Okay, so I'm trying to set up my security in Symfony2 via config. I have created a role_hierarchy:
role_hierarchy:
    ROLE_USER_ADMIN: ROLE_USER
    ROLE_VENDOR: ROLE_USER
    ROLE_SUPER_ADMIN: [ROLE_VENDOR, ROLE_USER_ADMIN, ROLE_ALLOWED_TO_SWITCH]
And I've set up my access_control:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/administration/, roles: ROLE_VENDOR }
    - { path: ^/administration/vendor/new, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/taxonomy, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/property, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/usagelimit, roles: ROLE_SUPER_ADMIN }
    - { path: ^/account, roles: ROLE_USER }
    - { path: ^/library, roles: ROLE_USER }
    - { path: ^/profile, roles: ROLE_USER }
    - { path: ^/vendors, roles: ROLE_USER }
    - { path: ^/community, roles: ROLE_USER }
And yet, when I log in with a user who has only "ROLE_VENDOR", I can access routes like /administration/taxonomy, /administration/property, etc.
What am I doing wrong?
Your routes are in the wrong order.
It's first come, first served: everything under /administration/ is being caught by that directive first, and so access is allowed to ROLE_VENDOR.
You should change it to:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # - { path: ^/administration/, roles: ROLE_VENDOR }   # Old home...
    - { path: ^/administration/vendor/new, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/taxonomy, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/property, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/usagelimit, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/, roles: ROLE_VENDOR }   # New home... (a YAML comment starts with #, not //)
    - { path: ^/account, roles: ROLE_USER }
    - { path: ^/library, roles: ROLE_USER }
    - { path: ^/profile, roles: ROLE_USER }
    - { path: ^/vendors, roles: ROLE_USER }
    - { path: ^/community, roles: ROLE_USER }
Related
I'm new to eZ Publish and Symfony. We have an application in eZ Publish where a user can log in with his username and password.
Even after giving correct credentials it redirects to the login page.
We are able to log in to the back office with the same credentials. We are facing the issue only for end-user login to the front office.
Using eZ Publish version 5.4.
Following is my security.yml file:
security:
    providers:
        ezpublish:
            id: ezpublish.security.user_provider
    role_hierarchy:
        ROLE_USER: []
        ROLE_RISKMANAGER: [ROLE_USER]
        ROLE_MANAGER: [ROLE_RISKMANAGER]
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        ezpublish_setup:
            pattern: ^/ezsetup
            security: false
        ezpublish_rest_forgotpassword:
            pattern: ^/api/ezp/v2/user/forgotpassword
            anonymous: ~
            #security: false
            stateless: true
        ezpublish_rest:
            pattern: ^/api/ezp/v2
            stateless: true
            ezpublish_http_basic:
                realm: eZ Publish REST API
        ezpublish_front:
            pattern: ^/
            anonymous: ~
            ezpublish_rest_session: ~
            form_login:
                login_path: login
                check_path: login_check
                require_previous_session: false
                use_forward: false
                always_use_default_target_path: false
                default_target_path: /
                use_referer: true
                failure_path: /loginfailed
            logout: ~
            guard:
                authenticators:
                    - project.security.device_authenticator
        default:
            anonymous: ~
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        # backend
        - { path: ^/api/ezp/v2/user/forgotpassword, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/mot-de-passe-oublie, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/mot-de-passe-oublie, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/creer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/creer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/verification-email, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/verification-email, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/completer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/completer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/mise-a-jour-mot-de-passe, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/mise-a-jour-mot-de-passe, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_fos_user_context_hash, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/activer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/activer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/bo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/mot-de-passe-oublie, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/creer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/verification-email, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/completer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/mise-a-jour-mot-de-passe, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/_fos_user_context_hash, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/activer-votre-compte, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/country/polygons, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/fr/country/polygons, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/en/country/polygons, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/manage-translation, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/.*, role: ROLE_USER }
        - { path: ^/en/country/map, role: ROLE_USER }
        - { path: ^/en/, role: ROLE_USER }
You SHOULD change the default page, which is the page the user is redirected to if no previous page was stored in the session:
The value can be a relative/absolute URL or a Symfony route name:
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            form_login:
                # ...
                default_target_path: after_login_route_name
Source: official Symfony 4 documentation
https://symfony.com/doc/current/security/form_login.html
I served my domain over HTTPS instead of HTTP, and then it works.
Here is my security.yml:
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
Here is my error:
It says the YAML file is not valid. How can I proceed?
The YAML file should be indented correctly.
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
I want to authorize access to my API for only one IP. But even if I write it in the access_control of my security.yml file, it seems not to work.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/administration, role: ROLE_ADMIN }
    - { path: ^/api, role: IS_AUTHENTICATED_ANONYMOUSLY, ip: 527.0.2.1 }
The route I would like to block is everything coming after ^/api/*
Thanks for helping.
You can try this:
access_control:
    #
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] }
    - { path: ^/api, roles: ROLE_NO_ACCESS }
Replace 127.0.0.1 with your IP.
Read the official doc: Symfony, Matching access_control By IP.
I'm working on Symfony 2 and created a new action named "newAction" in "UserController":
/**
 * @Route("/new", name="user_new")
 */
public function newAction()
{
    // Role check before creating a user; the forward() call here is what raises the error quoted below.
    if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
        return $this->forward('RikkeiLunchOrderBundle:User:access_denied.html.twig', array());
    }
}
I want to check if the user has the Admin role before creating a new user. But I get this error (when the user is not an admin):
The controller for URI "/user/new" is not callable.
500 Internal Server Error - InvalidArgumentException
Below are access_control and role_hierarchy in security.yml:
access_control:
    - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/user/list, roles: ROLE_ADMIN }
    - { path: ^/user/delete, roles: ROLE_ADMIN }
    - { path: ^/order/dish/new, roles: ROLE_ADMIN }
    - { path: ^/API/admin/, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
Please help if you know the solution!
Could someone help me solve this problem with the login redirection?
The browser says that the page has made too many redirects.
Here I show my security.yml file:
firewalls:
    frontend:
        pattern: ^/
        anonymous: ~
        form_login:
            login_path: /login
            check_path: /login_check
            default_target_path: /index
            success_handler: authentication_handler
        logout:
            path: /logout
            target: /
            success_handler: authentication_handler
        security: true
        remember_me:
            key: sitio123
            lifetime: 604800 # 7 * 24 * 3600 = 604,800 = 1 week
        access_denied_handler: accessdenied_handler
access_control:
    - { path: ^/, roles: ROLE_U }
    - { path: ^/admin, roles: ROLE_A }
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/pruebita, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/prueba, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/comprobarmail, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/nuevacontrasena, roles: IS_AUTHENTICATED_ANONYMOUSLY }
providers:
    chain_provider:
        providers: [in_memory, user_db]
    in_memory:
        users:
            foo: { password: test, roles: 'ROLE_A' }
            foo1: { password: test1, roles: 'ROLE_U' }
    user_db:
        entity: { class: mio\mioBundle\Entity\Empleado, property: username }
role_hierarchy:
    ROLE_A: ROLE_U
encoders:
    mio\mioBundle\Entity\Empleado: { algorithm: sha1 }
    Symfony\Component\Security\Core\User\User: plaintext
Thank you very much for your time.
Place the anonymous access control items before the secured items:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/pruebita, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/prueba, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/comprobarmail, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/nuevacontrasena, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_U }
    - { path: ^/admin, roles: ROLE_A }
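Three of the threads on this page (the ^/administration/ ordering question at the top, the "only one IP for my API" question, and the redirect-loop question just above) come down to the same rule: Symfony walks access_control top to bottom and the first entry whose path (and ips, when given) matches the request decides, so a broad pattern placed early shadows everything after it. The following is an added example, not code from any of the posts or from Symfony itself: a small Python model of that evaluation that reads the one-line `- { path: ..., roles: ..., ips: [...] }` entries used on this page and reports which rule fires and whether the request passes. Role names, paths and IP lists are copied from the posts; the client addresses, the user role sets and the sample request paths are constructed inputs, and IS_AUTHENTICATED_ANONYMOUSLY is treated as granted to every request, which is how the Symfony 2 to 5 configurations discussed here behave.

```python
"""Model of Symfony access_control evaluation: rules are scanned top to bottom, the first
rule whose `path` regex (and `ips`, when given) matches the request wins, and only that
rule's `roles` are checked.  Added example; role names, paths and IP lists are from the
posts above, client IPs and user role sets are constructed.  IS_AUTHENTICATED_ANONYMOUSLY
is treated as granted to every request, as in Symfony 2-5 (the versions discussed here)."""
import ipaddress
import re

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"


def parse_rules(yaml_text):
    """Parse flow-style `- { path: ..., roles: ..., ips: [...] }` entries; comments are skipped."""
    rules = []
    for line in yaml_text.splitlines():
        line = line.strip()
        if not line.startswith("- {"):
            continue
        rule = {"path": None, "roles": [], "ips": []}
        for m in re.finditer(r"(\w+):\s*(\[[^\]]*\]|[^,]+)", line[3:line.rindex("}")]):
            key, val = m.group(1), m.group(2).strip()
            items = [v.strip() for v in val.strip("[]").split(",") if v.strip()]
            if key == "path":
                rule["path"] = val
            elif key in ("role", "roles"):  # Symfony accepts both spellings
                rule["roles"] = items
            elif key in ("ip", "ips"):
                rule["ips"] = items
        rules.append(rule)
    return rules


def expand_roles(roles, hierarchy):
    """Every role reachable from the user's roles, as Symfony's RoleHierarchy computes it."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(hierarchy.get(role, []))
    return seen


def ip_matches(client_ip, ips):
    """No `ips` on the rule matches every client; otherwise the client must be in one of the listed addresses/CIDRs."""
    if not ips:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ips)


def decide(rules, path, user_roles, hierarchy=None, client_ip="203.0.113.5"):
    """Return (index of the first matching rule, allowed); no matching rule means (None, True)."""
    granted = expand_roles(user_roles, hierarchy or {}) | {ANON}
    for i, rule in enumerate(rules):
        if re.search(rule["path"], path) and ip_matches(client_ip, rule["ips"]):
            return i, any(r in granted for r in rule["roles"])
    return None, True


def login_loops(rules, login_path, hierarchy=None):
    """True when an anonymous user is denied on the login page itself (denial redirects back to it)."""
    return not decide(rules, login_path, [], hierarchy)[1]


# role_hierarchy from the first post
HIERARCHY = {"ROLE_USER_ADMIN": ["ROLE_USER"], "ROLE_VENDOR": ["ROLE_USER"],
             "ROLE_SUPER_ADMIN": ["ROLE_VENDOR", "ROLE_USER_ADMIN", "ROLE_ALLOWED_TO_SWITCH"]}
# first post: broad ^/administration/ rule before (wrong) and after (fixed) the specific ones
WRONG_ORDER = """
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/administration/, roles: ROLE_VENDOR }
    - { path: ^/administration/taxonomy, roles: ROLE_SUPER_ADMIN }
"""
FIXED_ORDER = """
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/administration/taxonomy, roles: ROLE_SUPER_ADMIN }
    - { path: ^/administration/, roles: ROLE_VENDOR }
"""
# API post: allow-list by IP, then deny everyone else with a role nobody holds
IP_RULES = """
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] }
    - { path: ^/api, roles: ROLE_NO_ACCESS }
"""
# redirect-loop post: ^/ listed before ^/login
LOOP_RULES = """
    - { path: ^/, roles: ROLE_U }
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
"""


def vendor_can_open_taxonomy(rules_text):
    return decide(parse_rules(rules_text), "/administration/taxonomy", ["ROLE_VENDOR"], HIERARCHY)[1]


def api_allowed(client_ip):
    return decide(parse_rules(IP_RULES), "/api/items", [], client_ip=client_ip)[1]


if __name__ == "__main__":
    print("ROLE_VENDOR on /administration/taxonomy, original order:", vendor_can_open_taxonomy(WRONG_ORDER))
    print("ROLE_VENDOR on /administration/taxonomy, reordered:", vendor_can_open_taxonomy(FIXED_ORDER))
    print("/api from 127.0.0.1:", api_allowed("127.0.0.1"), "| from 203.0.113.5:", api_allowed("203.0.113.5"))
    print("/login loops when ^/ comes first:", login_loops(parse_rules(LOOP_RULES), "/login"))
```

Running it prints True for the vendor with the original order and False after the reorder, True/False for the API depending on the client address (the second ^/api rule with a role nobody holds is what turns the IP list into a deny-by-default), and True for the redirect loop, because with ^/ first an anonymous request to /login is refused and the firewall answers by redirecting to /login again. The parser only understands the one-line flow style shown on this page, and an invalid address such as the 527.0.2.1 in the API question raises ValueError from ipaddress rather than silently matching nothing.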