I have this configuration for firewall :
$app->register(new Silex\Provider\SecurityServiceProvider(), array(
'admin' => array(
'pattern' => '^/admin',
'form' => array(
'login_path' => '/#login',
'check_path' => '/admin/login_check',
),
'logout' => array(
'logout_path' => '/admin/logout',
)
),
'unsecured' => array(
'anonymous' => true,
'pattern' => '^.*$',
),
));
and also this for security.rules :
$app['security.access_rules'] = array(
array('^/admin', 'ROLE_ADMIN'),
array('.*', 'IS_AUTHENTICATED_ANONYMOUSLY'),
);
I see this answer : Silex/Symfony Security Firewall Access user token outside the secured area
But the problem is, I can not access the app.user in "/" page and is_granted (in twig) always return false to any input.
I don't know if the ACL mentioned in that answer is something else (other than the access_rules) or I do something wrong.
I believe a user (token) is only accessible within the firewall that logged it in. So as long as you are within /admin part of your site you would have access to the app.user, but not within the "unsecured" firewall.
To have the behaviour you are looking for, you need to have one overall/sitewide firewall with the pattern of ^/ and then use access rules to restrict access to /admin.
$app->register(new Silex\Provider\SecurityServiceProvider(), array(
'main' => array(
'pattern' => '^/',
'anonymous' => true,
'form' => array(
'login_path' => '/#login',
'check_path' => '/admin/login_check',
),
'logout' => array(
'logout_path' => '/admin/logout',
)
),
));
$app['security.access_rules'] = array(
array('^/admin', 'ROLE_ADMIN'),
array('^/', 'IS_AUTHENTICATED_ANONYMOUSLY'),
);
So a brand new user to your site would be immediately authenticated anonymously, until they login with a role that allows them to access /admin.
It's also worth noting that if you were to have your login form within admin area, as something like /admin/login. Them you would need to add an anonymous access rule for the login URL.
Hope this helps!
Related
I'm using the wp_login_form() in my header so that people can log in to my site.
When they click a user icon in the header area, a modal is opened where they can input their username and password and press login.
When they log in, they get redirected to my start page, even though the default value regarding redirect (current page) is inserted. I want them to stay on the current page where they clicked the user icon in the header after they've logged in. Is it possible?
See the code below. I guess I need to change the string after redirect. Is there any alternative ways of getting the current page than the usual one?
$args = array(
'echo' => true,
'remember' => true,
'redirect' => ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
'form_id' => 'loginform',
'id_username' => 'user_login',
'id_password' => 'user_pass',
'id_remember' => 'rememberme',
'id_submit' => 'wp-submit',
'label_username' => __( 'Username or Email Address' ),
'label_password' => __( 'Password' ),
'label_remember' => __( 'Remember Me' ),
'label_log_in' => __( 'Log In' ),
'value_username' => '',
'value_remember' => false
);
For this use the login_redirect filter.In this filter one parameter is $request, which is the URL the user is coming from
function redirect_to_request( $redirect_to, $request, $user ){
return $request; // this is the URL the user is coming from
}
add_filter('login_redirect', redirect_to_request, 10, 3);
I'm implementing security on my API and I found a road block. I'm using angular, so if the API is on a different host than the client, the client will do a OPTIONS before any POST or put.
This is my code:
$app['security.firewalls'] = array(
'v3' => array(
'pattern' => '/v3/.*', //protect /v3/ endpoints
'oauth' => true, //using oauth service
'stateless' => true, //Do not persist this token
),
'default' => [
'anonymous' => true,
'security' => false,
],
);
//We finally register our security using the silex security servide provider
$app->register(new Silex\Provider\SecurityServiceProvider(), array(
'security.firewalls' => $app['security.firewalls']
));
It works perfect for GET, POST, PUT and DELETE...It don't work for OPTIONS
I have Drupal 7 and Services 3.x (3.10).
