Develop Reference

How to authorize custom user from db in Symfony4

I just need to authorize custom user. Without any froms, tokens and etc. I have user entity in my DB.
User class is already configuren it fos_user.yaml:
fos_user:
db_driver: orm
firewall_name: main
from_email:
address: '***#*******.**'
sender_name: '**.****.**'
user_class: App\Entity\User
Is it possible? Somethong like
Authurizer::authorize($userEntity)
Thanks.

Authorization in Symfony done Tokens. To be logged in Symfony's World you'll need to set a Token.
One of the common use cases is "auto login" right after registration.
Take a look at this article -> https://ourcodeworld.com/articles/read/459/how-to-authenticate-login-manually-an-user-in-a-controller-with-or-without-fosuserbundle-on-symfony-3
especially for that part
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$this->get('security.token_storage')->setToken($token);
BUT also take a look at symfony's impersonalizaiton => https://symfony.com/doc/current/security/impersonating_user.html
It basically allows you to switch users without filling out forms and knowing users' credentials

Custom Commands for FOSUserBundle are
fos:user:activate
fos:user:change-password
fos:user:create
fos:user:deactivate
fos:user:demote
fos:user:promote
There is no such way to authorize directly as you want it.
You can create a custom command in symfony which accepts username and authenticates a user. Here is a way to create such a command : https://symfony.com/doc/current/console.html

Thanks you, guys! I found the solution here!
How to programmatically login/authenticate a user?
Sorry for wrong or stupid question.

Sonata Admin Bundle ACL don't grant edit

I integrated the Sonata Admin Bundle with ACL, and have the following configs:
config.yml
sonata_admin:
security:
handler: sonata.admin.security.handler.acl
# acl security information
information:
GUEST: [VIEW, LIST]
MAINTAINER: [EDIT, LIST]
STAFF: [EDIT, LIST, CREATE]
EDITOR: [OPERATOR, EXPORT]
ADMIN: [MASTER]
# permissions not related to an object instance and also to be available when objects do not exist
# the DELETE admin permission means the user is allowed to batch delete objects
admin_permissions: [CREATE, LIST, DELETE, UNDELETE, EXPORT, OPERATOR, MASTER]
# permission related to the objects
object_permissions: [VIEW, EDIT, DELETE, UNDELETE, OPERATOR, MASTER, OWNER]
security.yml
security:
role_hierarchy:
ROLE_OPERATOR:
- ROLE_ADMIN_BOOKING_ADMIN
- ROLE_ADMIN_PAYMENT_ADMIN
The flow is we create a booking object via BookingAdmin class and in postPersist doctrine event listener I create the payment Object.
$payment = new Payment();
//... set here
$this->entityManager->persist($payment);
$this->entityManager->flush();
The problem is in list I'm not able to see the edit button, but I can delete.
And when run manual the command:
php bin/console sonata:admin:generate-object-acl
after that I'm able to see the edit button.
What I do wrong here ? Because I'm logged with the same user.
EDIT
After few research I found the next problem https://sonata-project.org/bundles/admin/2-3/doc/reference/security.html#acl-and-friendsofsymfony-userbundle
A listener must be implemented that creates the object Access Control List with the required rules if objects are created outside the Admin
What this mean, and how I should do in listener to take the correct ACL role?

I think you don't pointed out your allowed action detailed enough ... you only point to the admin with e.g. "ROLE_ADMIN_BOOKING_ADMIN" ... following the documentation, the config should be "ROLE_ADMIN_BOOKING_ADMIN_EDIT" for example to allow this role to edit your admin ... write "ROLE_ADMIN_BOOKING_ADMIN_ALL" to allow to edit everything ...

Symfony2 User permission managment

I come to you because I have a little concern about the management of users and their Permissions with Symfony2.
Let me explain:
I set up the FOSUserBundle:
What I'd like to do now is a rights management. I have an entity 'Post'.
I have users with roles specified below.
ROLE_GUEST - VIEW,RATE
ROLE_USER - VIEW,CREATE,RATE,EDIT_OWN
ROLE_EDITOR - VIEW,CREATE,RATE,EDIT,DELETE
I want to set permission to each roles for performing certain actions.
Thank you :)

