Exclude public pages from access control list - php

I have an application in Symfony2 with 2 roles: ROLE_ADMIN and ROLE_PARTNER. I also have some public pages. All public pages start with the URL "/public/". I want to protect the whole application except these public pages.
My current config:
access_control:
    - { path: /.*, role: ROLE_PARTNER|ROLE_ADMIN }
    - { path: /public/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
But it works wrongly (redirect loop).

Change the order:
access_control:
    - { path: ^/public/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: ROLE_PARTNER|ROLE_ADMIN }
The second option is to turn off security for the public section completely:
firewalls:
    public:
        pattern: ^/public/
        security: false

Add:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
See "Common Pitfalls" in http://symfony.com/doc/current/book/security.html#using-a-traditional-login-form
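The two answers above both rest on the same evaluation rule: Symfony applies the first access_control entry whose `path` regex matches the request path and ignores the rest, and the regex is not anchored unless you write `^`. The following is an added example, not code from the thread or from Symfony itself: a small Python model of that evaluation that audits the questioner's config and the reordered one. The login URL (`/public/login`) and the sample request paths are constructed assumptions; the thread does not say where the login form lives.

```python
import re

# Added example (not from the thread): a small model of how Symfony evaluates
# access_control. Two facts drive the redirect loop in the question:
#   1. each `path` is a regular expression matched against the request path
#      (modelled here with re.search, i.e. unanchored unless you write ^),
#   2. only the FIRST matching rule is applied; later rules are ignored.
ANON = "IS_AUTHENTICATED_ANONYMOUSLY"

# The questioner's config, copied from the thread.
LOOPING_RULES = [
    {"path": r"/.*", "role": "ROLE_PARTNER|ROLE_ADMIN"},
    {"path": r"/public/.*", "role": ANON},
]

# The answer's reordered config, copied from the thread.
FIXED_RULES = [
    {"path": r"^/public/", "role": ANON},
    {"path": r"^/", "role": "ROLE_PARTNER|ROLE_ADMIN"},
]

# Constructed sample request paths; the login URL is an assumption, the
# thread does not say where the login form lives.
SAMPLE_PATHS = ["/public/index", "/public/login", "/dashboard", "/admin/users"]
ASSUMED_LOGIN_PATH = "/public/login"


def first_match(rules, path):
    """Index of the first rule whose regex matches `path`, or None (no rule: access is open)."""
    for i, rule in enumerate(rules):
        if re.search(rule["path"], path):
            return i
    return None


def is_allowed(rules, path, granted):
    """Does a visitor holding the roles in `granted` pass the first matching rule?

    'ROLE_A|ROLE_B' is read as "any of these", the way the thread's config spells
    it; IS_AUTHENTICATED_ANONYMOUSLY is satisfied by everyone, anonymous included.
    """
    i = first_match(rules, path)
    if i is None:
        return True
    required = set(rules[i]["role"].split("|"))
    return bool(required & (set(granted) | {ANON}))


def shadowed_rules(rules, paths):
    """Rules that never win on any sample path: a broader rule earlier in the list hides them."""
    winners = {first_match(rules, p) for p in paths}
    return [i for i in range(len(rules)) if i not in winners]


def login_page_reachable(rules, login_path):
    """An anonymous visitor must be allowed on the login page itself; otherwise every
    denial redirects to a page that denies again, which is the 'looping redirection'."""
    return is_allowed(rules, login_path, granted=[])


def audit(rules, paths, login_path):
    """Summarise a config: role demanded per path, hidden rules, and whether login can loop."""
    required = {}
    for p in paths:
        i = first_match(rules, p)
        required[p] = None if i is None else rules[i]["role"]
    return {
        "required": required,
        "shadowed": shadowed_rules(rules, paths),
        "login_reachable": login_page_reachable(rules, login_path),
    }


if __name__ == "__main__":
    for name, rules in (("looping", LOOPING_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules, SAMPLE_PATHS, ASSUMED_LOGIN_PATH))
```

Running the audit shows the questioner's second rule is never reached (it is shadowed by `/.*`) and that the login page itself demands a role, which is the loop. The reordered config also anchors with `^`, which matters on its own: the unanchored `/public/.*` would have matched a path like `/dashboard/public/x` as well.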

Related

How to make /login route accessible only for anonymous users in Symfony4?

My access_control looks like:
    - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
I need to give access to the route /login only to anonymously authenticated users.
Ok, I found the solution:
    - { path: ^/login, allow_if: 'is_anonymous()' }
Okay, there's a better variant to do this, even with a redirect. First, you need to edit security.yaml with this:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
And then just add this to your SecurityController::login() method:
if ($this->isGranted('ROLE_USER')) {
    return new RedirectResponse(
        $this->generateUrl('index')
    );
}

Catch user group in login flow and remove access to frontend if belongs to certain group

I have an application with frontend and backend sides. Both share the same FOSUserBundle users table. The logic behind the application I'm working on doesn't allow an "admin" (ROLE_ADMIN or group ADMIN) to be logged in at the frontend, so I need to catch in the login flow whether the user belongs to group ADMIN or has ROLE_SUPERADMIN or ROLE_ADMIN credentials. I think this could be done somehow in the Security flow of Symfony2 itself, but how? What do I need to do to catch that and, if the user belongs to it, redirect to the login form (from FOSUserBundle), or otherwise allow it into the frontend? Any help? Some code? Examples?
security.yml file content:
Regarding the answer, this is how my security.yml file is configured:
role_hierarchy:
    ROLE_USER: ROLE_USER
    ROLE_ADMIN: ROLE_ADMIN
access_control:
    # Anonymous area
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/registro, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/cedula, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/rif, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/correo, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/usuario, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/razon_social, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/registro_mercantil, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/padre, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/correo_alternativo, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/paises, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/estados, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ciudades, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/municipios, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/parroquias, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/empresas, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Secured area
    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin, role: ROLE_ADMIN }
But users with ROLE_ADMIN can still log in on the frontend (/) and they shouldn't, right? What's wrong then?
You must know the role hierarchy in your security.yml file.
You don't need to extend the default functionality of FOSUserBundle or Symfony security to achieve that.
For example:
role_hierarchy:
    ROLE_USER: ROLE_USER
    ROLE_CONTENT_MANAGER: ROLE_USER
    ROLE_ADMIN: [ROLE_CONTENT_MANAGER]
    ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
So, the super admin can go anywhere all other groups are allowed. Admin has the rights of content manager. Content manager has the rights of user.
Check your access control in your security.yml file.
access_control:
    - { path: ^/private_directory$, roles: MUST_BE_RIGHT_TO_SEE_HERE }
So, only the role MUST_BE_RIGHT_TO_SEE_HERE can see the private_directory. Any other roles can not.

Define "/inicio" as homepage or workaround routes miss configuration

I have a site with some static pages and I have defined them as follows in the routing_pages.yml file:
index:
    pattern: /inicio
    defaults: { template: 'FrontendBundle:Site:index.html.twig' }
contact_one:
    pattern: /contact_one
    defaults: { template: 'FrontendBundle:Site:contact.html.twig' }
location:
    pattern: /horario
    defaults: { template: 'FrontendBundle:Site:location.html.twig' }
payment:
    pattern: /pagos
    defaults: { template: 'FrontendBundle:Site:payment.html.twig' }
question:
    pattern: /preguntas
    defaults: { template: 'FrontendBundle:Site:question.html.twig' }
questionb:
    pattern: /preguntasb
    defaults: { template: 'FrontendBundle:Site:questionb.html.twig' }
shipping:
    pattern: /politicasenvio
    defaults: { template: 'FrontendBundle:Site:shipping.html.twig' }
warranties:
    pattern: /garantias
    defaults: { template: 'FrontendBundle:Site:warranties.html.twig' }
ml:
    pattern: /ml
    defaults: { template: 'FrontendBundle:Site:forms.html.twig' }
Then in the main routing.yml file I use the resource as:
_paginas:
    resource: routing_pages.yml
    prefix: /
    defaults:
        _controller: FrameworkBundle:Template:template
I'm having some issues trying to access the /app_dev.php|app.php route, with this exception:
No route found for "GET /"
This is due to the configuration I have in access_control at security.yml:
access_control:
    #Security Login/Register/Resetting
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    #Frontend Pages Routes
    - { path: ^/inicio, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/contact_one, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/horario, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/pagos, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/preguntas, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/preguntasb, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/politicasenvio, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/garantias, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ml, role: IS_AUTHENTICATED_ANONYMOUSLY }
    #Login required
    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin/, role: ROLE_ADMIN }
Why did I do it like that? Because the static pages don't need login features, just the admin area does. I tried playing with these two lines by changing them to this:
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
But then when I access app_dev.php|app.php/admin I don't see the login form, why? How do I fix that? Any advice?
If I could define /inicio as the homepage somewhere or somehow then the problem would be fixed, though, but I don't know how to.
You could just define a redirect from "/" to "/inicio" in the routing table:
# redirecting the root
root:
    path: /
    defaults:
        _controller: FrameworkBundle:Redirect:urlRedirect
        path: /inicio
        permanent: true
src: http://symfony.com/doc/current/cookbook/routing/redirect_in_config.html

Symfony2, FOSUserBundle: trouble setting to only registered users are allowed access to all pages

I thought I did the settings correctly when I tried going on to the homepage (/) and it redirects me to the login page (/login). However, when I click on navigation menu such as about (/about) and inventory (/inventory), the pages were shown even when I am not logged on. Currently only the homepage is redirecting to login, but I need all pages to redirect to login if users are not signed on.
Here is my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout: true
            anonymous: true
    access_control:
        - { path: ^/$, role: ROLE_USER }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
config.yml:
fos_user:
    db_driver: orm # other valid values are 'mongodb', 'couchdb' and 'propel'
    firewall_name: main
    user_class: Main\UserBundle\Entity\User
Am I missing something?
EDIT: I guess the solution was to get rid of the "$" in the access control.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
Except with this, after login it will redirect to a blank page that has a URL of /_wdt/(token number). If anyone is having problems with this, the solution is to insert this setting before "main" in the security.yml firewalls:
dev:
    pattern: ^/(_(profiler|wdt)|css|images|js)/
    security: false
Change your firewall configuration to the following:
access_control:
    - { path: ^/$, role: ROLE_USER }
    - { path: ^/secured, role: ROLE_USER }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
And change your routes for the secured pages to start with /secured.
UPDATE:
You can deny all the routes after / if the user is not logged on by removing $ in your access control rule:
access_control:
    - { path: ^/, role: ROLE_USER }
However, this will cause a redirect loop when you try to access routes that should be available to anonymous users, like /login or /register.
UPDATE 2
As #user3757305 commented below, - { path: ^/, role: ROLE_USER } can be added at the bottom. Access control rules are applied in the order they appear in the security config. That means that everything above the - { path: ^/, role: ROLE_USER } rule will not be covered by it. So, the following config should work as required:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }

Symfony2.1/FOSUserBundle - change the login form route to the homepage route (path: /)

I have a Symfony 2.1 project using FOSUserBundle. The bundle is installed correctly. All the functionalities work properly using the default /login form.
But now I want to change the login form route to be the same as the homepage (path: /).
I tried:
changing the security.yml - login_path:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /
        logout: true
        anonymous: true
and the access_control to:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
When I try to access the homepage it enters an infinite redirect (I assume):
The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
I also couldn't find anything to troubleshoot this behaviour in the FOSUserBundle documentation.
In short: I want the first page to act as the login page.
You have a redirect loop.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
    - { path: ^/*, role: ROLE_USER } #5
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY } #6
This happens because first, in #5, you are telling access control that the path requires ROLE_USER BEFORE you tell it that it also allows IS_AUTHENTICATED_ANONYMOUSLY (both the 5th and 6th rules match).
Access control is order sensitive; the rules apply in the order they are defined. Try:
access_control:
    - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY } # NOTE THE $
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
I moved the rule
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
to the beginning so it matches before
    - { path: ^/*, role: ROLE_USER }
I think you should change in your security.yml:
login_path: / to login_path: /login
And your access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
Hope this helps!
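The anchors inside the `path` patterns explain both of the last two threads: `^/$` in the FOSUserBundle thread covers only the homepage, leaving /about and /inventory unprotected, while `^/*` in this thread matches every path (zero or more slashes at the start), so rule #5 captures "/" before rule #6 can allow it anonymously. The following is an added example, not code from either thread or from Symfony: it evaluates the three configs as unanchored regexes, the way Symfony's request matcher does (modelled with re.search), over constructed sample paths. The sample paths and the login path "/" are assumptions taken from the threads' own descriptions.

```python
import re

# Added example (not from either thread): what the regex anchors in an
# access_control `path` actually select. Symfony matches the pattern against
# the request path as an unanchored regular expression (modelled here with
# re.search), so the difference between ^/$, ^/ and ^/* decides which rule wins.
ANON = "IS_AUTHENTICATED_ANONYMOUSLY"

# Constructed sample request paths for a FOSUserBundle-style site.
SAMPLE_PATHS = ["/", "/login", "/register", "/about", "/inventory", "/admin/users"]

# The questioner's ordering from this thread (copied), with login_path set to "/".
QUESTION_RULES = [
    {"path": r"^/login$", "role": ANON},
    {"path": r"^/register", "role": ANON},
    {"path": r"^/resetting", "role": ANON},
    {"path": r"^/admin/", "role": "ROLE_ADMIN"},
    {"path": r"^/*", "role": "ROLE_USER"},
    {"path": r"^/", "role": ANON},
]

# The accepted answer's ordering (copied): an anonymous "^/$" rule moved to the front.
ANSWER_RULES = [{"path": r"^/$", "role": ANON}] + QUESTION_RULES[:5]

# The FOSUserBundle thread's first attempt (copied): "^/$" protects only "/".
DOLLAR_ONLY_RULES = [
    {"path": r"^/$", "role": "ROLE_USER"},
    {"path": r"^/login$", "role": ANON},
    {"path": r"^/register", "role": ANON},
    {"path": r"^/resetting", "role": ANON},
    {"path": r"^/admin/", "role": "ROLE_ADMIN"},
]


def matching_paths(pattern, paths):
    """Which sample paths a single access_control pattern selects."""
    return [p for p in paths if re.search(pattern, p)]


def required_role(rules, path):
    """Role demanded by the first matching rule, or None when no rule matches (open access)."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule["role"]
    return None


def unprotected(rules, paths):
    """Sample paths that no rule covers at all, i.e. reachable without logging in."""
    return [p for p in paths if required_role(rules, p) is None]


def anonymous_loop_on(rules, login_path):
    """True when the login page itself demands a real role: an anonymous visitor is
    redirected there and denied again, which the browser reports as redirecting
    'in a way that will never complete'."""
    return required_role(rules, login_path) not in (None, ANON)


if __name__ == "__main__":
    for pattern in (r"^/$", r"^/", r"^/*"):
        print(pattern, "->", matching_paths(pattern, SAMPLE_PATHS))
    print("question config loops on '/':", anonymous_loop_on(QUESTION_RULES, "/"))
    print("answer config loops on '/':", anonymous_loop_on(ANSWER_RULES, "/"))
    print("unprotected with ^/$ only:", unprotected(DOLLAR_ONLY_RULES, SAMPLE_PATHS))
```

The same model also shows why the FOSUserBundle thread's final fix (dropping the `$` and moving `^/` to the bottom) works: `^/` covers every remaining path, so nothing is left open, while the anonymous rules listed above it still win for /login, /register and /resetting.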
