        logout: true
        anonymous: true
and the access_control to:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
When I try to access the homepage it enters an infinite redirect (I assume):
"The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
Also, I couldn't find anything to troubleshoot this behaviour in the FOSUserBundle documentation.
In short: I want the first page to act as the login page.
You have a redirect loop.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
    - { path: ^/*, role: ROLE_USER } #5
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY } #6
This happens because you first tell access control in #5 that the path requires ROLE_USER, BEFORE you tell it in #6 that it also requires IS_AUTHENTICATED_ANONYMOUSLY (both the 5th and 6th rules match).
Access control is order sensitive; the rules apply in the order they are defined. Try:
access_control:
    - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY } # NOTE THE $
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
I moved the rule
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
to the beginning so it matches before
    - { path: ^/*, role: ROLE_USER }
I think you should change in your security.yml:
login_path: / to login_path: /login
And your access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
Hope this helps!
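As an added example (not from any of the posts above), here is a small Python model of the first-match evaluation that every thread on this page relies on. The role names, rule lists and the `decide`/`login_loops` helpers are constructed for illustration; the model shows why the first question's `^/` rule shadows the `^/admin` rule behind it, why `^/$` matches only the homepage while `^/` matches everything, and how a catch-all placed before the `/login` exception produces the redirect loop the later answers describe.

```python
import re

# Constructed model of how Symfony 2 evaluates access_control and
# role_hierarchy from security.yml (illustration, not Symfony's code).
# Rules are tested top to bottom and the FIRST rule whose path regex
# matches decides; later rules are never consulted for that request.

def expand_roles(user_roles, hierarchy):
    """Transitive closure of the user's roles under role_hierarchy."""
    effective, pending = set(), list(user_roles)
    while pending:
        role = pending.pop()
        if role not in effective:
            effective.add(role)
            children = hierarchy.get(role, [])
            pending.extend([children] if isinstance(children, str) else children)
    # Every request, anonymous or logged in, satisfies this pseudo-role.
    effective.add("IS_AUTHENTICATED_ANONYMOUSLY")
    return effective

def decide(path, user_roles, access_control, hierarchy):
    """'allow', 'forbidden' (logged in but lacks the role) or
    'redirect_to_login' (anonymous and lacks the role). No match: allow."""
    effective = expand_roles(user_roles, hierarchy)
    for rule in access_control:
        if re.search(rule["path"], path):            # first match wins
            required = rule.get("roles", rule.get("role"))
            required = [required] if isinstance(required, str) else required
            if any(r in effective for r in required):
                return "allow"
            return "forbidden" if user_roles else "redirect_to_login"
    return "allow"

def login_loops(access_control, hierarchy, login_path="/login"):
    """True when an anonymous visitor is bounced away from the login page
    itself, which the browser reports as a redirect loop."""
    return decide(login_path, [], access_control, hierarchy) == "redirect_to_login"

# Constructed configurations mirroring the patterns discussed above.
HIERARCHY = {"ROLE_SUPER_ADMIN": ["ROLE_ADMIN"]}
LOGIN = [{"path": "^/login$", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"}]
# Catch-all listed before /admin: it shadows the admin rule entirely.
SHADOWED = LOGIN + [{"path": "^/", "roles": "ROLE_USER"},
                    {"path": "^/admin", "roles": "ROLE_SUPER_ADMIN"}]
# Most specific rule first, catch-all last.
ORDERED = LOGIN + [{"path": "^/admin", "roles": "ROLE_SUPER_ADMIN"},
                   {"path": "^/", "roles": "ROLE_USER"}]
# Catch-all placed before the /login exception: anonymous users loop.
LOOPING = [{"path": "^/", "roles": "ROLE_USER"}] + LOGIN
```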
