Symfony, redirecting depending on a variable - symfony

I'm building a shop system at the moment. Using Symfony+CommerceTools as backend and Twig as frontend.
What I want to achieve:
In store A, called with a.store.com, you should always be redirected to the /login page if you aren't logged in yet. This store can only be used when logged in.
In store B, called with store.com, you can access anything without being logged in.
Right now, anyone can access everything. That's right for store B.
I could add a rule to the security.yaml that redirects to /login if not logged in; that would work for store A.
But I need a solution that has both, depending on a variable in commerceTools.

So if you have logins set up this is quite straightforward using roles in Symfony. If you don't have a login form set up yet, check out this Symfony login guide.
To use roles you will have to ensure you have your security system set up which is in this Symfony Security guide - Note this will need to be set up first if you intend to use the Symfony login forms I linked to first.
The bit you need in particular to restrict access to certain sections of your site is Section 4) Denying Access, Roles and other Authorization in the above guide.
Essentially in your User entity class you have roles set to your users. Then, my preferred way of securing certain parts of your site would be by adding role requirements into the controllers for the views you want to secure, for example:
// src/Controller/ShopAController.php
// ...
public function shopA(): Response
{
    // Throws AccessDeniedException for anonymous users; the firewall turns that into a redirect to the login form
    $this->denyAccessUnlessGranted('ROLE_USER');

    return $this->render('shop_a/index.html.twig');
}
You will notice when setting up the security system, that there are settings to give any registered users the role of ROLE_USER, so you can use this to secure parts of your site to only registered users, or you could create a new role such as ROLE_CUSTOMER or something.
If a non-logged-in user tries to access this secured view, they will be redirected to the login page.
Then for the views of your site you want anyone to be able to access you simply don't set any role access rules in those controllers.
This avoids needing to add URL paths to your security.yaml as you wanted as well.
I hope this was helpful! Give it a try and follow the Symfony tutorials I linked, they're very easy to follow :)
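The controller check above protects one action at a time. For the host-dependent rule in the question (store A members only, store B open), an added example that is not part of the original answer is a kernel.request subscriber that decides per host whether an anonymous visitor is redirected to the login form. The CommerceTools lookup is replaced by a host-to-flag array bound in services.yaml; that binding, the route name app_login and Symfony 6.2+ (for Symfony\Bundle\SecurityBundle\Security) are assumptions.

```php
<?php
// src/EventSubscriber/StoreLoginRequiredSubscriber.php
// Added example: per-host login requirement decided at request time rather than
// in every controller. The store flag comes from an array injected from
// services.yaml (assumed); in the real project it would come from CommerceTools.

namespace App\EventSubscriber;

use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

final class StoreLoginRequiredSubscriber implements EventSubscriberInterface
{
    /** Paths that must stay reachable anonymously, otherwise the login form itself redirects in a loop. */
    private const OPEN_PATHS = ['/login', '/logout'];

    /**
     * @param array<string, bool> $storeRequiresLogin host => true when the store is members-only (assumed binding)
     */
    public function __construct(
        private readonly Security $security,
        private readonly UrlGeneratorInterface $urlGenerator,
        private readonly array $storeRequiresLogin,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Default priority (0) runs after the firewall listener (priority 8),
        // so the security token is available when we ask for the user.
        return [KernelEvents::REQUEST => 'onKernelRequest'];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        $host = $request->getHost();

        // Store B (and any host not listed): open to everyone, nothing to do.
        if (!($this->storeRequiresLogin[$host] ?? false)) {
            return;
        }

        // Never intercept the login/logout routes of a members-only store.
        if (in_array($request->getPathInfo(), self::OPEN_PATHS, true)) {
            return;
        }

        // Already authenticated on this host: let the request through.
        if ($this->security->getUser() !== null) {
            return;
        }

        // Anonymous visitor on a members-only host: send them to the login form.
        // 'app_login' is the route name make:auth generates; adjust if yours differs.
        $event->setResponse(new RedirectResponse($this->urlGenerator->generate('app_login')));
    }
}

// config/services.yaml (assumed binding of the host flags):
//
// services:
//     App\EventSubscriber\StoreLoginRequiredSubscriber:
//         arguments:
//             $storeRequiresLogin:
//                 'a.store.com': true
//                 'store.com': false
```

Because the redirect is issued before the controller runs, store A never serves a page to an anonymous visitor, while store B keeps the open behaviour; the per-action denyAccessUnlessGranted calls from the answer still apply on top for pages that need a specific role.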

Related

mvc authentication with multiple roles

I am building an mvc application with owin authentication. I am storing both users and admins in one table (Users). The application works in a way where the admin can also be a user (different views for admin vs user).
I am thinking of the following options but I am not sure if it is the correct approach:
Once the admin logs in, ask them if they want to use the application as a user or admin and redirect them based on that
Have two records, one as a user and another as an admin (only if nothing else works)
Is there a better solution?
The admin user by default is a privileged user, hence he should by default be shown admin pages. Similarly for the user.
However, as you mentioned, we can have a preview link which can render the page in a user mode if admin opts to.
Also, have a page where we can add / remove the roles for any user by the admin.
You may also have a user setting persisted in db to know the user's default view preference.

what is the best practice for implementing only one user (Admin) in mvc 4 web application

I want my website to be seen by anonymous users, and I don't want it to have a login/register user part.
I just need one user as administrator, and its username and password are chosen manually.
What is the best practice to implement this login part (the website has only one user forever)?
My question is how to implement this one-user login part: where to store the username and password, and does it need a table in the database?
For me - if you're having such a simple system, then merely storing the username / pwd in the web.config is fine.
I'd create a helper class to wrap up talking to the config file (ConfigurationManager.AppSettings on MSDN) and use and evaluate a simple "logon" action.
No table needed.
Finally - make sure you add the AuthorizeAttribute to your controller that will be doing the admin actions...
HTH
Simplest way - just delete the controller and the view responsible for registering new users, change the routing to the login page and you're set.

Allow an user to be both "User" and "Admin" roles

I am having a problem and would like to know if someone has a suggestion. On a site I am developing, I was using Asp.net Simple Membership but now I am migrating to Asp.net Identity 2. I have 2 roles: "User" and "Admin". The admin can do admin stuff, configuration, database management, etc. But cannot do "user things". So, the admin is not a "super user" - it only has a different function.
The problem I am facing is that the unique identifier for the user is their email. So, if someone wants to use the system all by himself he has to create 2 accounts (one admin and one user), so he has to have 2 emails. This is a problem. I could easily add both "user" and "admin" roles to that users but that would make the system harder to use for the "user" role and I would like to avoid this.
I use roles to authorize routes on the server (MVC and web api) and to basic (like hide elements) things on the UI (SPA), so, it is already part of the system - but I am willing to change it, if necessary.
I was thinking in doing something like this:
When the user is configured to be an administrator, every time he logs on, I ask if he wants to be an admin or user on this session.
If he chooses "user", I set a user role for him and log in.
If he chooses "admin", I set an "admin" role for him and log in.
What do you think about that? Does someone have a better idea? This feels like a hack and hacks do not go well with security :/
I see a problem with that - sometimes I need to send emails to admins (when they are offline). With this, I cannot rely on the UserRole table only; I will always have to check the User.IsAdministrator flag too. It is not a big problem but adds a small complexity to things.
You need to use roles for this. A user can be a member of several roles at once, so you can have a user that is a member of the 'user' role, a user that is a member of the 'admin' role, or a user that is a member of both the 'user' and 'admin' roles.
You have already suggested this idea and this is how I would do it. If you then wanted to control what they could see (so that an 'admin' member could only see stuff that normally a 'user' role user can see), then you could have a drop down on any form (or put it on your master page) that allows the user to turn the admin stuff on and off; you can then remember their selection in the session object and refer to that each time the page loads. e.g.
If User.IsInRole("Admin") AndAlso IsNothing(Session("HideAdmin")) Then
    ' Show admin stuff: the user holds the Admin role and has not chosen to hide it for this session
End If
Or something similar.
This type of problem is solved at database design time, not at development time. You have few choices; the best I see is to create a third user who will have both rights.

Symfony2: How to redirect on a specific page when user is not allowed to access a url pattern

I'm trying to figure out how to redirect a user that doesn't have a valid subscription running to a certain page (which in my case is the payment page).
I know I could do that by putting a isGranted check in all my actions, but I don't like this solution as it seems to be a big waste of time given the amount of actions I have.
I've looked on the firewall.access_denied_url parameters, but I don't want to link AccessDenied to the payment page because, for example, admin page access is denied to any user that hasn't the ROLE_ADMIN, and being redirected to the payment page doesn't make any sense.
I already have a voter that checks if a user is valid or not and grants access in that case, but how could I manage to use this voter when a user tries to reach a certain pattern and redirect him/her when access is denied?
Thanks in advance!
In app/config/security.yml add under security:
access_denied_url: /foo/error403
Symfony will then redirect all pages which user cannot access to /foo/error403 page.
You can use JMSAopBundle.
From documentation:
This bundle adds AOP capabilities to Symfony2.
If you haven't heard of AOP yet, it basically allows you to separate a cross-cutting concern (for example, security checks) into a dedicated class, and not having to repeat that code in all places where it is needed.
In other words, this allows you to execute custom code before, and after the invocation of certain methods in your service layer, or your controllers. You can also choose to skip the invocation of the original method, or throw exceptions.
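The question asks for a redirect that applies only to the subscription-protected URL pattern, not to every AccessDeniedException. An added example that is not part of either answer above: Symfony's per-firewall access_denied_handler receives the request together with the exception, so it can send subscription refusals on the paid section to the payment page and leave every other denial (for instance a failed ROLE_ADMIN check) as a normal 403. The /premium prefix, the route name app_payment and the firewall name are assumptions.

```php
<?php
// src/Security/SubscriptionAccessDeniedHandler.php
// Added example: route only the subscription-related denials to the payment page.
// The voter from the question still decides access; this class only decides
// what the user sees once access has been refused.

namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;

final class SubscriptionAccessDeniedHandler implements AccessDeniedHandlerInterface
{
    /** URL prefix guarded by the subscription voter (assumed; match it to your access_control pattern). */
    private const PAID_PREFIX = '/premium';

    public function __construct(private readonly UrlGeneratorInterface $urlGenerator)
    {
    }

    public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
    {
        // Only the paid section sends the user to the payment page.
        if (str_starts_with($request->getPathInfo(), self::PAID_PREFIX)) {
            return new RedirectResponse($this->urlGenerator->generate('app_payment'));
        }

        // Returning null leaves the exception to Symfony's normal 403 handling,
        // so an admin-page refusal is still a plain "access denied".
        return null;
    }
}

// config/packages/security.yaml (assumed firewall name 'main'):
//
// security:
//     firewalls:
//         main:
//             access_denied_handler: App\Security\SubscriptionAccessDeniedHandler
```

Two points worth knowing when wiring this up: once access_denied_handler is set on a firewall it takes precedence over access_denied_url for that firewall, and anonymous visitors never reach the handler, because the firewall starts authentication (the login redirect) before treating the exception as a denial for an authenticated user.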

ASP.NET Membership - Two providers on site

Our site has got two ASP.NET membership providers: the built-in one, and a custom one (SqlMembershipProvider).
I am able to log into both with no problems, but I don't necessarily require the ability to have both logged in at the same time.
The issue I have is as follows:
User "person_a#site.com" logs into the built in provider. They then navigate to the section of the site where we require the custom provider.
On this page, I can check if they are authenticated, and get their username (HttpContext.Current.User.Identity.Name). I can then get a MembershipUser object from the custom provider's GetUser method.
It is possible (and very likely) that the username "person_a#site.com" could also exist in the users for the custom provider.
But, I don't want them to be logged in here, as they haven't authenticated against the custom provider.
So, is it possible to check which provider HttpContext.Current.User was generated from?
Hope this all makes sense!!
Yes, if you notice on the RolePrincipal there is a property called ProviderName.
Typically when people roll their own providers they omit usage of this field.
In your case, simply modify your custom provider to identify itself, if it does not already, and check that property of the user.