If i understand your necessity correctly you want to have a security layer based on those roles. You can do this in may ways:
The symfony default way -
you can configure the security layer of symfony like in the example below
# app/config/security.yml
security:
# ...
access_control:
- { path: ^/post/view, roles: VIEW }
- { path: ^/post/rate, roles: RATE }
# etc
This will take care of route access control. More info on http://symfony.com/doc/current/cookbook/security/access_control.html
For more complex roles like EDIT_OWN, you can take the direct approach
if (!$post->isAuthor($this->getUser())) {
$this->denyAccessUnlessGranted('EDIT', $post);
// or without the shortcut:
//
// use Symfony\Component\Security\Core\Exception\AccessDeniedException;
// ...
//
// if (!$this->get('security.authorization_checker')->isGranted('edit', $post)) {
// throw $this->createAccessDeniedException();
// }
} else {
$this->denyAccessUnlessGranted('EDIT_OWN', $post);
}
For all this and more you can check the symfony site http://symfony.com/doc/current/best_practices/security.html
For even more advanced roles or ACL requirement also take a look here https://symfony.com/doc/current/components/security/authorization.html and at the authorization voters https://symfony.com/doc/current/components/security/authorization.html#voters
In the 4 links I provided in this post you should find all you need to implement RBAC as well as ACL. You can also find information about some annotations you may want to use. Also there are some extensions to the symfony security layer that may come in handy depending on the symfony version you are working on like JMS\SecurityExtraBundle.
Hope this help,
Alexandru Cosoi

Symfony2 + FOS OAuth bundle testing without authentication

I have application which base on logging users by FOSOAuthServerBundle and I want to test actions in this application.
So... In Sf2 are special config file for testing environment, config_test.yml and I've put this code:
security:
firewalls:
default:
anonymous: ~
In theory it should solve my problem, because this firewall allows anyone access any action. I've put it in config_test.yml, so it should work only then I'm testing application. Good solution, I was thinking.
But Sf threw this error:
You are not allowed to define new elements for path "security.firewalls". Please define all elements for this path in one config file.
My questions is:
How can I allow access actions without logging while testing application by PHPUnit?

You can't add/define new elements but you can modify them.
In config_test.yml instead default firewall use name of your real firewall used in security.yml.
And better will be using http_basic: ~ instead anonymous: ~ so your tests will can behave like real authenticated user.
Nice cookbook here: http://symfony.com/doc/2.8/cookbook/testing/http_authentication.html

Symfony2 ACL - can't set multiple user sources on a single provider

I'm trying to figure out why I can't set multiple user providers into a single provider.
Currently I'm configuring ACL. For the user providers I want to have a couple of "hard-coded" users and users which would be loaded from a database.
Reading the documentation it's stated that you're not required to have two user providers - one for the in_memory users and one for the database users. You should be able to combine them into a single user provider (which is what I'm trying to do).
The suggested configuration is:
security:
providers:
main_provider:
memory:
users:
foo: { password: test }
entity:
class: Acme\UserBundle\Entity\User,
property: username
My configuration is:
security:
providers:
main_provider:
memory:
users:
foo: { password: test }
entity:
class: Company\EntitiesBundle\Entity\User,
property: username
Unfortunately I get this exception:
InvalidConfigurationException: Invalid configuration for path "security.providers.main_provider": You cannot set multiple provider types for the same provider
If I, however, set two different providers and chain them, it works without problems.
I can't figure out why this would happen? It's clearly stated in the documentation - you can accomplish this even more easily by combining the two sources into a single provider.
What am I missing here?

Why don't you chain providers? The documentation that you're referring states that you can use multiple user providers "...by creating a new provider that chains the two together".
http://symfony.com/doc/current/book/security.html#using-multiple-user-providers
Each authentication mechanism (e.g. HTTP Authentication, form login, etc) uses exactly one user provider, and will use the first declared user provider by default. But what if you want to specify a few users via configuration and the rest of your users in the database? This is possible by creating a new provider that chains the two together.
Now, all authentication mechanisms will use the chain_provider, since it's the first specified. The chain_provider will, in turn, try to load the user from both the in_memory and user_db providers.
All you have to do is to setup a chain provider.
# app/config/security.yml
security:
providers:
main_provider:
chain:
providers: [memory_provider, entity_provider]
memory_provider:
memory:
users:
foo: { password: test }
entity_provider:
entity:
class: Company\EntitiesBundle\Entity\User
property: username

Which Symfony version are you using? If 2.0, in 2.0 documentation the configuration is slightly different:
# app/config/security.yml
security:
providers:
main_provider:
users:
foo: { password: test }
entity: { class: Acme\UserBundle\Entity\User, property: username }
Notice the memory key missing.