In my access control I have a bunch of rules but none of them seem to be working. I belong to a group that does not have the role and I am still able to access all the routes. I tried adding dollar signs to the end of the paths but that did not work. I also tried reordering the paths and that failed as well. Any advice will help!
Here is my security.yml file:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/system/staff/add, roles: ROLE_ADD_STAFF }
        - { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }
        - { path: ^/system/staff, roles: ROLE_VIEW_STAFF }
        - { path: ^/system/profile/edit, roles: ROLE_USER }
        - { path: ^/system/profile, roles: ROLE_USER }
        - { path: ^/system/officer/add, roles: ROLE_ADD_OFFICER }
        - { path: ^/system/officer/edit, roles: ROLE_EDIT_OFFICER }
        - { path: ^/system/officer, roles: ROLE_VIEW_OFFICER }
        - { path: ^/system/job/add, roles: ROLE_ADD_JOBS }
        - { path: ^/system/job/edit, roles: ROLE_EDIT_JOBS }
        - { path: ^/system/job, roles: ROLE_VIEW_JOBS }
        - { path: ^/system/company/add, roles: ROLE_ADD_COMPANIES }
        - { path: ^/system/company/edit, roles: ROLE_EDIT_COMPANIES }
        - { path: ^/system/company, role: ROLE_VIEW_COMPANIES }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/system, roles: ROLE_USER }
For example, my current group does not have the ROLE_EDIT_STAFF role, yet I am still able to access the path.
Every time you make a request, Symfony will check your access controls to find one that works.
When you request /system/staff/edit, here's what happens.
For your setup it finds:
- { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }
But since you don't have the role ROLE_EDIT_STAFF, it moves on.
It now matches:
- { path: ^/system/staff, roles: ROLE_VIEW_STAFF }
because your route does start with ^/system/staff, and you have ROLE_VIEW_STAFF, so you are granted access.
In addition to that one you have:
- { path: ^/system, roles: ROLE_USER }
which means that anyone who has ROLE_USER can access any route that starts with /system.
Whether it's /system/admin/delete-all or just /system, it matches them both.
If you want to use strict route controls, I would recommend dropping the ^ from the start of the routes unless you really mean to match any routes starting with what follows the ^.
I'm currently working on a PDF generator, but I'm having a problem accessing the url.
Anyone should be able to download the PDF.
In my security.yml I currently have this:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy: ~
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_USER }
        - { path: ^/, role: ROLE_USER }
I would like people to have access to the following url: /admin/maintenance/pdf/{id}
So I added the following line:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin/maintenance/pdf/$, role: [ROLE_USER, IS_AUTHENTICATED_ANONYMOUSLY] }
But I'm still redirected to the login page when I'm not logged in.
I did several tests, and it is the following line that is problematic:
- { path: ^/, role: ROLE_USER }
I guess I misconfigured my access to the url.
Can someone help me?
Thank you
Items in the ACL are processed sequentially, so you need to put it before:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/maintenance/pdf/$, role: [ROLE_USER, IS_AUTHENTICATED_ANONYMOUSLY] }
    - { path: ^/admin, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }
Move up more specific rules, so that they are matched first.
I'm starting my journey with Symfony.
At this point I'm trying to secure my auth routes (I'm using FOSUserBundle), so I do:
access_control:
    - { path: ^/logowanie$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/rejestracja, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetowanie-hasla, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backstage/, role: ROLE_ADMIN }
    - { path: ^/profile/, role: ROLE_USER }
However, I can always go to these routes whether I'm logged in or not.
Where is my mistake?
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                check_path: fos_user_security_check
                login_path: fos_user_security_login
            logout:
                path: fos_user_security_logout
                target: website.home
            logout: true
            anonymous: true
    access_control:
        - { path: ^/logowanie$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rejestracja, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetowanie-hasla, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/backstage/, role: ROLE_ADMIN }
        - { path: ^/profile/, role: ROLE_USER }
You should restrict access to logged-in users. Right now, if a user is logged in, they also have the role IS_AUTHENTICATED_ANONYMOUSLY; this is the role hierarchy.
- { path: ^/logowanie$, role: IS_AUTHENTICATED_ANONYMOUSLY && !IS_AUTHENTICATED_FULLY }
You can use PUBLIC_ACCESS instead of IS_AUTHENTICATED_ANONYMOUSLY:
access_control:
    - { path: ^/logowanie$, roles: PUBLIC_ACCESS }
best regards ;)
I'm following a few tutorials along with the documentation, but I can't get my provided user in security.yml to log in. Here is my YML file, which provides a username called user and a password userpass, as a simple user.
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
    providers:
        in_memory:
            memory:
                users:
                    user: { password: userpass, roles: ROLE_ADMIN }
    firewalls:
        secured_area:
            anonymous: ~
            pattern: ^/
            form_login:
                check_path: /login_check
                login_path: /login
            logout:
                path: /logout
                target: /
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
    access_control:
        - { path: ^/new, roles: ROLE_ADMIN }
        - { path: ^/create, roles: ROLE_ADMIN }
        - { path: ^/edit, roles: ROLE_ADMIN }
        - { path: ^/delete, roles: ROLE_ADMIN }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
The loginAction is the same from the official documentation:
public function loginAction()
{
    $authUtils = $this->get('security.authentication_utils');
    // Last authentication error, if any, and the last username entered
    $error = $authUtils->getLastAuthenticationError();
    $lastUsername = $authUtils->getLastUsername();
    return $this->render('UserBundle:Login:login.html.twig', array(
        'last_username' => $lastUsername,
        'error' => $error
    ));
}
I don't know what else I should paste here because every view, controller and route works perfectly. The only issue is that whenever I try to log in with that user and password the "BAD CREDENTIALS" message is shown.
Just use the plaintext encoder in order to be able to log in with "userpass" (look at the example below),
or you can encode "userpass" with sha512 and replace "userpass" with the result.
encoders:
    Symfony\Component\Security\Core\User\User: plaintext
This shows you the full example.
You can just pay attention to SecurityController and the security.yml file in the example then work out what else you're missing in your application.
example security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
    providers:
        in_memory:
            memory:
                users:
                    basic:
                        password: $2a$12$Mnp6eUx1AJ5YABwmprcu/OHo21klIpQ/PA7D7PdKx5SA4urdav6/e #basic
                        roles: ROLE_USER
                    admin:
                        password: $2a$12$aRC0GRcjZS9bXfQYlpT8f.JkkrwuK0xZwKuoQ78i1CsErbHtriWLm #admin
                        roles: ROLE_ADMIN
                    super:
                        password: $2a$12$7SeyjOot3/3Ez1c0Dm8W0u/EenNEs8ykOl16D5aKkJkzLEq4lvXP2 #super
                        roles: ROLE_SUPER_ADMIN
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
            security: false
        default:
            anonymous: ~
            http_basic: ~
            form_login:
                login_path: /login
                check_path: /login
            logout:
                invalidate_session: true
                path: /logout
                target: /
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    access_control:
        - { path: ^/backend/superadmin, role: ROLE_SUPER_ADMIN }
        - { path: ^/backend/secret, role: ROLE_SUPER_ADMIN }
        - { path: ^/backend, role: ROLE_ADMIN }
        - { path: ^/country, role: ROLE_USER }
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
I thought I did the settings correctly when I tried going on to the homepage (/) and it redirects me to the login page (/login). However, when I click on navigation menu such as about (/about) and inventory (/inventory), the pages were shown even when I am not logged on. Currently only the homepage is redirecting to login, but I need all pages to redirect to login if users are not signed on.
Here is my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout: true
            anonymous: true
    access_control:
        - { path: ^/$, role: ROLE_USER }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
config.yml:
fos_user:
    db_driver: orm # other valid values are 'mongodb', 'couchdb' and 'propel'
    firewall_name: main
    user_class: Main\UserBundle\Entity\User
Am I missing something?
EDIT: I guess the solution was to get rid of the "$" in the access control.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
Except that with this, after login it will redirect to a blank page that has a URL of /_wdt/(token number). If anyone is having a problem with this, the solution is to insert this setting before "main" in the security.yml firewalls:
dev:
    pattern: ^/(_(profiler|wdt)|css|images|js)/
    security: false
Change your firewall configuration to the following:
access_control:
    - { path: ^/$, role: ROLE_USER }
    - { path: ^/secured, role: ROLE_USER }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
And change your routes for the secured pages to start with /secured.
UPDATE:
You can deny all the routes after / if the user is not logged on by removing the $ in your access control rule:
access_control:
    - { path: ^/, role: ROLE_USER }
However, this will cause a redirect loop when you try to access routes that should be available to anonymous users, like /login or /register.
UPDATE 2
As #user3757305 commented below, - { path: ^/, role: ROLE_USER } can be added at the bottom. Access control rules are applied in the order they appear in the security config. That means that everything above the - { path: ^/, role: ROLE_USER } rule will not be covered by it. So, the following config should work as required:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }
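To make the ordering and anchoring rules concrete (the same first-match behaviour explains the /admin/maintenance/pdf ordering fix and the ^/$ problem in this thread), here is an added Python model of how access_control picks a rule; it is example code, not Symfony's own implementation. The rule lists and attribute sets are constructed from the configs above, and role_hierarchy is deliberately left out.

```python
import re

# Constructed rule lists (example code, not Symfony's implementation).
# RULES_ORDERED mirrors the UPDATE 2 config: specific rules first, ^/ last.
RULES_ORDERED = [
    (r"^/login$",    ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/register",  ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/resetting", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/admin/",    ["ROLE_ADMIN"]),
    (r"^/",          ["ROLE_USER"]),
]
# The question's original config: ^/$ matches only the root path itself.
RULES_ROOT_ONLY = [(r"^/$", ["ROLE_USER"])] + RULES_ORDERED[:4]
# The first UPDATE's variant: the ^/ catch-all placed before /login.
RULES_CATCHALL_FIRST = [RULES_ORDERED[-1]] + RULES_ORDERED[:-1]

# Every request carries IS_AUTHENTICATED_ANONYMOUSLY; a logged-in user
# additionally carries IS_AUTHENTICATED_FULLY and their roles.
ANONYMOUS = {"IS_AUTHENTICATED_ANONYMOUSLY"}
LOGGED_IN_USER = ANONYMOUS | {"IS_AUTHENTICATED_FULLY", "ROLE_USER"}

def first_match(rules, path):
    """Roles required by the first rule whose regex matches the path, or
    None when nothing matches. Only the first matching entry counts; later
    rules are never consulted. re.search is used so that a pattern without
    a leading ^ matches anywhere in the path, as with preg_match."""
    for pattern, roles in rules:
        if re.search(pattern, path):
            return roles
    return None

def decide(rules, path, attributes):
    """'granted' if the request holds any required role, 'denied' otherwise.
    A path no rule matches is not restricted by access_control at all."""
    required = first_match(rules, path)
    if required is None:
        return "granted"
    return "granted" if set(required) & attributes else "denied"

if __name__ == "__main__":
    for path in ("/", "/about", "/login", "/admin/users"):
        print(path, decide(RULES_ROOT_ONLY, path, ANONYMOUS),
              decide(RULES_ORDERED, path, ANONYMOUS))
```

Running it shows /about unmatched (and therefore open) under the ^/$ config, denied to anonymous users under the ordered config, and /login denied to anonymous users as soon as ^/ is moved above it, which is the redirect loop described above.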
I have an application in Symfony2 with 2 roles: ROLE_ADMIN and ROLE_PARTNER. I also have some public pages. All public pages start with the URL "/public/". I want to protect the whole application except these public items.
My current config:
access_control:
    - { path: /.*, role: ROLE_PARTNER|ROLE_ADMIN }
    - { path: /public/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
But it works wrongly (redirect loop).
Change the order:
access_control:
    - { path: ^/public/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: ROLE_PARTNER|ROLE_ADMIN }
The second option is to turn off security for the public section completely:
firewalls:
    public:
        pattern: ^/public/
        security: false
Add:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
See "Common Pitfalls" in http://symfony.com/doc/current/book/security.html#using-a-traditional-login-form