Develop Reference

How to do test the access control system in Symfony 5?

I am using the new Symfony authorization system.
In the security.yaml file I have set the following access restrictions.
security:
enable_authenticator_manager: true
//....
role_hierarchy:
ROLE_ADMIN: [ROLE_USER]
access_control:
- { path: ^/login, roles: PUBLIC_ACCESS }
- { path: ^/signup, roles: PUBLIC_ACCESS }
- { path: ^/reset, roles: PUBLIC_ACCESS }
- { path: ^/, roles: ROLE_USER }
In my test, I'm trying to catch a 302 redirect.
$client = static::createClient();
$client->request('GET', '/');
$this->assertSame(302, $client->getResponse()->getStatusCode());
But I get the following error message.
Failed asserting that 500 is identical to 302.
Please note that I am getting 500 error instead of 403 redirect code.
Then I try to trace the request with.
$client->catchExceptions(false);
And I see the following request stack.
There was 1 error:
App\Tests\Functional\HomeTest::testGuest
Symfony\Component\Security\Core\Exception\AccessDeniedException:
Access Denied.
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-http\Firewall\AccessListener.php:112
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-http\Firewall\AccessListener.php:106
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-bundle\Debug\WrappedLazyListener.php:49
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-bundle\Security\LazyFirewallContext.php:60
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-bundle\Debug\TraceableFirewallListener.php:59
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\security-http\Firewall.php:86
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\event-dispatcher\Debug\WrappedListener.php:117
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\event-dispatcher\EventDispatcher.php:230
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\event-dispatcher\EventDispatcher.php:59
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\event-dispatcher\Debug\TraceableEventDispatcher.php:151
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\http-kernel\HttpKernel.php:132
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\http-kernel\HttpKernel.php:78
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\http-kernel\Kernel.php:199
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\http-kernel\HttpKernelBrowser.php:65
C:\Users\webgr\projects\project-manager\manager\vendor\symfony\framework-bundle\KernelBrowser.php:169 C:\Users\webgr\projects\project-manager\manager\vendor\symfony\browser-kit\AbstractBrowser.php:402
C:\Users\webgr\projects\project-manager\manager\tests\Functional\HomeTest.php:15
Why I can't do test the "access control"?
Why am I getting a 500 server error instead of a simple redirect 302 while testing?
I would be glad to any suggestion.
Thank you in advance.
Here's another thing I would like to add, it is quite possible that this information can be decisive. My site is running with https.

Finally, I figured out what the problem was I added the following lines to framework.yaml and everything worked.
when#test:
framework:
test: true
session:
storage_factory_id: session.storage.factory.mock_file

User Role based routes in Symfony

I've got five types of roles in my Symfony project.
I want to create restrictions for each role, so that they will have access to specific routes. They will not be able to access others paths. I want to do this in an efficient way like Laravel uses middleware in the routes for access. Is there any way like this in Symfony?

You could do that in different ways, and it depends on your Symfony version.
In the older Symfony versions, the most common way to restrict access to certain routes is adding into config/packages/security.yaml some parameters such as:
access_control:
- { path: '^/agent', roles: ROLE_AGENT }
- { path: '^/profile', roles: ROLE_USER }
- { path: '^/admin', roles: ROLE_ADMIN }
- { path: '^/admin/statistics', roles: ROLE_SUPER_ADMIN }
Also, it's good practice to define the role hierarchy into the same file config/packages/security.yaml :
`role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN`
Hence, the users with a SUPER_ADMIN_ROLE will have access to routes restricted to ROLE_ADMIN.
However, my recommendation is if you've several parts to restrict define the general access roles into the config/packages/security.yaml file such as and define a role hierarchy as I said before:
access_control:
- { path: '^/admin', roles: ROLE_ADMIN }
- { path: '^/profile', roles: ROLE_USER }
Then restrict the other routes using annotations thanks to SensioFrameworkExtraBundle, for example:
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
/**
* Require ROLE_ADMIN_SYSTEMS for *every* controller method in this class.
*
* #IsGranted("ROLE_ADMIN_SYSTEMS")
*/
public function YourFunction() { }
For more information look into official Symfony Docs that are very clear. Symfony Security official documentation
I hope this could help you, if you've any other doubts just tell me,
Kind regards.

