I'm trying to study the FOSUserBundle. I followed the steps of their documentation (link) and successfully created a login form and registration. Now I'm creating another controller named TodoController and I want to secure that TodoController: it needs the user to log in before it shows the todo page. How can I secure the TodoController?
FOSUserBundle only extends the Symfony security layer; all other Symfony security features remain the same, so you can use the default access control from Symfony security:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
You will find it mentioned in the link you provided, but you can read more about it here: http://symfony.com/doc/current/security/access_control.html
Or if you want something more flexible and more powerful, you can take a look at JMSSecurityExtraBundle: http://jmsyst.com/bundles/JMSSecurityExtraBundle/1.2/annotations
Hope this helps,
Alexandru Cosoi
Related
I currently have the code below, which does pretty much what I want.
There are just a few things I don't understand.
What's the ^/ in front of each path?
What's the $ behind ^/login?
Why do I get redirected to the login page when I don't have access to a page? Where do I set this up or change this?
Is there an easy way to grant access to my frontpage (/) while requiring users to be logged in to access any other page (except for the login/register pages)?
Should I use IS_AUTHENTICATED_FULLY or ROLE_USER?
Can't find any clear info on the subject either ...
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/, role: IS_AUTHENTICATED_FULLY }
Regarding ^ and $:
^ = start of the string
$ = end of the string
https://en.wikipedia.org/wiki/Regular_expression#Delimiters
IS_AUTHENTICATED_FULLY or ROLE_USER:
You can't compare these two directly. You could be authenticated fully and not have the role ROLE_USER.
IS_AUTHENTICATED_FULLY only means that you're not logged in through the remember_me mechanism in this session but actively entered your password.
It does not, however, check which role the logged-in user is granted.
More here:
http://symfony.com/doc/current/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully
Is there an easy way to grant access to my frontpage (/) while requiring users to be logged in to access any other page (except for the login/register pages)?
Try:
access_control:
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/*, role: IS_AUTHENTICATED_FULLY }
On this page, http://symfony.com/doc/master/bundles/FOSUserBundle/index.html,
the recommended security.yml has:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
Why is there a $ at the end of /login but not at the end of /register?
On a related note, when I visit /register I am redirected to /register/.
The access control on the login uses a regex. This always means a URL starting with /login, so /login, /login-check... etc.
The second one catches all the URLs starting with the directory /register/.
I hope that I have been able to help you with my explanations.
I'm using FOSUser and I would like to return an exception or simply block access to registration if the user is already connected. When I'm connected, I can still go to /register by URL.
This is my access_control:
access_control:
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
I could override the registration controller action and return an AccessDeniedException, but I'm sure there is a better solution, with security.yml maybe?
If you add this:
- { path: ^/register, role: ROLE_ADMIN }
then use:
php bin/console fos:user:promote user_name ROLE_ADMIN
to add "user_name" to the ROLE_ADMIN, then other users will get an Access Denied message.
I finally found the answer. I have to use Voters to check user permissions.
This is the doc: http://symfony.com/doc/current/cookbook/security/voters.html
And there is a great example here: http://henrik.bjrnskov.dk/symfony2-anonymous-users-access/
And this is what I have:
- { path: ^/register, role: IS_ANONYMOUS }
I have made two different login sections in my website, one for the admin section and another for frontend users.
When I logged in to the frontend, it logged in. The problem is that when I try to log in to the admin section it throws an access denied error.
Is it possible to make two different login sessions so that both login sessions are independent of each other?
You don't show security.yml, so there's no way to know for sure:
Try deleting this row:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
But most likely you have something like this in your security.yml:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/, role: ROLE_USER }
and your login page is at the URL /admin/login/,
so it requires ROLE_ADMIN to access the login page before you can log in as admin.
I have installed both FOSUserBundle and Sonata Admin bundle.
At first FOSUserBundle worked perfectly, with profile, login and logout.
Now with Sonata Admin bundle, I can CRUD my entities.
Now I want them integrated with login to my backend.
Now when I go to /admin/dashboard it redirects to /admin/login and then an infinite redirect loop.
I have probably messed up the security, and I really don't understand it that well.
security.yml : https://gist.github.com/lsv/4740268
routing.yml : https://gist.github.com/lsv/4740284
config.yml : https://gist.github.com/lsv/4740291
dev.log : https://gist.github.com/lsv/4740301
Can somebody help?
Add:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login-check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
to security.yml.
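As an added example (not from any of the posts above): a small Python model of how Symfony's access_control decides, covering the ^ and $ anchoring question answered earlier and the /admin/login redirect loop in the last question. The rule lists and requests are constructed here, and the voter logic is a deliberate simplification of Symfony's AuthenticatedVoter and RoleVoter.

```python
import re

# Added example: a model of Symfony's access_control decision, so the rules from
# the answers above can be checked offline. Rule lists below are constructed.

def first_matching_rule(rules, path):
    """Symfony tests rules in order and uses the FIRST one whose regex matches."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule
    return None  # no rule matched: access_control imposes nothing

def is_granted(attribute, user):
    """Approximates AuthenticatedVoter and RoleVoter. user is None when anonymous,
    otherwise {"roles": [...], "remember_me": bool}."""
    if attribute == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    if attribute == "IS_AUTHENTICATED_REMEMBERED":
        return user is not None
    if attribute == "IS_AUTHENTICATED_FULLY":
        return user is not None and not user.get("remember_me", False)
    if attribute.startswith("ROLE_"):
        return user is not None and attribute in user["roles"]
    return False  # unknown attribute (e.g. a typo): every voter abstains, so denied

def decide(rules, path, user):
    """Returns 'allow', 'login' (redirected to the login entry point) or '403'."""
    rule = first_matching_rule(rules, path)
    if rule is None or is_granted(rule["role"], user):
        return "allow"
    # Anonymous and remember-me users are sent to the login form instead of a 403
    full_fledged = user is not None and not user.get("remember_me", False)
    return "403" if full_fledged else "login"

# Constructed: mirrors the kind of security.yml the last answer corrects.
ADMIN_LOGIN_LOOP = [
    {"path": r"^/login$", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/admin/", "role": "ROLE_ADMIN"},
    {"path": r"^/", "role": "ROLE_USER"},
]
ADMIN_LOGIN_RULE = {"path": r"^/admin/login$", "role": "IS_AUTHENTICATED_ANONYMOUSLY"}
ADMIN_LOGIN_FIXED = [ADMIN_LOGIN_RULE] + ADMIN_LOGIN_LOOP   # before ^/admin/: works
ADMIN_LOGIN_WRONG_ORDER = ADMIN_LOGIN_LOOP + [ADMIN_LOGIN_RULE]  # after it: still loops

if __name__ == "__main__":
    for name, rules in [("loop", ADMIN_LOGIN_LOOP), ("fixed", ADMIN_LOGIN_FIXED),
                        ("wrong order", ADMIN_LOGIN_WRONG_ORDER)]:
        print(name, "anonymous GET /admin/login ->", decide(rules, "/admin/login", None))
```

The first-match rule is why the added /admin/login entries must appear above the `^/admin/` line: appended at the end they are never reached, and an anonymous request to the login page is redirected to the login page again.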