I'm working with FOSUserBundle, and now I'm trying out the roles and access control.
I tried to create a new role, change the role of one of my users, then access a page with restricted access.
security.yml:
security:
    encoders:
        FN\UserBundle\Entity\User: sha512
    role_hierarchy:
        ROLE_USER_CONFIRMED: ROLE_USER
        ROLE_ADMIN: [ROLE_USER, ROLE_USER_CONFIRMED]
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_USER_CONFIRMED, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        main:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main_login:
            pattern: ^/login$
            anonymous: true
        main:
            pattern: ^/
            anonymous: true
            provider: main
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                always_use_default_target_path: false
                default_target_path: /client/home
                target_path_parameter: _target_path
                use_referer: false
            logout:
                path: fos_user_security_logout
                target: /home
            remember_me:
                key: '%secret%'
    access_control:
        - { path: ^/client, roles: ROLE_USER_CONFIRMED }
        - { path: ^/admin, roles: ROLE_ADMIN }
I changed the roles of my user with $user->setRoles(array('ROLE_USER_CONFIRMED'));
In my database, the user's role changed fine, but when I click on the user in the FOSUserBundle toolbar, my user stays in ROLE_USER, and when I go to the page "xxx/client/home", I get an ACCESS DENIED page.
Do you have any idea why the role is changed correctly in my database, but I can't open the page?
Did you have the user log out and then log back in? Roles get pulled and saved as part of the session upon logging in, so if you applied the role while the user was logged in on a machine, the user would not see that reflected on that machine until they logged out and then logged back in.
I have a page with form login and "remember me" functionality enabled. Unfortunately, the "remember me" won't work.
The security panel doesn't show any authenticators. Interestingly, after closing the browser and trying to get to the page again, the security panel shows the correct authenticated user, but it always redirects to the login page.
Can anybody help?
Here is part of my security.yml:
security:
    enable_authenticator_manager: true
    role_hierarchy:
        ROLE_SUPPORT: ROLE_USER
        ROLE_ADMIN: [ROLE_SUPPORT, ROLE_ALLOWED_TO_SWITCH]
    password_hashers:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
        App\Entity\User:
            algorithm: auto
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            form_login:
                login_path: login
                check_path: login
                enable_csrf: true
            logout:
                path: /logout
                target: /
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
    access_control:
        - { path: ^/public, roles: PUBLIC_ACCESS }
        - { path: ^/others, roles: IS_AUTHENTICATED_FULLY }
Thanks in advance
UPDATE
With lazy: true, the security panel now shows authenticators.
Unfortunately, IS_AUTHENTICATED_REMEMBERED is missing in the access_control section.
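A corrected version of the firewall and access_control above, added here as an illustration; it is not code from the original post. It keeps the same class, route and path names; the ^/account/password path is a hypothetical example of a sensitive area. The point it shows: a visitor who comes back on a remember-me cookie only holds IS_AUTHENTICATED_REMEMBERED, never IS_AUTHENTICATED_FULLY, so a rule that demands FULLY for the ordinary pages sends every returning user straight back to the login form. FULLY belongs only on the few actions where a fresh password entry is wanted.

```yaml
security:
    enable_authenticator_manager: true
    password_hashers:
        App\Entity\User:
            algorithm: auto
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            # With the authenticator manager there is no "anonymous" option;
            # lazy: true lets public pages be served without loading the user.
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: login
                check_path: login
                enable_csrf: true
            logout:
                path: /logout
                target: /
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                # The login form must submit a _remember_me field, or set
                # always_remember_me: true to issue the cookie unconditionally.
    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/public, roles: PUBLIC_ACCESS }
        # Wrong for this firewall: a remember-me cookie never satisfies
        # IS_AUTHENTICATED_FULLY, so every returning visitor is redirected to /login.
        # - { path: ^/others, roles: IS_AUTHENTICATED_FULLY }
        # Correct: IS_AUTHENTICATED_REMEMBERED accepts both a fresh form login
        # and a remember-me cookie.
        - { path: ^/others, roles: IS_AUTHENTICATED_REMEMBERED }
        # Hypothetical path: require a real password entry only where it matters.
        - { path: ^/account/password, roles: IS_AUTHENTICATED_FULLY }
```

The three attributes form a ladder: PUBLIC_ACCESS is granted to everyone, IS_AUTHENTICATED_REMEMBERED to anyone with a session or a valid remember-me cookie, and IS_AUTHENTICATED_FULLY only to a user who entered credentials in this session. Putting FULLY on a path that a remembered user visits first is the usual cause of the "authenticated in the profiler, yet redirected to login" symptom described above.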
I have a Symfony 2.8 web app built like an API, with FOSUserBundle for the user entities and FOSOAuthServerBundle for authentication.
My security.yml is this:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true
        api:
            pattern: ^/v1
            fos_oauth: true
            stateless: true
            switch_user_stateless: true
            anonymous: false
    access_control:
        - { path: ^/v1/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/v1/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/v1, role: IS_AUTHENTICATED_FULLY }
I can register a user and log in, getting the access_token correctly, but when I try to access any endpoint of my API, I can access it without logging in.
Even if I set the right access token in the headers, when I do $this->getUser() I get null, because at no point is my app doing the authentication check.
Any idea? I have made different APIs and never had this problem.
Thanks!
I encountered a problem with role promotion in Symfony 3, as the title suggests.
The error is simple:
Expression "has_role('ROLE_ADMIN')" denied access.
I promoted the user with
php bin/console fos:user:promote (etc.),
resulting in:
a:1:{i:0;s:10:"ROLE_ADMIN";}
in the database.
I also put an annotation on one of my controller methods:
/**
 * @Security("has_role('ROLE_ADMIN')")
 */
And my security.yml looks like this :
security:
    encoders:
        MR\UserBundle\Entity\User: sha512
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        main:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main_login:
            pattern: ^/login$
            anonymous: true
        main:
            pattern: ^/
            anonymous: true
            provider: main
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
            logout:
                path: fos_user_security_logout
                target: /
            remember_me:
                secret: '%secret%'
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Do not bother with the visible increments; they are a mere effect of my copy-paste.
I hope I did not miss an obvious point, but I'd prefer that to a nothing-solved case.
Thanks in advance
@K.F "it worked in the morning" => I also had this issue on SF 3.x. It was not a cache problem. It was simply because I had to disconnect and reconnect to apply the new roles to my user.
I know it wasn't your problem, but I solved mine after I realized that I had made a mistake in my user promotion... I didn't add ROLE_ADMIN but only ADMIN... rookie mistake.
I have a problem using LdapBundle with both database and LDAP authentication.
I've tried to do it like this:
My security.yml:
security:
    encoders:
        IMAG\LdapBundle\User\LdapUser: plaintext
        Sermeta\HomeBundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        multiples:
            chain:
                providers: [administrators, ldap]
        ldap:
            id: imag_ldap.security.user.provider
        administrators:
            entity: { class: "SermetaHomeBundle:User", property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_firewall:
            pattern: ^/login$
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                provider: multiples
            logout:
                path: /logout
                target: /home
        secured_area:
            pattern: ^/
            # the two imag_ldap blocks of the original paste are merged into one;
            # a duplicated key is not valid YAML and only one of them would be read
            imag_ldap:
                check_path: login_check
                login_path: login
                provider: multiples
            logout:
                path: /logout
                target: /home
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

imag_ldap:
    client:
        host: myipadress
        port: 389
        skip_roles: true
        bind_username_before: true
    user:
        base_dn: dc=mydc,dc=fr
        name_attribute: uid
But when I test this, I can log a user in with the database password, but when I try with the LDAP password I get a "Bad Credentials" error. (Seems logical if it only checks the database :/)
According to the bundle documentation I put "bind_username_before: true", but it doesn't seem to check it.
(I need database authentication to get the user roles (once I am finished with this #!* authentication ...))
In an application I am developing, I'm having a weird issue with the access control of the security component.
I use FOSUserBundle (of course) for users, and I copied the example access control rules from the bundle documentation into my security.yml. The login screen (/login) works perfectly, but the issue is that all other access control rules have absolutely no effect whatsoever. When a user goes to /register, for example, he is redirected to /login; the same goes for /resetting.
This is my security.yml file:
jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/api
            anonymous: false
            form_login: false
            provider: fos_userbundle
            http_basic:
                realm: "REST Service Realm"
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: ~
            switch_user: { role: ROLE_SUPER_ADMIN, parameter: _impersonate }
    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/superadmin/, role: ROLE_SUPER_ADMIN }
I have tried to turn off security for the paths containing /resetting and /register, but that clearly won't work, since the security token still needs to be available for the FOSUserBundle controllers.
Any help would be much appreciated!
It might be to do with the order of the access_control; try putting superadmin above the others. You also don't seem to have a secured_area section (like this example from "Symfony2 access control redirects to login"):
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
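To make the ordering point in the answer concrete, here is an added illustration (not code from the question or the answer) of how Symfony evaluates access_control: the rules are walked top to bottom and the first one whose path regex matches the request decides; nothing below it is consulted. Ordering therefore only matters between rules whose patterns overlap. In the configuration in the question, ^/superadmin/ and ^/login never match the same path, so swapping them changes nothing, whereas a catch-all ^/ rule placed above the anonymous rules would shadow all of them and produce exactly the "everything redirects to /login" symptom. The paths are the ones from the question; the ^/ rule is a hypothetical addition.

```yaml
security:
    access_control:
        # Broken ordering: ^/ matches every request, so the anonymous rules for
        # /login, /register and /resetting below it are never reached, and an
        # unauthenticated visitor is bounced to the login form from all of them.
        # - { path: ^/,          roles: ROLE_USER }
        # - { path: ^/login,     roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/register,  roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }

        # Working ordering: most specific patterns first, catch-all last.
        - { path: ^/login,       roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register,    roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting,   roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/superadmin/, roles: ROLE_SUPER_ADMIN }
        # Hypothetical catch-all; with the role_hierarchy from the question,
        # ROLE_SUPER_ADMIN implies ROLE_ADMIN implies ROLE_USER, so admins pass too.
        - { path: ^/,            roles: ROLE_USER }
```

Two details worth keeping in mind when reading such a list: IS_AUTHENTICATED_ANONYMOUSLY is satisfied by every token, including a logged-in user, so it never locks anyone out of /login; and because the firewall's anonymous option is what creates the anonymous token in the first place, a firewall without it (like the api one in the question) rejects unauthenticated requests before access_control is even reached.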
The problem was that another bundle was messing with each request, checking whether the user was logged in or not. If the user wasn't logged in, a redirect response to the login page was generated.
No idea why this was done; I think it comes from an era when the original authors had less experience with Symfony.
But so it proves again: always check the logs. Very thoroughly.