Install FOS UserBundle

I'm following a tutorial to install this FOSUserBundle to my project.
I got my information from this french tutorial: http://www.tutodidacte.com/symfony2-installer-fosuserbundle
So I did those commands:
php ./composer.phar require friendsofsymfony/user-bundle "~2.0#dev"
php composer.phar update
Then I created a new Bundle,
php bin/console generate:bundle
Bundle Namespace : Kingdom/UserBundle
But after doing that, in the AppKernel i can see the new UserBundle, mais the FOSUserBundle isn't here.
I try to add it by myself writting it in the file; but after when i try to create an entity we can see something is clearly wrong.
Sorry for the presentation of this below...I haven't succeed to print it correctly.
php bin/console generate:doctrine:entity
Fatal error: Uncaught exception 'Symfony\Component\Config\Definition\Exception\I
nvalidConfigurationException' with message 'The child node "db_driver" at path "
fos_user" must be configured.' in C:\wamp\www\Kingdom\vendor\symfony\symfony\src
\Symfony\Component\Config\Definition\ArrayNode.php:240
Stack trace:
0 C:\wamp\www\Kingdom\vendor\symfony\symfony\src\Symfony\Component\Config\Defin
ition\BaseNode.php(303): Symfony\Component\Config\Definition\ArrayNode->finalize
Value(Array)
1 C:\wamp\www\Kingdom\vendor\symfony\symfony\src\Symfony\Component\Config\Defin
ition\Processor.php(37): Symfony\Component\Config\Definition\BaseNode->finalize(
Array)
2 C:\wamp\www\Kingdom\vendor\symfony\symfony\src\Symfony\Component\Config\Defin
ition\Processor.php(50): Symfony\Component\Config\Definition\Processor->process(
Object(Symfony\Component\Config\Definition\ArrayNode), Array)
3 C:\wamp\www\Kingdom\vendor\friendsofsymfony\user-bundle\DependencyInjection\F
OSUserExtension.php(51): Symfony\Component\Config\Definition\Processor->processC
onfigur in C:\wamp\www\Kingdom\vendor\symfony\symfony\src\Symfony\Component\Conf
ig\Definition\ArrayNode.php on line 240

It seems you haven't properly configured the bundle. Follow the steps here:
http://symfony.com/doc/current/bundles/FOSUserBundle/index.html
In your case, it seems you are missing at least this:
http://symfony.com/doc/current/bundles/FOSUserBundle/index.html#step-5-configure-the-fosuserbundle
EDIT: After reading your question again, it seems you're not loading the bundle properly, as described here:
http://symfony.com/doc/master/bundles/FOSUserBundle/index.html#step-2-enable-the-bundle

After Installation A bundle needs to be enabled in AppKernel.php file. FOSUserBundle needs a bit of configuration to make it work properly I have written a simple and easy guide on it:
https://www.cloudways.com/blog/implement-fosuserbundle-in-symfony-3-1/
Installation:
composer require friendsofsymfony/user-bundle "~2.0#dev"
Enabling Bundle in AppKernel.php
After installing FOSUserBundle you must enable it in the project. Go to app/config/AppKernel.php and add the highlighted line in the bundles array.
$bundles = [
...
new FOS\UserBundle\FOSUserBundle(),
]
Create User Entity
Create the User entity as you are creating above :)
Configuring Security.yml file
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
# if you are using Symfony < 2.8, use the following config instead:
# csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
Configure FOSUserBundle in a Config
Add this config in config.yml
fos_user:
db_driver: orm
firewall_name: main
user_class: AppBundle\Entity\User
Importing Route files of FOSUserBundle
Add this to import routes in Routing.yml
fos_user:
resource: "#FOSUserBundle/Resources/config/routing/all.xml"
Updating Database Schema
The last step is to update the database schema to create table in the database.
php bin/console doctrine:schema:update --force
Now move to the app URL add /login in it you will see the login page.

How to allow access only to a local subnet using access control in symfony 2?

Assuming I have /localnetwork, I want only to give access to the local network which usually has ips in this range 10.4.X.X
security:
firewalls:
localnetwork:
pattern: ^/localnetwork
anonymous: ~
access_control:
- { path: ^/localnetwork, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips : [ '10.4.X.X'] }
- { path: ^/localnetwork, roles: ROLE_NO_ACCESS}
So the question is : How can it be done in symfony . what should I add instead of 10.4.X.X ?

Symfony accepts a subnet in CIDR notation. In your case you can use 10.4.0.0/16

Symfony2 Firewall: User has right role but "Access denied"

I can't get my firewall rule working correctly. I have a user that has the role D-COMPLIANCEDIALOG, and a firewall rule, that grants access to that rule: - { path: ^/ , roles: D-COMPLIANCEDIALOG }. I still get an access denied (Access denied, the user is neither anonymous, nor remember-me.).
#security.yml
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
providers:
reddot:
id: reddot_user_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
secured_area:
pattern: ^/
anonymous: ~
http_basic: ~
simple_form:
authenticator: reddot_authenticator
check_path: login_check
login_path: login
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/ , roles: D-COMPLIANCEDIALOG }
User data from symfony profiler:
Username admin
Authenticated? yes
Roles [D-COMPLIANCEDIALOG]
Inherited Roles { }
Token class Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
What I checked:
The controller has no own security settings
The role name does not seem to have a typo
It is really the last line in the firewall rule, if I remove it, I do have access.

The role name is incorrect. Please check the documentation Security - Roles
All roles you assign to a user must begin with the ROLE_ prefix. Otherwise, they won't be handled by Symfony's security system in the normal way (i.e. unless you're doing something advanced, assigning a role like FOO to a user and then checking for FOO as described below will not work).
I have faced the same issue when entered 'incorrect' role name and was confused by the error message too.

Although Symfony suggest prefixing the roles with ROLE_.. You can still use your custom roles via Securing by an Expression like:
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/ , allow_if: "has_role('D-COMPLIANCEDIALOG')"}