I know that my title is not very clear. I explain me, I create a security:
security:
encoders:
Bundles\UserBundle\Entity\user: sha512
role_hierarchy:
ROLE_MENAGE: [ROLE_USER]
ROLE_EMPLOYE: [ROLE_ADMIN]
ROLE_GERANT: [ROLE_SUPER_ADMIN]
ROLE_INTERCOMMUNAL: [ROLE_GERANT]
providers:
main:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
anonymous: true
provider: main
form_login:
login_path: fos_user_security_login
check_path: fos_user_security_check
logout:
path: fos_user_security_logout
target: /login
remember_me:
key: %secret%
access_control:
- { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, roles: ROLE_MENAGE }
- { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_MENAGE }
- { path: ^/EncoderDechet, roles: ROLE_EMPLOYE }
- { path: ^/VoirConteneurs, roles: ROLE_GERANT }
- { path: ^/GenererFacture, roles: ROLE_INTERCOMMUNAL }
- { path: ^/Statistique, roles: ROLE_GERANT }
Like you can see in this SECURITY.YML I define a role hierarchy. When I log In with a User who have : ROLE_EMPLOYE as role, I have can have access to /register. But this path must have as role : EMPLOYE, and it give me an 403 : access denied.
Can you explain me where I made a mistake ?
Your role hierarchy looks wrong.
It should be
ROLE_B: ROLE_A
ROLE_C: ROLE_B
ROLE_D: ROLE_C
So something like
ROLE_MENAGE: ROLE_USER
ROLE_EMPLOYE: ROLE_MENAGE
ROLE_GERANT: ROLE_EMPLOYE
ROLE_INTERCOMMUNAL: ROLE_GERANT
Which would give you 5 roles going: USER < MENAGE < EMPLOYE < GERANT < INTERCOMMUNAL
If you do need ROLE_ADMIN & ROLE_SUPER_ADMIN just add them in there where you need them.
Here is what I use on my current project for example
ROLE_INFLUENCER: ROLE_USER
ROLE_COMPANY: ROLE_INFLUENCER
ROLE_COMPANY_ADMIN: ROLE_COMPANY
ROLE_SITE_ADMIN: ROLE_COMPANY_ADMIN
ROLE_SUPER_ADMIN: ROLE_SITE_ADMIN
Related
I am using Symfony 2.8.2 with FOSUserBundle. When I'm trying to logout, I got the following error:
You must activate the logout in your security firewall configuration
Here's my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/login
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
anonymous: true
logout:
path: /logout
target: /login
access_control:
- { path: ^/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/, role: ROLE_USER }
I've also tried to set logout: true but nothing changed.
P.S. I'm not using Sonata, just FOSUserBundle.
What's the reason I'm getting this error?
It seems like you have wrong pattern for main firewall.
Setting pattern: ^/login makes this firewall valid only for matching URLs which is only /login URL.
Also, logout URL has to be inside firewall's secured area.
you must add in your security.yml
firewalls:
secured_area:
logout:
path: /logout
target: /
and in your routing.yml
logout:
path: /logout
I have loop redirect after logout
My security.yml
# app/config/security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
# login_path: /login111
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/accaunt, role: ROLE_USER }
- { path: ^/accaunt/, role: ROLE_USER }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/_wdt, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/_profiler, role: IS_AUTHENTICATED_ANONYMOUSLY }
If I'm replace in config.yml handler_id: session.handler.pdo
into handler_id: ~
All good
As the name suggests, when an anonymous user try to access page A which needs an admin role, symfony redirects to the login page, login page of your seems to be also aking for a role user, and hence the error
I think your problem is a typo?! the ^/login$ in your access_control?
I'm trying to make the admin section only accessible for admin users using FOSUserBundle.
However if I go to the admin url (www.foo.local/app_dev.php/admin) without authentication, it allows me access.
In the Symfony debug toolbar it shows Logged in as anon.
I have configured the FOSUserBundle following the official documentation
Here is the security.yml config:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
I don't know why it doesn't ask for the ROLE_ADMIN in order to allow access to the admin section, any ideas?
I guess that's because your rule says
- { path: ^/admin/, role: ROLE_ADMIN }
which means
www.foo.local/app_dev.php/admin/one
www.foo.local/app_dev.php/admin/two
Notice the '/' after admin
where
www.foo.local/app_dev.php/admin
won't satisfy the rule because it's missing the '/' at the end
try to change the rule to be
- { path: ^/admin, role: ROLE_ADMIN }
Hi i got an problem with my access control in symfony 2.
I want to secure the whole site except of the "/" route cause there is the login. So every route else, for example "/hello" must be secured and redirect to / if there is no user logged in.
In my security config i got this configuration:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /
logout: true
anonymous: ~
access_control:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/.*, roles: ROLE_ADMIN }
What am I doing wrong?
This should work:
access_control:
- { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_ADMIN }
for more info:
http://symfony.com/doc/master/book/security.html
I have FOS UserBundle installed in my symfony2 project. Login/logout works, only problem is, the system doesn't redirect/close parts that i want closed.
The whole site should only be accessable by loged in users.
Yet i can call any route.
I filled in the data in the access control section of my security yml, yet it doesn't work. I can call mydomain/de_CH/anything/i/want/ and access that content.
This is my security.yml:
security:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
check_path: fos_user_security_check
csrf_provider: form.csrf_provider
logout:
path: fos_user_security_logout
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/my-admin/, role: ROLE_ADMIN }
- { path: ^/$, role: ROLE_USER }
#- { path: ^/$, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Change
- { path: ^/$, role: ROLE_USER }
to
- { path: ^/.*, role: ROLE_USER }
This is because, first regex tell you allow ROLE_USER to path with that pattern /
So, patterns like /foo /foo/bar and so on aren't catched from your firewall.
Second pattern cover the latter case
Remove the anonymous: true part and put /login to it's own firewall so users can log in.
The anonymous part allowed anonymous user to access that firewall.
firewalls:
login_firewall:
pattern: ^/login$
anonymous: ~
main:
pattern: ^/
form_login:
# ...
logout:
path: fos_user_security_logout
EDIT: Since we denied anonymous users access to the page, we need to create separate firewall for /login otherwise they wouldn't be able to log in.
See section "Avoid Common Pitfalls" in the official documentation:
http://symfony.com/doc/current/book/security.html for more info on the subject.