Set access control in Symfony2 for URL with querystring - symfony

I want to allow access to users with ROLE_ADMIN to the following path:

    /admin

And only allow access to users with ROLE_CONTENT or ROLE_ADMIN to the following path:

    /admin?select=pending

Here is my access control config in security.yml:

    access_control:
        - { path: ^/admin?select=pending, role: [ ROLE_ADMIN, ROLE_CONTENT ] }
        - { path: ^/admin, role: ROLE_ADMIN }

However, if I try to access the query string path with a user with ROLE_CONTENT it gives me a 403 access denied error message.
Any suggestions on how to achieve this?

Related

Symfony access_control Rule

I have 3 user roles:

    ROLE_STAFF
    ROLE_ADMIN
    ROLE_CUSTOMER

I want to implement the following rules for my admin dashboard:

- Allow users with role ROLE_ADMIN all access
- Do not allow access for users with role ROLE_CUSTOMER to any URL starting with /admin
- Allow not logged in users to access URLs starting with /account
- Allow users with role ROLE_STAFF to access URLs starting with /admin/business/*

For the above rules, I have implemented the following in access_control:

    access_control:
        - { path: ^/account, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/business, role: ROLE_STAFF }
        - { path: ^/admin/dashboard, role: ROLE_STAFF }
        - { path: ^/admin, role: ROLE_ADMIN }

This is not working as expected. The problem is, when I am logged in with ROLE_STAFF it works, but when I log in with ROLE_ADMIN it throws an access denied error.
What could be the possible issue here?
Thanks.

Symfony Security FOSOAuthServerBundle public and private routes

I am using the FOSOAuthBundle for my REST application.
I would like most of my routes to require authorization; however, there are a few that should have public access.
I have the following in my security.yml:

    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: bcrypt
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
        firewalls:
            oauth_token:
                pattern: ^/login
                security: false
            api:
                pattern: ^/
                fos_oauth: true
                stateless: true
                anonymous: false
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

For example:
I have a Products entity and controller.
I would like the CRUD operations to be private except for Read.
So: POST, PUT, DELETE on /products(/:id) should be private while GET should be public.
I have tried adding the following to the access_control:

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/products$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

I thought this would open up all methods on /products, but I get the error:

    {
        "error": "access_denied",
        "error_description": "OAuth2 authentication required"
    }

I have many entities and controllers I am trying to apply this to.
How would I go about opening up specific routes (including the method requirements)?
You can make a new firewall with a regex and set it like this. You have to put it in front of your api firewall in order to match this regex first.

    api_anonym_area:
        pattern: (^/api/products/.*)
        methods: [GET]
        security: false

Or you can make it

    api_anonym_area:
        pattern: (^/api/products/.*)
        methods: [GET]
        anonymous: true

with

    access_control:
        - { path: ^/api/products/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }

In the first case you won't have a token; in the second case you will have a token (it's good when you expect authenticated or anonymous users to come).
To achieve this, the best way would be to code the permissions in the controllers; I don't think this is possible via the security.yml configuration.
You should remove:

    - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

And manage permissions inside the controller actions, for example (taken from the Symfony documentation at http://symfony.com/doc/current/security.html):

    public function updateProduct($id)
    {
        // The second parameter is used to specify on what object the role is tested.
        $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

        // Old way:
        // if (false === $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
        //     throw $this->createAccessDeniedException('Unable to access this page!');
        // }

        // ...
    }

Symfony 3 | FOSUser Block registration if connected

I'm using FOSUser and I would like to return an exception or simply block access to registration if the user is already connected. When I'm connected, by URL, I can still go to /register.
This is my access_control:

    access_control:
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }

I could override the registration controller action and return an AccessDeniedException, but I'm sure there is a better solution, with security.yml maybe?
If you add this:

    - { path: ^/register, role: ROLE_ADMIN }

then use:

    php bin/console fos:user:promote user_name ROLE_ADMIN

to add "user_name" to ROLE_ADMIN; then other users will get an Access Denied message.
I finally found the answer. I have to use Voters to check user permissions.
This is the doc: http://symfony.com/doc/current/cookbook/security/voters.html
And there is a great example here: http://henrik.bjrnskov.dk/symfony2-anonymous-users-access/
And this is what I have:

    - { path: ^/register, role: IS_ANONYMOUS }

How to authenticate ROLE_USER and ROLE_ADMIN separately in FOSUserBundle

I have made two different login sections on my website, one for the admin section and another for frontend users.
When I log into the frontend it logs in. The problem is that when I try to log in to the admin section it throws an access denied error.
Is it possible to make two different login sessions so that both login sessions are independent of each other?
You don't show security.yml, so there is no way to know for sure:
try deleting this row:

    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

but most likely you have something like this in your security.yml:

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/, role: ROLE_USER }

and your login page is on the URL /admin/login/,
so it requires ROLE_ADMIN to access the login page before you can log in as admin.

Symfony2 firewall, ROLE_USER has access to /admin

I have a problem with the firewall thing in Symfony2.
I have these in my security.yml file:

    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin, role: ROLE_ADMIN }
    - { path: ^/users, role: ROLE_ADMIN }

In my menu builder I'm using isGranted and this works perfectly: if I log in with my ROLE_USER user, the menu does not build the admin menu.
But if I manually type /admin in the browser I get the admin pages (this happens both in the production and dev environment).
In the toolbar in the dev env I can see the user doesn't have the ROLE_ADMIN role.
If I don't log in at all, I only see the login page, so everything is fine here.
Full security.yml: https://gist.github.com/lsv/2e9dce622fd82d31853c
Full config.yml: https://gist.github.com/lsv/ec87592f911262af5417
I'm using FOSUserBundle.
Entries in access_control should be in order from more specific to more general. So, in your case, they should be in the following order:

    - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
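The three access_control threads on this page (the query-string rule that never matches, ROLE_ADMIN being refused on /admin/dashboard, and ROLE_USER reaching /admin) all come down to two evaluation properties: the `path` regex is tested against the request path info, which never contains the query string, and the first rule that matches decides the outcome. The following Python model is an added illustration and is neither code from any of the posts nor Symfony's own implementation; `Rule`, `decide`, `expand_roles` and the `q*`/`register_access` helpers are my own names, the rules and roles are copied from the questions, and the `methods`/hierarchy handling is a simplification of what Symfony's AccessListener and role_hierarchy do. The `/products` case uses access_control's own `methods` option instead of the separate firewall shown in the accepted answer, so it demonstrates the same goal by a different route.

```python
import re
from dataclasses import dataclass, field

# Constructed model of Symfony access_control evaluation (not Symfony code):
# rules are tried in order against the path info (query string excluded),
# the first matching rule decides, and roles expand through role_hierarchy.

@dataclass
class Rule:
    path: str                                    # regex, e.g. "^/admin"
    roles: list                                  # holding any one of these grants access
    methods: list = field(default_factory=list)  # empty list = any HTTP method


def expand_roles(roles, hierarchy):
    """Close a set of roles under a role_hierarchy map (parent -> child or children)."""
    reachable, todo = set(roles), list(roles)
    while todo:
        children = hierarchy.get(todo.pop(), [])
        for child in ([children] if isinstance(children, str) else children):
            if child not in reachable:
                reachable.add(child)
                todo.append(child)
    return reachable


def granted_attributes(user_roles, hierarchy):
    """Attributes a token holds: its (expanded) roles plus the built-in IS_* pseudo-roles."""
    attrs = expand_roles(user_roles, hierarchy)
    attrs.add("IS_AUTHENTICATED_ANONYMOUSLY")     # held by everyone, logged in or not
    if user_roles:
        attrs.add("IS_AUTHENTICATED_FULLY")
    else:
        attrs.add("IS_ANONYMOUS")                 # held only when nobody is logged in
    return attrs


def path_info(url):
    """access_control sees path info only, so the query string is dropped."""
    return url.split("?", 1)[0]


def decide(rules, url, method, user_roles, hierarchy=None):
    """Return ("allow"|"deny", path of the rule that matched, or None if no rule applies)."""
    attrs = granted_attributes(user_roles, hierarchy or {})
    info = path_info(url)
    for rule in rules:
        if rule.methods and method not in rule.methods:
            continue
        if re.search(rule.path, info):            # first matching rule decides
            ok = any(r in attrs for r in rule.roles)
            return ("allow" if ok else "deny", rule.path)
    return ("allow", None)                         # access_control imposes nothing here


# Question 1: "^/admin?select=pending" can never match "/admin?select=pending".
# The query string is not part of path info, and inside a regex the "?" only makes
# the preceding "n" optional, so the rule is dead and "^/admin" (ROLE_ADMIN) wins.
Q1_RULES = [Rule("^/admin?select=pending", ["ROLE_ADMIN", "ROLE_CONTENT"]),
            Rule("^/admin", ["ROLE_ADMIN"])]

def q1_content_editor():
    return decide(Q1_RULES, "/admin?select=pending", "GET", ["ROLE_CONTENT"])


# Question 2: ROLE_ADMIN is refused on /admin/dashboard because the more specific
# ROLE_STAFF rule matches first and ROLE_ADMIN does not imply ROLE_STAFF. Listing
# both roles on that rule, or declaring a role_hierarchy, resolves it.
Q2_RULES = [Rule("^/account", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
            Rule("^/admin/business", ["ROLE_STAFF"]),
            Rule("^/admin/dashboard", ["ROLE_STAFF"]),
            Rule("^/admin", ["ROLE_ADMIN"])]

def q2_admin(with_hierarchy):
    hierarchy = {"ROLE_ADMIN": ["ROLE_STAFF"]} if with_hierarchy else {}
    return decide(Q2_RULES, "/admin/dashboard", "GET", ["ROLE_ADMIN"], hierarchy)


# Products question, done with access_control's `methods` option (assumed
# equivalent goal to the firewall answer): anonymous GET allowed, anonymous POST not.
PRODUCT_RULES = [Rule("^/products", ["IS_AUTHENTICATED_ANONYMOUSLY"], methods=["GET"]),
                 Rule("^/", ["IS_AUTHENTICATED_FULLY"])]

def anonymous_products(method):
    return decide(PRODUCT_RULES, "/products/42", method, [])


# FOSUser registration: IS_ANONYMOUS is held only by unauthenticated tokens,
# so a logged-in user is refused at /register while a visitor still gets in.
def register_access(user_roles):
    return decide([Rule("^/register", ["IS_ANONYMOUS"])], "/register", "GET", user_roles)


# Last question: with "^/" first, /admin is settled by the ROLE_USER rule before
# "^/admin" is ever consulted; specific-before-general ordering fixes it.
def last_question(reordered):
    rules = [Rule("^/", ["ROLE_USER"]), Rule("^/admin", ["ROLE_ADMIN"])]
    if reordered:
        rules.reverse()
    return decide(rules, "/admin", "GET", ["ROLE_USER"])
```

Each helper returns the verdict together with the rule that produced it, which is the quickest way to see why a configuration misbehaves: when the returned rule is not the one you expected, the fix is ordering or a dead pattern, not the roles. A real Symfony deployment offers the same diagnostic through the security panel of the web profiler toolbar.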
