Setting up security for each src folder in Symfony - symfony

I am trying to set up security per folder under src/ in Symfony. I want a different set of security rules for the main folders "General" and "Intranet" without having to prefix the routes, so I only have to prefix "Extranet".
Is that possible? I know that with a prefix in routing.yml it is very easy to do, but that is not an option since the visible URLs would suddenly change.
The problem arises when we have to allow external users onto our platform. For years it was available only to the company's employees, but now external people must have access to certain pages. And some general routes (ajax calls etc.) must be available for all.
src/
    Intranet/        => Open routes for internal users
        SomeBundle
        ...
    General/         => Open routes for all users
        AnotherBundle
        ...
    Extranet/        => Open routes for external users
        TheBestBundle
        ...
Then the Extranet routes all get an extra prefix /extranet/. But I would like to have the other two (General and Intranet) without any prefix.
# routing.yml
extranet:
    resource: "@ExtranetBundle/Controller/"
    prefix: /extranet/
Then with access control I take care of the /extranet routes.
access_control:
    # Login and the base route "/" are always available
    - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # External users + super admins + server IPs can only access URLs starting with /extranet/
    # (^/extranet/* would also match /extranet-other; the trailing slash alone is enough)
    -
        path: ^/extranet/
        roles: [ROLE_EXTERNAL_USER, ROLE_SUPER_ADMIN]
        ips: !php/const:SomeBundle\SomeClass\ConstantProvider::ALLOWED_SERVER_IPS
    # Some routes need to be available for both internal and external users,
    # but hopefully without having to prefix them
    ...
    # All other routes are only for internal users and the right IP addresses
    -
        path: ^/
        role: ROLE_INTERNAL_USER
        ips: !php/const:SomeBundle\SomeClass\ConstantProvider::ALLOWED_SERVER_IPS
    # "ips" is a matching condition: a request from any other IP matches none of the
    # rules above and would be allowed, so deny everything that falls through
    - { path: ^/, roles: ROLE_NO_ACCESS }
Or maybe an idea of approaching this problem differently?

I think the best approach is to use a voter. External users need to have a unique role (EXTERNAL_ROLE); then you can use a voter to deny the resources you want to protect: https://symfony.com/doc/current/security/voters.html. This way you can protect a resource based on the logic, not on the folder.
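An added example, not code from the question or the answer, of enforcing the folder rules of the question without a URL prefix: a kernel.controller subscriber reads the area from the resolved controller's namespace and checks the role that area requires, so the rule follows the code, not the path regex. The namespaces App\Intranet and App\Extranet, the class name and PHP 8 are assumptions taken from the question's layout.

```php
<?php
// Added example (not from the question or the answer). Assumes Symfony 5.4+/6,
// PHP 8 and controllers under App\Intranet, App\General and App\Extranet.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class AreaAccessSubscriber implements EventSubscriberInterface
{
    // Namespace prefix => role required for every controller under it.
    // "General" is deliberately absent: it stays open to all users.
    // ROLE_SUPER_ADMIN reaches the extranet through role_hierarchy.
    private const AREA_ROLES = [
        'App\\Intranet\\' => 'ROLE_INTERNAL_USER',
        'App\\Extranet\\' => 'ROLE_EXTERNAL_USER',
    ];

    public function __construct(private AuthorizationCheckerInterface $auth) {}

    public static function getSubscribedEvents(): array
    {
        // Fires after routing resolved the controller and after the firewall
        // authenticated the request, but before the controller runs.
        return [KernelEvents::CONTROLLER => 'onController'];
    }

    public function onController(ControllerEvent $event): void
    {
        $controller = $event->getController();
        // Controllers arrive as [$object, 'method'], an invokable object,
        // or a "Class::method" string; closures resolve to "Closure" and match nothing.
        $target = \is_array($controller) ? $controller[0] : $controller;
        $class = \is_object($target) ? $target::class : (string) $target;

        foreach (self::AREA_ROLES as $prefix => $role) {
            if (!str_starts_with($class, $prefix)) {
                continue;
            }
            // Fail closed: whatever the URL looks like, nothing under a protected
            // namespace executes without the area's role.
            if (!$this->auth->isGranted($role)) {
                throw new AccessDeniedException(sprintf('%s requires %s', $prefix, $role));
            }
            return;
        }
    }
}
```

With autoconfigure enabled the subscriber is registered automatically; the /login rule and the IP restrictions stay in access_control as before.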

Related

Symfony 6 trouble with access_control - is_authenticated_fully etc

# set hierarchy for roles?
role_hierarchy:
    # give admin also the roles inside the array.
    ROLE_ADMIN: [ROLE_USER]

# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
    #- { path: ^/admin, roles: ROLE_ADMIN }
    # Unless the path is login, the user must be authenticated anonymously.
    # This means the only page accessible anonymously is the login page.
    - { path: ^(/(login|register)), roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # can visit any other path if authenticated fully
    - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
This simple code doesn't seem to work. I cannot visit login or register anonymously. I know the IS_AUTHENTICATED_FULLY part is working as when I comment it out (and I am signed out, aka authenticated anonymously) I can visit other paths other than login and register.
Even when I simply do:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
It doesn't work and I cannot visit /login. What am I doing wrong?
I have been using this video as a guide: https://youtu.be/XjbIDOIoXTo?t=4211
Symfony 5.3 has deprecated the old authentication mechanism along with the Guard component (see https://symfony.com/blog/new-in-symfony-5-3-guard-component-deprecation). The new system doesn't "authenticate" users by default with IS_AUTHENTICATED_ANONYMOUSLY.
Anonymous users no longer exist.
You now must use PUBLIC_ACCESS, as @Bossman specified in a comment: https://symfony.com/doc/current/security.html#allowing-unsecured-access-i-e-anonymous-users
The video in your link clearly states that it was recorded using Symfony 5.2:
NOTICE - THIS SERIES WAS RECORDED USING SYMFONY 5.2. THERE HAVE BEEN SOME MINOR CHANGES AND SOME CLASSES HAVE SINCE BEEN REMOVED. YOU WILL STILL BE ABLE TO FOLLOW THIS TUTORIAL BUT YOU WILL NEED TO COMBINE IT WITH THE DOCUMENTATION IN SOME PARTS.

How to boost my application security?

I have an application built with the Symfony framework. I have users with particular rights; if they don't have the right to access a page, I must block them, but users can still access the page by modifying the URL. For example, they have the right to access this URL:
dialog/campany/sms/fid/setting/new
and they don't have the right to access this URL:
dialog/campany/mail/fid/setting/new
but they can by replacing sms with mail.
You have to check out how your security.yml is configured and control access from there. If you need information about it you can visit: http://symfony.com/doc/current/security/access_control.html.
Also, you could control access by making a function that checks the user's credentials before giving access to a given page.
Supposing that ROLE_SMS can only access dialog/campany/sms/ and ROLE_MAIL can only access dialog/campany/mail/:
In app/config/security.yml you should have:
security:
    access_control:
        - { path: ^/dialog/campany/sms/, roles: ROLE_SMS }
        - { path: ^/dialog/campany/mail/, roles: ROLE_MAIL }
If you only want to limit the /new URL, you can change the path to:
        - { path: ^/dialog/campany/sms/fid/setting/new$, roles: ROLE_SMS }
        - { path: ^/dialog/campany/mail/fid/setting/new$, roles: ROLE_MAIL }
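An added example, not code from either answer, showing the voter approach the first answer recommends applied to this question: a voter maps the channel segment of the URL (sms or mail) to the role allowed to use it, and the controller asks the voter before doing anything, so swapping sms for mail in the URL is refused even if someone forgets an access_control line. The class names, the {channel} route parameter, Symfony 5.4+/6 and PHP 8 are assumptions.

```php
<?php
// Added example (not the answers' own code). Assumes Symfony 5.4+/6, PHP 8 and a
// route such as /dialog/campany/{channel}/fid/setting/new with a {channel} parameter.
namespace App\Security\Voter;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class CampaignChannelVoter extends Voter
{
    public const ATTRIBUTE = 'CAMPAIGN_CHANNEL';

    // URL channel segment => role that may use it. Anything else is denied.
    private const CHANNEL_ROLES = ['sms' => 'ROLE_SMS', 'mail' => 'ROLE_MAIL'];

    // The decision manager honours role_hierarchy; $token->getRoleNames() would not.
    public function __construct(private AccessDecisionManagerInterface $decisionManager) {}

    protected function supports(string $attribute, $subject): bool
    {
        // Only vote on our attribute with a string channel as the subject.
        return $attribute === self::ATTRIBUTE && \is_string($subject);
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        $role = self::CHANNEL_ROLES[$subject] ?? null;
        // Fail closed: an unknown channel never grants access, a known one
        // only if the current token carries (or inherits) its role.
        return $role !== null && $this->decisionManager->decide($token, [$role]);
    }
}

// In the controller method for that route (extends AbstractController), before any work:
//     $this->denyAccessUnlessGranted(CampaignChannelVoter::ATTRIBUTE, $channel);
// This throws AccessDeniedException (HTTP 403) when the voter says no.
```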

how to set up a multi-domain multi-language in symfony2

I am working on a project that is expanding and needs to support multi-domain and multi-language.
I find that the way the standard routing is managed does not cover the project's needs in an efficient way.
I found this: https://github.com/alexandresalome/multisite-bundle
I find it good but I see the following drawbacks:
1) The bundle does not have much activity.
2) The routing is set up at Controller/annotation level instead of in a yml file, which makes the project hard to maintain.
Do you know any bundle/strategy based on symfony2 for this need? Thanks a lot!
That doesn't solve the problem.
This is my scenario:
I have a parameter where I set up several hosts: landing_hosts, separated by "|".
I have some landings that are only valid for those hosts, routing: landings.
When a request comes in, I can't see any way to dynamically set the current host for the defaults => hosts entry.
I am forced to specify one, which is %domain%. This works this way because there is a cached file appDevUrlGenerator.php that is created the first time the website is visited or the command app/cache cache:clear is run.
If I visit a landing page as host2, the URLs and paths created inside twig templates will follow host1 instead of host2, and this is not valid.
# parameters.yml
parameters:
    landing_hosts: host1|host2
    main_host: host1
# routing.yml
landings:
    host: "{hosts}"
    path: /
    # a mapping may only carry one "defaults" key, so both defaults live together
    defaults:
        _controller: FrontendBundle:Landings:index
        hosts: "%main_host%"
    requirements:
        hosts: "%landing_hosts%"

RESTFul OAuth with FOSOAuthServer / FOSRest & FOSUser

I'm having difficulty fully understanding the concept of the client creation explained here.
I followed the post to set up the OAuthBundle and tried to make the changes needed to comply with FOSUser, though I'm not sure it's perfect.
My situation
My website is a RESTful API, which returns JSON or XML only. My frontend will be in AngularJS.
I combined FOSUser, FOSRest and FOSOAuth; it's possible I'm having errors in the configuration.
The Problem
I finished setting up the first part of the article up to the doctrine:schema:update command. Now I'm supposed to create a client.
How can I set the security for parts of ^/api for different roles?
example:
Anonymous users can access POST /api/users but not GET /api/users.
Only users with ROLE_ADMIN can access DELETE /api/users/{id}
For testing I'm using Postman (which supports OAuth 1 & 2, along with other means of auth).
Using expressions in security.yml
In order to secure certain routes by a conditional combination of (request) method AND (user) role, you can make use of expressions in your security.yml.
More information can be found in the documentation chapter Securing by an Expression.
Example
Only users with role ROLE_ADMIN shall be allowed to access /api/users/{id} using a DELETE request:
# app/config/security.yml
security:
    # ...
    access_control:
        # single quotes: "\d" is not a valid escape inside a double-quoted YAML string
        - path: '^/api/users/\d+$'
          allow_if: "'DELETE' == request.getMethod() and has_role('ROLE_ADMIN')"
Regex explanation
^ begins with
\d+ one or more digits (= user id)
$ string end

How to override ssl (https) settings on Symfony

In my app, I have set up the routes and security to use secure connection for certain routes:
<route id="store_checkout" pattern="/checkout" scheme="https">
    <default key="_controller">Store:Store:checkout</default>
</route>
access_control:
    - { path: ^/checkout, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
However, since this app is open-source and can run on any server (which may not have SSL), I want to allow users to disable/ignore the SSL requirement (at their own risk) if they choose to do so.
Currently I can think of several ways:
I can have 2 routing files (1 with SSL, 1 without) and also 2 security files. Then, based on the user's selection on installation, the app can decide which file to use.
Or perhaps I can also customize the router's generate function to generate http or https links based on the _scheme settings AND the SSL status (which users can enable/disable depending on whether they have an SSL cert).
Is there any better way to resolve this issue?
I know the answer is late, but if you stumble upon this when googling:
Just add to parameters.yml:
parameters:
    url_scheme: https
And in your security.yml (the parameter must be quoted, since a value starting with % is not valid YAML):
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%url_scheme%' }
