Error or bug with Symfony User updating roles - symfony

This time I got a curious bug in my project managing the roles of a user.
I have the EasyAdmin bundle installed, where I can manage the users' roles. So I log in with a user that has access to EasyAdmin (ROLE_ADMIN in this case). Besides this role I also have a few more roles, one of them called ROLE_SUPERSUSER, with which a user can edit 2 fields that the rest of the users don't have permission to edit.
So through EasyAdmin I remove ROLE_SUPERSUSER from myself, and here comes the gist of the matter. If I try to access the edit zone from the profile: if you have ROLE_SUPERSUSER you will be able to edit these fields, but because I removed this role from myself, I expect not to see these fields there. Instead, an error appears on the screen.
If I just log out and log in again the problem is solved. But obviously I can't force the users to log out and log in when I change their roles.
I guess the problem comes through the cache, but I can't find a solution.

Symfony roles are added on authentication by default, so you would have to re-login for this change to take effect.
You can change this in security.yml:
security:
    always_authenticate_before_granting: true

I found a solution thanks to KNPUniversity.
The solution involves creating a listener that updates the user before each controller.
I got the ideas from these links:
https://github.com/symfony/symfony/pull/24331
With special attention to this link:
https://github.com/symfony/symfony/issues/12025#issuecomment-219723819
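As an added example of the listener approach described in this answer (not the asker's code and not the KNPUniversity or linked GitHub code), here is a kernel.request subscriber that rebuilds the session token as soon as the role names stored in it no longer match the roles on the User entity, so a role removed through EasyAdmin takes effect on the next request instead of the next login. It assumes Symfony 6 on PHP 8 (so the firewall has already reloaded the User from the user provider at priority 8) and a form-login firewall named "main".

```php
<?php
// src/EventSubscriber/RefreshRolesSubscriber.php (added example, not from the question)
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\User\UserInterface;

final class RefreshRolesSubscriber implements EventSubscriberInterface
{
    private const FIREWALL = 'main'; // assumption: adjust to your firewall name

    public function __construct(private TokenStorageInterface $tokenStorage) {}

    public static function getSubscribedEvents(): array
    {
        // The firewall listener runs at priority 8 on kernel.request and has
        // already refreshed the User entity from the provider; run right after it.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }
        $token = $this->tokenStorage->getToken();
        $user = $token?->getUser();
        if (!$user instanceof UserInterface) {
            return; // nobody is logged in on this request
        }
        if (self::rolesMatch($token->getRoleNames(), $user->getRoles())) {
            return; // the token still reflects the database, nothing to do
        }
        $firewall = $token instanceof UsernamePasswordToken ? $token->getFirewallName() : self::FIREWALL;
        // Replace the stale token with one carrying the current roles; the
        // firewall serialises it back into the session at the end of the request.
        $this->tokenStorage->setToken(new UsernamePasswordToken($user, $firewall, $user->getRoles()));
    }

    /** Order-insensitive comparison of two lists of role names. */
    public static function rolesMatch(array $tokenRoles, array $userRoles): bool
    {
        $a = array_values(array_unique($tokenRoles));
        $b = array_values(array_unique($userRoles));
        sort($a);
        sort($b);
        return $a === $b;
    }
}
```

With autowiring enabled the subscriber is registered automatically; removing a role then hides the protected fields on the user's very next request, and adding one grants it without a re-login.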

Related

Symfony, redirecting depending on a variable

I'm building a shop system at the moment. Using Symfony+CommerceTools as backend and Twig as frontend.
What I want to achieve:
In store A, reached via a.store.com, you should always be redirected to the /login page if you aren't logged in yet. This store can only be used when logged in.
In store B, reached via store.com, you can access anything without being logged in.
Right now, anyone can access everything. That's right for store B.
I could add a rule to security.yaml that redirects to /login if not logged in; that would work for store A.
But I need a solution that handles both, depending on a variable in commerceTools.
So if you have logins set up, this is quite straightforward using roles in Symfony. If you don't have a login form set up yet, check out this Symfony login guide.
To use roles you will have to ensure you have your security system set up, which is covered in this Symfony Security guide. Note this will need to be set up first if you intend to use the Symfony login forms I linked to first.
The bit you need in particular to restrict access to certain sections of your site is Section 4) Denying Access, Roles and other Authorization in the above guide.
Essentially in your User entity class you have roles set to your users. Then, my preferred way of securing certain parts of your site would be by adding role requirements into the controllers for the views you want to secure, for example:
// src/Controller/ShopAController.php
// ...
public function shopA(): Response
{
    // Throws AccessDeniedException unless the current user has ROLE_USER
    $this->denyAccessUnlessGranted('ROLE_USER');

    // render the protected view (template name is illustrative)
    return $this->render('shop_a/index.html.twig');
}
You will notice when setting up the security system, that there are settings to give any registered users the role of ROLE_USER, so you can use this to secure parts of your site to only registered users, or you could create a new role such as ROLE_CUSTOMER or something.
If a non-logged-in user tries accessing this secured view, they will be redirected to the login page.
Then for the views of your site you want anyone to be able to access, you simply don't set any role access rules in those controllers.
This avoids needing to add URL paths to your security.yaml as you wanted as well.
I hope this was helpful! Give it a try and follow the Symfony tutorials I linked, they're very easy to follow :)
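The answer above checks a fixed role per controller. As an added example (not the answerer's code), here is the same controller-side check generalised to the asker's two-store case with a Symfony voter: the decision whether a store requires a login is looked up per host, so one `denyAccessUnlessGranted()` call serves both stores. It assumes Symfony 6 on PHP 8; the `$loginRequiredByHost` map is a stand-in for the commerceTools variable and is assumed to be bound in services.yaml.

```php
<?php
// src/Security/Voter/StoreAccessVoter.php (added example, not from the answer)
namespace App\Security\Voter;

use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Grants STORE_ACCESS depending on the store (host) being served.
 * Usage in any controller: $this->denyAccessUnlessGranted(StoreAccessVoter::ATTRIBUTE);
 */
final class StoreAccessVoter extends Voter
{
    public const ATTRIBUTE = 'STORE_ACCESS';

    /**
     * @param array<string,bool> $loginRequiredByHost assumption standing in for the
     *        commerceTools setting, e.g. ['a.store.com' => true, 'store.com' => false]
     */
    public function __construct(
        private RequestStack $requestStack,
        private array $loginRequiredByHost,
    ) {}

    protected function supports(string $attribute, mixed $subject): bool
    {
        return self::ATTRIBUTE === $attribute;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $request = $this->requestStack->getMainRequest();
        if (null === $request) {
            return false; // no HTTP request (console, messenger): deny
        }
        // Hosts missing from the map fail closed, i.e. require a login.
        $host = strtolower($request->getHost());
        $requiresLogin = $this->loginRequiredByHost[$host] ?? true;

        if (!$requiresLogin) {
            return true; // store B: anyone may browse
        }
        // store A: only an authenticated user passes. For an anonymous visitor the
        // resulting AccessDeniedException makes the firewall's entry point redirect
        // to the login page, which is the behaviour the question asks for.
        return $token->getUser() instanceof UserInterface;
    }
}
```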

How to prevent FOSUserBundle from automatically logging in when registering a user?

What happens is that in my application only the administrator user can add new users, but when I create a new one, the current session automatically becomes, or logs in as, the new user. I'd be grateful to whoever can explain how to avoid that. Thank you.
Your question is not clear; please add some details (or code).
You added the tag FOSUserBundle but didn't say how you use it...
If I understand correctly, check this:
If you create a new User, use the UserManager; here it is explained.
Second: when a User is created (by the RegistrationController), this bundle fires many events; check it.
I'm sure you used the normal registration method instead of the UserManager createUser method or some other magic.
Remember that if you need to prevent autologin for the implemented registration action, you can extend this bundle and override the Controller.
Important: even if it helped, ADD more explanation to your question (it can help other users).

Allow a user to have both the "User" and "Admin" roles

I am having a problem and would like to know if someone has a suggestion. On a site I am developing, I was using ASP.NET Simple Membership, but now I am migrating to ASP.NET Identity 2. I have 2 roles: "User" and "Admin". The admin can do admin stuff, configuration, database management, etc., but cannot do "user things". So the admin is not a "super user"; it only has a different function.
The problem I am facing is that the unique identifier for the user is their email. So, if someone wants to use the system all by himself, he has to create 2 accounts (one admin and one user), so he has to have 2 emails. This is a problem. I could easily add both the "user" and "admin" roles to that user, but that would make the system harder to use for the "user" role, and I would like to avoid this.
I use roles to authorize routes on the server (MVC and Web API) and for basic things (like hiding elements) on the UI (SPA), so it is already part of the system, but I am willing to change it if necessary.
I was thinking of doing something like this:
When the user is configured to be an administrator, every time he logs on, I ask if he wants to be an admin or a user in this session.
If he chooses "user", I set the user role for him and log him in.
If he chooses "admin", I set the "admin" role for him and log him in.
What do you think about that? Does someone have a better idea? This feels like a hack, and hacks do not go well with security :/
I see a problem with that: sometimes I need to send emails to admins (when they are offline). With this, I cannot rely on the UserRole table only; I will always have to check the User.IsAdministrator flag too. It is not a big problem, but it adds a small complexity to things.
You need to use roles for this. A user can be a member of several roles at once, so you can have a user that is a member of the 'user' role, a user that is a member of the 'admin' role, or a user that is a member of both the 'user' and 'admin' roles.
You have already suggested this idea, and this is how I would do it. If you then wanted to control what they could see (so that an 'admin' member could only see the stuff that a 'user' role user can normally see), then you could have a drop-down on any form (or put it on your master page) that allows the user to turn the admin stuff on and off. You can then remember their selection in the session object and refer to that each time the page loads, e.g.
If User.IsInRole("Admin") And IsNothing(Session("HideAdmin")) Then
    ' Show admin stuff
End If
Or something similar.
This type of problem is solved at database design time, not at development time. You have few choices; the best I see is to create a third user who will have both rights.

Symfony2 user management logs me out randomly

I have a user management interface built from FOSUserBundle, and sometimes I get logged out after opening a user. It doesn't matter if I edit anything on this user and save the changes, or if I just bring up the edit user form and then hit the back link; I still get logged out without any error or warnings in app_dev.php mode.
...and I realized that this is what Symfony2 does when you bring up a form to edit the currently logged-in user. If I am logged in as admin and open the edit form for this user, the next route I go to (it doesn't matter which one) will take me to the login page. Bringing up the edit form for the currently logged-in user will log me out, with no error or warning.
Thought it might be helpful to someone else who doesn't know that you can't edit the currently logged-in user.
I think it would be great if Symfony2 threw an exception telling you that this is the reason for the auto logout, at least in dev mode.
First you should check your Apache logs.
I had a similar issue, and it was caused by a duplicate column name in one of the entities. All the other entities refused to work, and it ended in my being logged out every time I clicked something in admin.

How to force FormsAuthentication to refresh the user's roles?

I'm trying to figure out how, when using the default ASP.NET forms authentication, one can change the roles that a user has dynamically. In our case a user has access to many accounts, and their roles can change per account. This doesn't seem like rocket science to me, but I can't figure out how I would do this. Does anyone have any experience trying to do this, or a link that would be helpful?
UPDATE:
Just to clarify. We know at startup that User X has access to account #1 with roles 1,2,3 and account #2 with roles 1,2.
So first off I have to handle this part of the problem: getting their roles based on their current account. For this I think I'd use a RoleProvider. The problem I'm trying to solve, though, is once ASP.NET has a User, how do I tell it to invalidate or refresh that user so it would hit my custom RoleProvider (or whatnot) again.
Roles.AddUserToRole() should take care of adding the user to a role.
For removing: Roles.RemoveUserFromRole()
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx