I am using sfDoctrineGuard 5.x and I have configured my module credentials in security.yml like this:
all:
is_secure: true
credentials: [ admin ]
and my app/backend/config/security.yml:
default:
is_secure: true
I have tested using:
$this->getUser()->hasPermission('vendor'): returned true
$this->getUser()->hasPermission('admin'): returned false
so I guess the users are inheriting credentials right. But still users with other credentials can access the module!
I have 3 types of group admin, client and vendor and similar permissions: admin, client and vendor!
And users having 'client' or 'vendor' credentials can access the module ignoring the credentials defined in the security.yml after login !
What could be the problem? Can anyone give me some direction?
oh, I am using sfForkedApplyPlugin for registration and profile editing process, which I don't think causing the issue, as I am testing with predefined fixture data.
I figured out the problem just now!
It was the *is_super_admin* field in *sf_guard_user* table which was set to 1 for all my dummy users in fixture.yml :) !
That's why every users were getting access to all modules bypassing the credentials!
Related
I am trying to debug a Resque setup in an (inherited) app, and so I found that there is a route for resque at /hidden/resque that would be nifty to access, but I am unable to access the route. I am wondering what I need to do ... When I try to access that route I get a HTTP 500 due to this error being thrown:
Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: Full authentication is required to access this resource.
I have tried accessing it both as a web page (after authenticating as an admin role on a different route) and using curl -H 'Authorization: Basic 9339034147964aebec6716c0110311d1' 'https://web.mysite/hidden/resque' -v. No go.
So what constitues "full authentication"? I am already logged in as an admin user on one of the other routes. Would I need to add anything more to the below config? This has not been setup by me, so I would not know if it ever worked.
app/config/routing.yml
ResqueBundle:
resource: "#ResqueBundle/Resources/config/routing.xml"
prefix: /hidden/resque
app/config/security.yml
access_control:
- { path: ^/hidden, roles: ROLE_ADMIN }
According to the docs:
IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.
How can I be "more logged in" than using a cookie? Should I send a basic auth header with username and password base64 encoded?
If you ask for full authentication.
I.E:
/**
* Requiring IS_AUTHENTICATED_FULLY
*
* #IsGranted("IS_AUTHENTICATED_FULLY", message="Nope, no access")
*/
Then when you are logging in with an user, your Authorization Checker must have granted you the IS_AUTHENTICATED_FULLY status in order to have access.
As explained in the docs:
IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.
You will be completely Authenticated if you manually log in, and not via a cookie. If you are using a command that remembers your credentials, that might be the issue.
Check Doc nº3 to see whether your actual way of entering that route falls inside the IS_REMEMBERED status. Even maybe you end up prefering using the less restrictive IS_AUTHENTICATED_REMEMBERED
Check the different documentations here:
https://symfony.com/doc/3.4/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully
https://symfony.com/doc/3.4/security.html#learn-more
https://symfony.com/doc/3.4/security/remember_me.html
https://symfony.com/doc/3.4/components/security/authorization.html#authorization-checker
https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
I have setup Apache Drill version 1.15 in distributed mode on 3 nodes with ZK on the same 3 nodes.
Now, I am trying to configure Plain Authentication in Drill using PAM.
I already have 2 existing users in the 3 nodes with same password and they are present in /etc/passwd and /etc/shadow.
I have followed the steps mentioned here, to configure authentication setup on the Drill cluster.
But, on entering correct username and password, it throws Invalid Username/Password error.
My drill-override.conf looks like:
drill.exec: {
cluster-id: "[cluster_name]",
zk.connect: "[host1]:2181,[host2]:2181,[host3]:2181"
security.user.auth: {
enabled: true,
packages += "org.apache.drill.exec.rpc.user.security",
impl: "pam",
pam_profiles: [ "sudo", "[profile1]", "[profile2]" ]
}
}
I have set, user1 as an admin and user2 as normal user.
Is it that Drill, doesnt work with existing Users in the linux system and wants users to be created explicitly (which i really doubt), or anything else that I am missing?
pam_profiles is array of PAM profiles, not users.
Example of pam_profiles configs: pam_profiles: [ "sudo", "login" ]. See details in doc.
You can add other PAM profiles from your /etc/pam.d.
I am using multiple users providers in my project.
My security.yml looks like this :
security:
...
firewalls:
usertype1:
pattern: ^/root/usertype1_area
provider: type1_provider
usertype2
pattern: ^/root
provider: type2_provider
...
Everything is working fine and I can't login with wrong user types at the right pattern, except that I noticed that if I throw an exception in one of my providers, say type1_provider , and try to log in with the /root/login path (which should use only type2_provider), Symfony is going through type1_provider as well as type2_provider, and I get an exception.
The same is also true with /root/usertype1_area/login when I throw at type2_provider.
This is a problem to me because I want to be able to access type2 login when the type1_provider is shut down.
Any guesses ? Is this normal behavior ?
EDIT : As pointed out by Alexander Keil, it was not clear in my question what I was trying to do
One of my providers relies on a 3d party service, and I want it to throw when this service is down, but I still want to be able to access the other login, which is not supposed to rely on the provider that is throwing. Is there a way I can achieve this ?
You can use the method "supportsClass" in your provider. Return false if the current user class does not support the loaded provider. See Symfony\Component\Security\Core\User\UserProviderInterface
Sorry if this question has been asked many times but I didn't found any solution on the Web.
So, I just have installed FOSUserBundle and I've created 2 users on my application with the console. The problem is they don't have any role.
So in on controller, I get the user Entity and y set his role but when I try to access to a page restricted for admin, it says access denied. Moreover, the roles has no changed on the databse.
My code in the controller :
$user = $this->container->get('security.context')->getToken()->getUser();
$user->setRoles('ROLE_ADMIN');
if (!$this->get('security.context')->isGranted('ROLE_ADMIN')){
throw new AccessDniedException('Access Denied !');
}
Anyone have an idea ?
Thanks in advance !
It is a very bad practice to set a user role in your controller if you want to keep them away from the controller in the first place. I hope you use this line of code for testing only.
The FOSUserBundle provides a number of command line utilities to help manage your application's users.
The one you need is:
$ php app/console fos:user:promote testuser ROLE_ADMIN
Replace testuser with your username.
Did you also define your roles in your firewall?
I'd like to get three Drupal websites to work together using CAS. So, one of these Drupal websites is using the CAS server module; but, when I go to the other Drupal websites as a CAS "client" I still have to press "Log in" to be logged in.
Is it possible for the CAS "client" to check automatically? So, users won't have to press the "Log in" button if they are already logged in? And, if they aren't they can remain anonymous.
Ok, I figured it out. It's called "the Gateway feature" in CAS.
My confusion was because the Drupal CAS module wasn't working the way I had thought it would. Here is what the client portion of the Drupal CAS module says:
[ x ] Check with the CAS server to see if the user is already logged in?
This implements the Gateway feature of the CAS Protocol.
So, digging through the module code I was able to figure out a solution.
The Fix:
The phpCAS function that implements the CAS gateway feature is:
phpCAS::checkAuthentication()
Here is a snippet of code that I plan to use:
$is_auth = phpCAS::checkAuthentication(); // Returns TRUE or FALSE
if ($is_auth) {
phpCAS::forceAuthentication();
}
else {
// Do nothing until user is ready to authenticate.
}
I have a couple options:
Put this functionality in a separate "glue" module
Hack the Drupal CAS module to suit my needs
Try to make improvements, and see if this can be contributed back
(If I'm lucky, I might get to contribute some code back to this module.)
As one of the cas module mainainers I'd like to request that this discussion get moved to an issue in the projects issue queue. This code snippet should do absolutely nothing different, since using "CheckAuthentication" should cause a drupal login. If you're getting different behavior, we want to know about it and fix it.
It turns out this functionality is working in the CAS module, but the "Caching mode" needs to be set to "Disabled". See issue: http://drupal.org/node/1280474
Also, the authentication check only happens the first time the site is accessed (until the browser is closed and re-opened). See issue: http://drupal.org/node/1405448