I am using Symfony 3.2 and FOSUserBundle 2.0.
I use the classic setup: "Getting Started With FOSUserBundle"
```yaml
security:
    always_authenticate_before_granting: true
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_CLIENT
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
            logout: true
            anonymous: ~
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_ADMIN }
        - { path: ^/client, role: ROLE_CLIENT }
```
It works, but something is strange:
when I log out and navigate to a public page, it appears as if I am still logged in.
I need to manually reload the page in my browser to make the logout effective.
(I use `{% if is_granted('ROLE_ADMIN') %}` in my template.)
Is it a problem with my security configuration or a problem with cache memory?
Some help will be appreciated.
Thanks,
Vincent
Try adding the ROLE_USER to your role hierarchy like this:
```yaml
role_hierarchy:
    ROLE_CLIENT: ROLE_USER
    ROLE_ADMIN: ROLE_CLIENT
```
As stated in the docs: "Make sure every user has at least one role, or your user will look like they're not authenticated. A common convention is to give every user ROLE_USER." http://symfony.com/doc/current/security.html#roles
I'm trying to make the admin section only accessible to admin users using FOSUserBundle.
However, if I go to the admin URL (www.foo.local/app_dev.php/admin) without authentication, it allows me access.
In the Symfony debug toolbar it shows "Logged in as anon."
I have configured the FOSUserBundle following the official documentation.
Here is the security.yml config:
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
```
I don't know why it doesn't ask for the ROLE_ADMIN in order to allow access to the admin section, any ideas?
I guess that's because your rule says

```yaml
- { path: ^/admin/, role: ROLE_ADMIN }
```

which means

```
www.foo.local/app_dev.php/admin/one
www.foo.local/app_dev.php/admin/two
```

Notice the '/' after admin, whereas

```
www.foo.local/app_dev.php/admin
```

won't satisfy the rule because it's missing the '/' at the end. Try changing the rule to

```yaml
- { path: ^/admin, role: ROLE_ADMIN }
```
Today I noticed that I can always access the register and reset forms regardless of whether I am authenticated or not.
Here is my security.yml:
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                delete_cookies:
                    activeGame: {}
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
```
According to http://symfony.com/doc/current/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources it seems "normal" to be able to access these pages.
But how can I "easily" disable them for authenticated users, or did I miss anything?
Thanks in advance!
You may be able to accomplish what you are looking for by using the newly introduced allow_if expression for access controls.

```yaml
- { path: ^/register, allow_if: "not is_authenticated()" }
```

Another way may be:

```yaml
- { path: ^/register, allow_if: "user == 'anon'" }
```

I haven't fully tested this, but it should only allow users who are not fully authenticated or remember-me authenticated to access that path.
Here is a little bit about the security.
Here are some of the variables and functions available in expressions.
Then here is some info on the expressions you can use in allow_if.
If, however, you do not want to throw a 403 Access Denied Exception when logged-in users try to access those pages, and would instead like to redirect them elsewhere, you can add a check to their respective controller actions. Something like:

```php
public function registerAction()
{
    // Anyone already logged in (fully or via remember-me) is sent elsewhere
    if (true === $this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
        return $this->redirect($this->generateUrl('some_route_to_send_them_to'));
    }
    // ...
}
```
I've been using FOSUserBundle for a long time now, but this has never happened to me. It seems that the firewall is not working, because I can access any page of my site, when I should be redirected to the login page when accessing as ANONYMOUS.
So, this is my security file:
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js|assets)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                invalidate_session: false
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }
```
And this is my config.yml file:
```yaml
#v1.0
imports:
    - { resource: parameters.yml }
    - { resource: security.yml }

fos_user:
    db_driver: orm
    firewall_name: main
    user_class: My\Bundle\Entity\User
```
So, from what I see, everything is configured correctly, so it should work as expected. But this is not happening. So the question is: where else should I look for any conflicting configuration file, conflicting entities, etc.? I've been debugging for hours before coming to ask the question here (I did not want to ask a silly question), but I cannot figure out what could be happening.
Any ideas?
Your problem:
The correct ACL attribute is roles, not role.
Working examples:

```yaml
security:
    # ...
    access_control:
        # ...
        - { path: ^/, roles: ROLE_USER }
        - { path: ^/admin, roles: [ROLE_ADMIN, ROLE_TRANSLATOR] }
```

Explanation:
Because of the wrong attribute name, there are effectively no mandatory roles configured.
That's why, as you have anonymous set to true, access is currently granted without any restrictions.
Please have a look at the documentation chapter "Securing specific URL patterns".
I am using FOSUserBundle.
My security setting is like this, so if you access anything under /member
without logging in, you are transferred to the top page.
I want to add another behavior:
if you access the top page while you are logged in, you are transferred to /member/profile.
How can I do this?
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        main:
            pattern: ^/
            anonymous: ~
            form_login:
                check_path: /login_check
                login_path: /login
                provider: fos_userbundle
            logout:
                path: /logout
                target: /
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/member, role: ROLE_USER }
```
There are many solutions to your problem:
In the top page controller you can redirect the user if he is logged in.
Or
You can use an event listener on kernel.request which has the responsibility to set the response if the current route is the top page and the user is logged in.
Edit:
To redirect in a controller: `return $this->redirect($this->generateUrl('routename'))`
See: http://symfony.com/doc/current/book/controller.html#redirecting
Hope it's helpful.
Best regards.
I have FOSUserBundle installed in my Symfony2 project. Login/logout works; the only problem is that the system doesn't redirect/close the parts that I want closed.
The whole site should only be accessible by logged-in users.
Yet I can call any route.
I filled in the data in the access_control section of my security.yml, yet it doesn't work. I can call mydomain/de_CH/anything/i/want/ and access that content.
This is my security.yml:
```yaml
security:
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_provider: form.csrf_provider
            logout:
                path: fos_user_security_logout
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/my-admin/, role: ROLE_ADMIN }
        - { path: ^/$, role: ROLE_USER }
        #- { path: ^/$, role: ROLE_USER }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
```
Change

```yaml
- { path: ^/$, role: ROLE_USER }
```

to

```yaml
- { path: ^/.*, role: ROLE_USER }
```

This is because the first regex tells the firewall to require ROLE_USER only for the path matching that pattern, which is exactly `/`.
So paths like /foo, /foo/bar and so on aren't caught by your firewall.
The second pattern covers the latter case.
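As an added illustration (not code from any of the posts above, nor from Symfony or FOSUserBundle), the script below mirrors how Symfony evaluates access_control: the first rule whose path regex matches the request path decides, the required role is checked against the user's roles expanded through the role hierarchy, and a path that no rule matches is left unrestricted. The two rule lists and the hierarchy are assumptions stitched together from the configs in these threads, so the `^/admin/` vs `^/admin` and `^/$` vs `^/.*` differences from the answers can be checked offline, along with why rule order matters.

```python
import re

# Constructed rule lists (not Symfony's own code) taken from the configs
# posted above. As in Symfony, the FIRST matching rule decides.
AS_POSTED = [
    {"path": r"^/login$", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/register", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/admin/", "roles": "ROLE_ADMIN"},  # trailing slash: /admin falls through
    {"path": r"^/client", "roles": "ROLE_CLIENT"},
    {"path": r"^/$", "roles": "ROLE_USER"},        # anchored: /foo falls through
]
CORRECTED = [
    {"path": r"^/login$", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/register", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/admin", "roles": "ROLE_ADMIN"},
    {"path": r"^/client", "roles": "ROLE_CLIENT"},
    {"path": r"^/.*", "roles": "ROLE_USER"},       # catch-all, must stay last
]
# Hierarchy from the first thread plus its accepted fix (assumed here)
ROLE_HIERARCHY = {"ROLE_ADMIN": ["ROLE_CLIENT"], "ROLE_CLIENT": ["ROLE_USER"]}


def reachable_roles(roles):
    """Expand granted roles through ROLE_HIERARCHY (transitive closure)."""
    seen, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_HIERARCHY.get(role, []))
    return seen


def decide(path, user_roles, rules):
    """Return (pattern that matched or None, access granted?).

    A path no rule matches is unrestricted: that is how an anonymous user
    reaches /admin (no slash) or /foo with the rules as posted.
    """
    for rule in rules:
        if re.search(rule["path"], path):  # Symfony: preg_match on path info
            required = rule["roles"]
            if required == "IS_AUTHENTICATED_ANONYMOUSLY":
                return rule["path"], True
            return rule["path"], required in reachable_roles(user_roles)
    return None, True


if __name__ == "__main__":
    for p in ("/admin", "/admin/", "/foo", "/login"):
        print(p, "posted:", decide(p, [], AS_POSTED), "fixed:", decide(p, [], CORRECTED))
```

Reversing the corrected list puts the catch-all first, which blocks anonymous users from `/login` itself, the pitfall the dedicated login firewall in the next answer avoids.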
Remove the `anonymous: true` part and put /login in its own firewall so users can log in.
The anonymous part allowed anonymous users to access that firewall.

```yaml
firewalls:
    login_firewall:
        pattern: ^/login$
        anonymous: ~
    main:
        pattern: ^/
        form_login:
            # ...
        logout:
            path: fos_user_security_logout
```

EDIT: Since we denied anonymous users access to the page, we need to create a separate firewall for /login, otherwise they wouldn't be able to log in.
See the section "Avoid Common Pitfalls" in the official documentation,
http://symfony.com/doc/current/book/security.html, for more info on the subject.