In the /admin/structure/services page, i have create an endpoint and my custom module:
function webServices_services_resources() {
$api = array(
'customers' => array(
'retrieve' => array(
'help' => 'Retrieves posted blogs',
'callback' => '_webServices_retrieve',
'access arguments' => array('access content'),
'access arguments append' => FALSE,
'args' => array(
array(
'name' => 'id',
'type' => 'int',
'description' => 'The id of the note to get',
'source' => array('path' => '0'),
'optional' => FALSE,
),
),
),
),
);
return $api;
}
Now i make a POST request to my base_url/endpoint/user/login.json (passing username and password) and i get the session_name and session_id.
if i call (for example) base_url/endpoint/customers/1.json with the following header:
User-Agent: Fiddler
Content-Type: application/json
Host: liburna3.alpha-si.org
Cookie: SESS738851ba4e98ab1f17a7252513dc0719=hy5xVjlDzjIbXz-nlwEV4GywbAPAPL0d_aFGhtIRWzw
i get error 403: Access denied for user xxxxxxxxx
What is the problem?
I would check my authentication state calling base_url/endpoint/system/connect.
If you are not logged in (or you header is not right) it returns:
"sessid": "PfG79I6elMMYln8nyftReLOY0d5So7O0C3LRIdbOeMo",
"session_name": "SESS74282c529439441e18b575b0e6fe308f",
"user": {
"uid": 0,
"hostname": "2a02:8388:1580:2500:7b:3322:23a4:c902",
"roles": {
"1": "anonymous user"
},
"cache": 0,
"timestamp": 1460891635
}
}
If you are logged in it returns the full userdatat in user property of result.
I setup a testing site for nearly all drupal services calls .>You can enter basepath and endpoint and test you backend.
Find it here => http://www.drupalionic.org/explore/
Enter you data and then go to Resources -> Services 3.x -> System and click the Connect tab.
You can also find a fully featured angular lib for drupal services here => https://github.com/BioPhoton/ng-drupal-7-services
I am developing an app in Silex with Symfony Security component. Anonymous users should be able to access every point of app except admin section (^/admin).
What am I doing wrong? Anonymous can still access admin section. I have followed some other answers on SO to get to this points but now I am stuck.
$app['security.firewalls'] = array
(
'general' => array
(
'pattern' => '^/',
'anonymous' => true,
'form' => array
(
'login_path' => '/login',
'check_path' => '/admin/login_check',
'default_target_path' => '/admin',
'always_use_default_target_path' => true,
),
'logout' => array
(
'logout_path' => '/admin/logout',
'target_url' => '/'
),
'users' => $app->share(function() use ($app) {
return new UserProvider($app['db']);
})
)
);
// #todo - find out why anonymous can see admin panel
$app['security.access_control'] = array
(
array('path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
array('path' => '^/admin', 'role' => 'ROLE_USER'),
);
$app['security.role_hierarchy'] = array
(
'ROLE_ADMIN' => array('ROLE_USER'),
);
look at the docs
http://symfony.com/doc/current/book/security.html#basic-example-http-authentication
'access_control' => array(
array('path' => '^/admin/', 'role' => 'ROLE_ADMIN'),
// Include the following line to also secure the /admin path itself
// array('path' => '^/admin$', 'role' => 'ROLE_ADMIN'),
),
its either ^/admin/ or ^/admin$ not ^/admin
I have changed the security.access_control (which seemed ignored now) to security.access_rules (which threw error of "access_rules" being unknown property previously) and now it seems to work:
$app['security.access_rules'] = array
(
array('^/admin', 'ROLE_USER'),
);
When I invoke this method. after that not statement executes.
$this->load->spark('ci-merchant/2.1.1'); # We always specify the full path from the spark folder
$this->load->library('merchant');
$this->merchant->load('merchant_paypal_express');
$settings = $this->merchant->default_settings();
$settings = array(
'username' => 'xxxxxxx',
'password' => 'xxx',
'signature' => 'xxxxxx',
'test_mode' => true);
$this->merchant->initialize($settings);
// GETING AMOUNT REMAINING.
$params = array(
'amount' => 100.00,
'currency' => 'USD',
'return_url' => 'hbs.local/checkout/payment_return',
'cancel_url' => 'hbs.local/checkout/place_order');
$response = $this->merchant->purchase($params);
$message = $response->message();
Due to invalid account credientials I was getting the error. I was setting live account API credentials in $settings. using sandbox account setting solve my issue.