Grant Multiple ROLE Security.yml - symfony

I want a user with the role ROLE_USER_1 or ROLE_USER_2 to be able to get to ^/(de|en)/secured/account/. But I don't want, e.g., a user with ROLE_USER_2 to be able to go to ^/(de|en)/secured/account/profile or any other action. A user with the role ROLE_USER_2 can only go to ^/(de|en)/secured/account/.
What is wrong with my security.yml?
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_USER_B2B: ROLE_USER_B2B_INACTIVE
access_control:
    - { path: ^/(en|de)/secured/account/$, roles: [ROLE_USER_B2B_INACTIVE, ROLE_USER_B2B] }
    - { path: ^/(en|de)/secured/account/*, roles: ROLE_USER_B2B }

My answer, which is working! I just had to switch the first roles! A little bit stupid. And I uncommented the role hierarchy with ROLE_USER_B2B.
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
access_control:
    - { path: ^/(en|de)/secured/b2b/account/$, roles: [ROLE_USER_B2B, ROLE_USER_B2B_INACTIVE] }
    - { path: ^/(en|de)/secured/b2b/account/*, roles: ROLE_USER_B2B }

Symfony access_control for admin not working

My security code is:
security:
    access_control:
        - { path: '^/(%app.locales%)/profile/messages', roles: [ROLE_ADMIN] }
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]
The user has the role ROLE_ADMIN, but gets access denied. If I change the code to:
security:
    access_control:
        - { path: '^/(%app.locales%)/profile/messages', roles: [ROLE_USER] }
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]
everything is OK. I have access. Where is my error?
The problem was that I changed the role through the database. In order for this to apply, it was necessary to log out and log in.

Symfony Role Rules for Routes - Access Denied

I am having issues securing a route 'dashboard' to a custom user role. I am using FOSUserBundle and I am aware that, due to FOSUserBundle, users are given ROLE_USER by default - even though this role does appear in the user table.
On user sign-in (this happens via Steam) I add a new custom role:
$user->setRoles(['ROLE_LOGGED_STEAM_USER']);
My issue flows as such: user hits site - user logs in - redirect to dashboard route - access denied error.
I have also disabled the security line and dumped out the ROLES, which I can pull from the token's user object, to confirm the ROLE exists and matches the rule.
Here is my security ACL:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        steamauth:
            id: steam.user_provider
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            provider: steamauth
            pattern: ^/
            # the two form_login blocks of the original post merged into one
            # (YAML keeps only the last duplicate key, which would drop the provider)
            form_login:
                provider: fos_userbundle
                login_path: login
                check_path: login_check
            logout: true
            anonymous: true
            steam:
                default_route: controller.dashboard.home
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/dashboard, role: ROLE_LOGGED_STEAM_USER }
Initially, I wasn't aware that all roles had to begin with ROLE_*.
Here is a screenshot of the user entry with the role attached.
I hope it's something simple I've just overlooked, so any help would be great!
Thanks in advance for any help/suggestions!
Not sure, but I think you have a typo; please try changing role to roles with an "s":
    - { path: ^/dashboard, roles: ROLE_LOGGED_STEAM_USER }
I think you must register your custom role in the role_hierarchy, so the code will be:
role_hierarchy:
    ROLE_ADMIN: [ROLE_USER, ROLE_LOGGED_STEAM_USER]
    ROLE_SUPER_ADMIN: ROLE_ADMIN
Hope it helps.

Symfony Role and security explained

I'm trying to learn Symfony roles and security. My current security.yml file looks like this:
role_hierarchy:
    ROLE_USER: ROLE_DO_ALMOST_NOTHING
    ROLE_EDITOR: [ ROLE_USER, ROLE_ALLOWED_TO_EDIT ]
    ROLE_CONTRIBUTOR: [ ROLE_EDITOR, ROLE_ALLOWED_TO_CONTRIBUTE ]
    ROLE_ADMIN: [ ROLE_CONTRIBUTOR ]
    ROLE_SUPER_ADMIN: [ ROLE_ADMIN, ROLE_ALLOWED_TO_DO_ANY_THING ]
access_control:
    - { path: ^/admin, roles: ROLE_USER }
    - { path: ^/admin/editor, roles: ROLE_ADMIN }
    - { path: ^/editor, roles: ROLE_EDITOR }
    - { path: ^/contributor, roles: ROLE_CONTRIBUTOR }
    - { path: ^/super, roles: ROLE_SUPER_ADMIN }
And I'm using this setup for my users:
providers:
    in_memory:
        memory:
            users:
                person:
                    password: password!
                    roles: 'ROLE_USER'
                admin:
                    password: password2
                    roles: 'ROLE_ADMIN'
Here is my problem. I've been messing around with the access_control portion of security; however, the path ^/admin/editor with the roles marked as ROLE_ADMIN will allow the user person to access the route even though the person user doesn't have the role ROLE_ADMIN. I was wondering if this is because the route itself is shared by the same controller as the ^/admin route? Or does someone see where I might have gone wrong with the code, since the user person can access a route that they shouldn't?
The other routes:
    - { path: ^/editor, roles: ROLE_EDITOR }
    - { path: ^/contributor, roles: ROLE_CONTRIBUTOR }
    - { path: ^/super, roles: ROLE_SUPER_ADMIN }
work as expected.
The issue is that you are matching /admin before you match /admin/editor, and /admin only requires the ROLE_USER role. When you have:
    - { path: ^/admin, roles: ROLE_USER }
that matches everything that starts with /admin, including /admin/editor. As soon as Symfony finds the first matching rule it will not check the rest of them.
So your ^/admin/editor check is never reached. Try this instead:
access_control:
    - { path: ^/admin/editor, roles: ROLE_ADMIN }
    - { path: ^/admin, roles: ROLE_USER }
    - { path: ^/editor, roles: ROLE_EDITOR }
    - { path: ^/contributor, roles: ROLE_CONTRIBUTOR }
    - { path: ^/super, roles: ROLE_SUPER_ADMIN }
As a good rule of thumb, your most granular/specific routes should be put first. Any sub-routes should always be put ahead of the main route.

Allow admin user all access in access_control in security.yml

Noob question: I'm working in Symfony 2.8 and I want to grant all access to the role ROLE_ADMIN in access control. Is there a way to do this without writing 'ROLE_ADMIN' in every rule in access_control?
What I'm trying to avoid in my security.yml is going from this:
access_control:
    - { path: ^/application, roles: ROLE_STUDENT }
    - { path: ^/keyword, roles: ROLE_MENTOR }
    - { path: ^/department, roles: ROLE_ADMIN }
    - { path: ^/requirement, roles: ROLE_MENTOR }
to this:
access_control:
    - { path: ^/application, roles: [ROLE_ADMIN, ROLE_STUDENT] }
    - { path: ^/keyword, roles: [ROLE_ADMIN, ROLE_MENTOR] }
    - { path: ^/department, roles: ROLE_ADMIN }
    - { path: ^/requirement, roles: [ROLE_ADMIN, ROLE_MENTOR] }
in a much larger file.
Yes, you can add a role hierarchy:
security:
    role_hierarchy:
        ROLE_ADMIN: [ROLE_STUDENT, ROLE_MENTOR]
That way, if you have ROLE_ADMIN, you also have ROLE_STUDENT and ROLE_MENTOR.

Symfony Security: Auth is not needed even if user doesn't match role

I encountered a strange issue. I have the following security.yml:
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_USER:
        ROLE_EDITOR: [ROLE_USER]
        ROLE_ADMIN: [ROLE_USER, ROLE_EDITOR]
    providers:
        in_memory:
            memory:
                users:
                    admin: { password: 123456, roles: [ 'ROLE_ADMIN' ] }
                    editor: { password: 123456, roles: [ 'ROLE_EDITOR' ] }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        backend:
            pattern: ^/backend
            anonymous: ~
            provider: in_memory
            form_login:
                login_path: backend_login
                check_path: backend_login_check
    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY, host: example\.com$ }
        - { path: ^/backend_login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/backend, roles: ROLE_ADMIN }
        - { path: ^/user/fetch, roles: ROLE_USER }
        - { path: ^/level, roles: ROLE_USER }
        - { path: ^/gallery, roles: ROLE_USER }
I have a Windows development machine with XAMPP running and everything works properly. I can log in to the backend, and if I'm not logged in and try to open a backend route, I'm redirected to the login page.
This is my routing portion:
backend_login:
    pattern: /backend_login
    defaults: { _controller: FooBackendBundle:Security:login }
backend_login_check:
    pattern: /backend/login_check
But when I upload it to my integration Linux server, I can open the backend without having to log in. It seems like Symfony does not care about the role the current user has.
The code and the Symfony version are both exactly the same (Symfony 2.3).
If I remove the anonymous: ~ part from the backend firewall, it redirects to the login page, but also creates an infinite redirection loop.
Does anybody have an idea how to solve this?
From the Symfony documentation:
For each incoming request, Symfony checks each access_control entry to find one that matches the current request. As soon as it finds a matching access_control entry, it stops - only the first matching access_control is used to enforce access.
When you set access_control in your security config, you want to put your least-restrictive matches last. In your case you will always match on the first pattern, since all routes match ^/ and therefore do not require any authentication. Change your access_control to this:
access_control:
    - { path: ^/backend_login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backend, roles: ROLE_ADMIN }
    - { path: ^/user/fetch, roles: ROLE_USER }
    - { path: ^/level, roles: ROLE_USER }
    - { path: ^/gallery, roles: ROLE_USER }
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
I removed the host parameter as it didn't seem relevant.
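The "first matching access_control entry wins" rule behind this answer and the earlier ^/admin vs ^/admin/editor answer is easy to get wrong by eye, so here is a small Python model of it, added as an illustration and not part of any of the posts above or of Symfony itself. It resolves a role_hierarchy to the user's effective roles, picks the first access_control rule whose regex matches the request path, and includes a lint function that flags rules shadowed by an earlier catch-all. The rule lists and the hierarchy are constructed to mirror the configs in the thread; they are not copied from a real application.

```python
"""Model of Symfony access_control matching: the first matching rule wins."""
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Sequence, Tuple

# (path regex, roles any one of which satisfies the rule): the shape of an
# access_control entry in security.yml. Constructed sample data below.
AccessRule = Tuple[str, Sequence[str]]

# Constructed hierarchy in the style of the role_hierarchy blocks above.
ROLE_HIERARCHY: Dict[str, List[str]] = {
    "ROLE_EDITOR": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_EDITOR"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"],
}

# The ordering from the question: ^/ catches every request first.
BROKEN_RULES: List[AccessRule] = [
    (r"^/", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/backend_login", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/backend", ["ROLE_ADMIN"]),
]
# The ordering from the answer: specific rules first, catch-all last.
FIXED_RULES: List[AccessRule] = [
    (r"^/backend_login", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/backend", ["ROLE_ADMIN"]),
    (r"^/", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
]


def reachable_roles(granted: Iterable[str], hierarchy: Dict[str, List[str]]) -> FrozenSet[str]:
    """Transitive closure of the user's roles over role_hierarchy."""
    seen = set()
    stack = list(granted)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, []))
    return frozenset(seen)


def first_matching_rule(path: str, rules: Sequence[AccessRule]) -> Optional[int]:
    """Index of the first rule whose regex matches the path, or None."""
    for i, (pattern, _) in enumerate(rules):
        if re.search(pattern, path):
            return i
    return None


def is_granted(path: str, user_roles: Iterable[str], rules: Sequence[AccessRule],
               hierarchy: Dict[str, List[str]] = ROLE_HIERARCHY) -> bool:
    """Decide access the way access_control does: only the first match counts."""
    idx = first_matching_rule(path, rules)
    if idx is None:
        return True  # no entry matches: access_control imposes nothing here
    required = rules[idx][1]
    if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return True  # anonymous and authenticated users both pass
    effective = reachable_roles(user_roles, hierarchy)
    return any(role in effective for role in required)  # any one role suffices


_REGEX_META = set(".*+?()[]{}|\\")


def shadowed_rules(rules: Sequence[AccessRule]) -> List[Tuple[int, int]]:
    """Return (rule_index, earlier_index) pairs where an earlier rule already
    matches the later rule's own prefix path, so the later rule can never fire.
    Only plain anchored prefixes such as ^/backend are checked; patterns with
    alternations or classes are skipped rather than guessed at."""
    found = []
    for i, (pattern, _) in enumerate(rules):
        literal = pattern.lstrip("^").rstrip("$")
        if _REGEX_META & set(literal):
            continue
        for j in range(i):
            if re.search(rules[j][0], literal):
                found.append((i, j))
                break
    return found


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "anonymous -> /backend granted:", is_granted("/backend", [], rules))
        print(name, "shadowed rules:", shadowed_rules(rules))
```

With the broken ordering an anonymous request to /backend is granted because ^/ matches first; with the fixed ordering it is denied, and a user holding ROLE_SUPER_ADMIN is let in through the hierarchy. The same lint reports the ^/admin-before-^/admin/editor ordering from the earlier question as shadowed.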