Symfony2 limit access user - php

I want to limit user access on some routes to admins only, and I want to know what the best practice is for doing that: is it possible from routing (for example, after a call to my controller function I want to call one function that says true if I'm admin or false if not), or do I need to call my verification function first in every function?
I have read the Symfony2 documentation, but nothing specifically notes whether this is possible.

Since you need to limit access on specific routes, you can do so with Symfony's Access Control in your security.yml. Read the docs in order to achieve this.

See http://symfony.com/doc/current/book/security.html#book-security-securing-controller in the Symfony2 documentation. You need to access the security.context service and return the proper value based on the user's roles.
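The access_control approach from the first answer, as an added example (not configuration from the question or the answers): it protects every route under an assumed /admin prefix with ROLE_ADMIN and shows the ordering caveat that bites in practice, since Symfony applies only the first access_control rule whose pattern matches.

```yaml
# app/config/security.yml (added example; the /admin and /api/items paths are assumed)
security:
    role_hierarchy:
        # an admin automatically gets everything ROLE_USER may do
        ROLE_ADMIN: ROLE_USER

    firewalls:
        main:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
            logout: ~

    access_control:
        # Rules are evaluated top to bottom and the FIRST match wins, so the
        # login page must be listed before the catch-all or nobody can log in.
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # every route under /admin is for admins only
        - { path: ^/admin, roles: ROLE_ADMIN }
        # method-specific restriction: writes to the API need an admin, reads do not
        - { path: ^/api/items, roles: ROLE_ADMIN, methods: [POST, PUT, DELETE] }
        - { path: ^/api/items, roles: ROLE_USER }
        # everything else needs a logged-in user
        - { path: ^/, roles: ROLE_USER }
```

A request that matches no rule is allowed by access_control, so a final catch-all is what turns the list into a deny-by-default policy.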

Codeigniter - find out if class was called directly

I am attempting to create a controller that can detect if it is called from another controller in the application.
If it is called directly via the URL, however, I need to know so I can perform some other actions.
i.e.
cheese/modulename calling potato/modulename is different to someone accessing site/cheese/modulename via URL - and I need to be able to pick up on this and act accordingly.
I am aware of:
$this->router->class
but it will not work as I may have the same named class in another module (HMVC pattern as an FYI) that may want to call this controller (cheese/modulename calling potato/modulename as an example would return 'modulename' - so I can't use that as a check to see if it was called by itself.)
I basically need a check for:
controller was called via another controller = true / false
can anyone tell me how (or if I am being thick!)
I am doing this in the __construct() just in case your solution will have a problem with that (can't see why but you never know!)
EDIT
Thank you to Mohammad Walid for his answer.
For clarity the structure is:
CLIENTS
    MODELS
    CONTROLLERS
        - Client
        - Api
    VIEWS
JOBS
    MODELS
    CONTROLLERS
        - Jobs
        - Api
    VIEWS
I will be calling the API from Client, but may also (possibly) call it from another API that may be in another module.
For example, the CLIENTS Api might get called from the JOBS Api controller (I have no intention of doing this at present, but it may be a possibility under different scenarios I haven't foreseen, and I want to make it future-proof so I don't have a massive refactoring job in the future.)
You can try this:
function is_called_via_url($controller_object)
{
    // $controller_object is the CodeIgniter controller instance, so use its
    // loaded URI library rather than $this (undefined in a plain function).
    // URI segments are lower-case while class names are capitalised, so the
    // comparison has to be case-insensitive.
    return strcasecmp($controller_object->uri->segment(1), get_class($controller_object)) === 0;
}
and in your controller:
if (is_called_via_url($this)) {
    // do something
}
I'm not quite sure if passing $this as an argument in the constructor will work, but it's worth a try.
Reference and a hint from MonkeyZeus's comment.
From the comments there seems to be no way to do this without using debug_backtrace($options, $limit)
However the work-around I have ended up doing is to add a 'flag' within the authorisation module (which is called before all controllers)
The flag defaults to false.
If a controller from within my application calls the API page I turn this flag to true (is_application = true - I am currently just manually pasting this into the __construct of any controllers in my application that need to talk to my API)
I can then just do a simple
if (!$is_application) {
    // $is_application is the flag set by the authorisation module; false means
    // this was called directly from the URL, not from within the application
}
from within the API controller.
Hopefully this will be helpful for others who are attempting this sort of thing and once again thank you to the people who took the time to comment / answer.

Symfony2 - Current User Access to Route

I have access_control set up in the security configuration of my Symfony app so, clearly, the application can detect if the current user has access for the current request (that works just fine). What I want to be able to do is have the app figure out if the current user would have access to another request (e.g. a different path or method) from a Controller action.
What is the proper way to do this in Symfony? I can hack together going through and accessing the FirewallContext of the current request and looking for the proper listener with the proper AccessMap, but this is ugly and I fear that it will break easily. Any suggestions?
This question has gone unanswered for almost a week now so I've found a decent workaround solution in the meantime, if anyone finds this and wants to do something similar.
First of all, I pulled the functionality from AccessListener::handle(GetResponseEvent) out into a new class/method Authorization::checkAccess(Request) which takes a Request object instead of a GetResponseEvent.
Next (and the necessity of this depends on whether or not checkAccess differs from the way handle handles requests), I created a separate class to override AccessListener and use Authorization::checkAccess(Request) to do the checking (and swapped it out in the configuration by setting the security.access_listener.class parameter).
Next, set up a service in the configuration to construct an Authorization object with all of the parameters that are injected into the AccessListener.
Finally, in order to check a particular request, I use this slice of code in the controller:
$check = $this->getRequest()->duplicate();
$check->server->set('REQUEST_URI', $requestUri);
$check->setMethod('GET');
$this->get('my_access_control_service')->checkAccess($check);
I hope this helps someone out there...
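One way to write the Authorization::checkAccess(Request) service described above, as an added example (not the asker's actual class): it reuses the two collaborators AccessListener already depends on, the AccessMap built from access_control and the AccessDecisionManager, and returns a boolean instead of throwing. The service id my_access_control_service is taken from the answer; the probe path is assumed.

```php
<?php
// Added example: decide whether the CURRENT token may access an arbitrary Request.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\AccessMapInterface;

class Authorization
{
    private $context;
    private $decisionManager;
    private $accessMap;

    public function __construct(
        SecurityContextInterface $context,
        AccessDecisionManagerInterface $decisionManager,
        AccessMapInterface $accessMap
    ) {
        $this->context = $context;
        $this->decisionManager = $decisionManager;
        $this->accessMap = $accessMap;
    }

    /**
     * True when the current user would pass access_control for $request.
     * Unlike AccessListener::handle() this does not re-authenticate the token
     * and does not throw, so it is safe for "should I show this link?" checks.
     */
    public function checkAccess(Request $request)
    {
        $token = $this->context->getToken();
        if (null === $token) {
            return false; // no firewall has run for this request: nothing to decide with
        }

        // getPatterns() returns array($roles, $channel). $roles is null when no
        // access_control rule matches, which access_control treats as allowed.
        list($attributes, $channel) = $this->accessMap->getPatterns($request);
        if (null === $attributes) {
            return true;
        }

        // Same call AccessListener makes; all configured voters and the
        // configured strategy (affirmative/consensus/unanimous) apply.
        return $this->decisionManager->decide($token, $attributes, $request);
    }
}

// services.yml (assumed wiring):  my_access_control_service:
//   class: Authorization
//   arguments: ['@security.context', '@security.access.decision_manager', '@security.access_map']
//
// From a controller, probing a different path AND method for the current user:
// $canDelete = $this->get('my_access_control_service')
//     ->checkAccess(Request::create('/admin/users/42', 'DELETE'));
```

Request::create() builds the probe without touching the live request, so it replaces the duplicate()/REQUEST_URI dance from the answer; the duplicate() approach still works if session or locale attributes of the current request must be preserved.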

Symfony2 HttpKernel Before and after methods in controllers (Kohana Style)

I know that this problem has been discussed many times, but I have found a solution and I'm not sure if it is the best and most efficient approach.
My problem: I'm using FOSUserBundle to handle user authentication and I would also like to prevent the login, password-reset, etc. forms from being displayed to logged-in users. Below I put some approaches:
The first one (which has already been implemented) is based on the kernel events; here is the code:
https://gist.github.com/walmen/871c13014b80c6a3d05d
The second approach, which was mentioned by my colleague, is based on method overloading (removing listeners and duplicating code in each method which has some logic that shouldn't be displayed for logged-in users).
Write a custom annotation, i.e. @RequireAnonymous.
As I mentioned before, I've already implemented the first approach, but I'm not sure if it is the best and most efficient solution (this listener would be called for each request; isn't that too heavy a load for the application? How do listeners affect the application, if at all?).
The second approach is the easiest one of course, but... code duplication doesn't sound really nice.
The last one might be the best, but if we take a look at this example https://gist.github.com/cystbear/1391850 we will see that there is also a problem with calling the event during any controller call.
Any advice or other ideas with good arguments and explanation?
If I'm understanding you correctly, you can use the third approach with the JMSSecurityExtraBundle which is included with Symfony Standard.
On the actions you want to exclude from authenticated users you can do like so:
/**
 * @Secure(roles="IS_AUTHENTICATED_ANONYMOUSLY")
 */
public function fooAction()
{
    // stuff...
}
This ensures that the user requesting the specific path is not authenticated.
@Ramon not really, because every user has the role IS_AUTHENTICATED_ANONYMOUSLY, even the authenticated ones.
What is more we don't want to throw an exception like "Access denied" or something but we want to 'hide' those pages thanks to the redirection.
What do you think about this https://github.com/FriendsOfSymfony/FOSUserBundle/issues/996#issuecomment-14812806 ?
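A kernel.request listener of the kind the first approach describes, as an added example (not the gist from the question): it redirects an already logged-in user away from a configured list of anonymous-only routes and uses IS_AUTHENTICATED_REMEMBERED rather than IS_AUTHENTICATED_ANONYMOUSLY, for the reason given in the comment above. The class name, service id and target route are assumed; fos_user_security_login is FOSUserBundle's login route.

```php
<?php
// Added example: send logged-in users away from login / password-reset pages.
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class AnonymousOnlyRouteListener
{
    private $context;
    private $router;
    private $anonymousOnlyRoutes;
    private $targetRoute;

    /**
     * @param string[] $anonymousOnlyRoutes e.g. array('fos_user_security_login', 'fos_user_resetting_request')
     * @param string   $targetRoute         route logged-in users are redirected to (assumed: 'homepage')
     */
    public function __construct(SecurityContextInterface $context, RouterInterface $router,
                                array $anonymousOnlyRoutes, $targetRoute)
    {
        $this->context = $context;
        $this->router = $router;
        $this->anonymousOnlyRoutes = $anonymousOnlyRoutes;
        $this->targetRoute = $targetRoute;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Sub-requests (render(controller(...)) in Twig) must never be redirected.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }
        // Cheap early exit: the security check below runs only for the listed routes,
        // so the per-request cost for everything else is one array lookup.
        $route = $event->getRequest()->attributes->get('_route');
        if (!in_array($route, $this->anonymousOnlyRoutes, true)) {
            return;
        }
        // IS_AUTHENTICATED_ANONYMOUSLY is granted to everyone, so it cannot separate
        // anonymous from logged-in; IS_AUTHENTICATED_REMEMBERED covers a fresh login
        // and a remember-me cookie alike.
        if (null === $this->context->getToken()
            || !$this->context->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            return;
        }
        $event->setResponse(new RedirectResponse($this->router->generate($this->targetRoute)));
    }
}
// services.yml tag (assumed): { name: kernel.event_listener, event: kernel.request,
//   method: onKernelRequest, priority: 0 }. The priority must be below the router's (32)
//   so _route is resolved, and below the firewall's (8) so a token exists.
```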

Alternatives to isGranted in Symfony2

While testing roles in my application I found the function isGranted of the SecurityContext. It works great but now I need to check the roles of a user that is not the current user so isGranted doesn't work for me.
I've been looking and I found the function hasRole of the user, the problem is that this function doesn't look in the hierarchy tree of Symfony and it just looks in the roles assigned to the user.
So, is there a function that looks for a role of a user in the hierarchy tree, like isGranted does for the current user?
EDIT
I found this solution:
How to use the AccessDecisionManager in Symfony2 for authorization of arbitrary users?
I implemented it and it works, the problem is that it needs the ContainerBuilder and I would prefer a different approach.
Any Idea?
Basically, AFAIK SecurityContext works with Symfony\Component\Security\Core\Authentication\Token\TokenInterface, from which it can fetch the current user using the getUser method.
If the user token is not authenticated then isGranted tries to authenticate the user token first and then uses a class called AccessDecisionManager, which basically iterates over voter objects and calls them (and can use different strategies for that). One of the voters called is RoleHierarchyVoter, which uses Symfony\Component\Security\Core\Role\RoleHierarchy.
So the answer to your question:
I think there is no such function like isGranted for other users (or I do not know about any), but you can write your own service which allows that using security.role_hierarchy (just note that it is a private service).
BTW hasRole probably should be sufficient most of the time, so maybe you should think about what you want to do ;)
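The "write your own service using security.role_hierarchy" suggestion, worked out as an added example (not the asker's or answerer's code): it expands an arbitrary user's roles through the same RoleHierarchy that RoleHierarchyVoter uses for the current token, so ROLE_ADMIN reaching ROLE_USER is honoured. The class name and service id are assumed; the hierarchy in the stand-alone check is constructed.

```php
<?php
// Added example: isGranted-style role check for a user who is NOT the current user.
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;

class UserRoleChecker
{
    private $roleHierarchy;

    public function __construct(RoleHierarchyInterface $roleHierarchy)
    {
        $this->roleHierarchy = $roleHierarchy;
    }

    /** Like isGranted('ROLE_X'), but for any user object, hierarchy included. */
    public function hasReachableRole(UserInterface $user, $role)
    {
        $roles = array();
        foreach ($user->getRoles() as $r) {
            // getRoles() yields strings or Role objects depending on the User class
            $roles[] = $r instanceof Role ? $r : new Role($r);
        }
        // getReachableRoles() returns the user's roles plus everything they imply
        foreach ($this->roleHierarchy->getReachableRoles($roles) as $reachable) {
            if ($reachable->getRole() === $role) {
                return true;
            }
        }
        return false;
    }
}

// services.yml (assumed id): the private service can still be injected as an argument.
// my_role_checker:
//     class: UserRoleChecker
//     arguments: ['@security.role_hierarchy']

// Stand-alone check mirroring a security.yml entry "ROLE_ADMIN: ROLE_USER" (constructed data):
$hierarchy = new RoleHierarchy(array('ROLE_ADMIN' => array('ROLE_USER')));
$checker   = new UserRoleChecker($hierarchy);
$admin     = new User('alice', 'unused-password', array('ROLE_ADMIN'));
// $admin->hasRole-style check on the raw array would say false for ROLE_USER;
// the hierarchy-aware check says true:
var_dump($checker->hasReachableRole($admin, 'ROLE_USER'));   // bool(true)
var_dump($checker->hasReachableRole($admin, 'ROLE_SUPER'));  // bool(false)
```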

Yii i want to get all actions that a user is authorized to perform

How can I get back the actions I defined in my accessRules function?
public function accessRules()
{
    return array(
        // each rule is its own array: 'allow' or 'deny' first, then the criteria
        array('allow',
            'actions' => array('create', 'update', ...),
            ....
        ),
    );
}
I need them for display reasons, something like if (in_array('create', $actions)) echo CHtml::link('link to create form');
or maybe something like if (user->isAuthorizedToPerform('create')).
Thanks in advance.
I think this is not possible when you use the accessControl filter. The authorization data is in this case saved directly in the controller, so you technically have to be in the controller to see the accessRules(). And you cannot check access manually, as far as I know. The filter does the work there. You can see your access rules by calling $this->accessRules(), but then you have to be in the controller.
You probably have to use RBAC and save your access rules externally. Read here for more information: Yii Documentation - role based access control
There is also a quite capable Yii extension called Rights, which provides a backend for RBAC.
This might seem like overkill for the moment, but RBAC is unmatched in flexibility. If you use it, you can check access like Yii::app()->user->checkAccess('post.create'), and many other things.
