Firewall security issue in symfony2

StackOverflow https://stackoverflow.com/questions/20310620

  •  06-08-2022
  •  | 
  •  

Question

I'm using symfony2 And having a little bit problem about Authentication and access control in symfony firewall.

This is my security.yml

security:
    encoders:
        test\UserBundle\Entity\User:
        algorithm:        sha1
        encode_as_base64: false
        iterations:       1

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

providers:
    administrators:
        entity: { class: UserBundle:User, property: email }

firewalls:

    login_firewall:
        pattern:    ^/login$
        anonymous:  ~
        security: true

    admin_area:
        pattern:    ^/cp|/(cp/.*|login_check)
        http_basic: ~
        form_login:
            login_path:  _login
            check_path:  login_check
            always_use_default_target_path: true

access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY|ROLE_USER }
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/(booking/hotelsearchresult), roles: IS_AUTHENTICATED_ANONYMOUSLY }

The thing is in this site, there is no /admin path or a spesefic path for admin. admin is defined by the Role in each page and the contetnt of the pages is diffrent acording to user types. (That's bad I know).

It means I must have all users access to all pages exept some and if they login, they get diffrent type of data.

but I have the following error:

When I log in, and send the user to another path ( which is not defiend as a secured path) it does not show any creditential information?!!!

what should I do to have and access the data with this structure?

Was it helpful?

Solution

Exactly what you wrote: If your path is not under firewall, credential information aren't available there because firewall won't cover them.

In your specific case, you will have access to credential information only on routes that start with /cp. What you probably want to do is define firewall pattern as ^/. So that your firewall covers all paths on your website, and then use access_control or whatever method you use to check access permissions for specific page.

OTHER TIPS

You can check what role a specific user has with the following code in your controllers:

public function indexAction()
{
    // show different content to admin users
    if ($this->get('security.context')->isGranted('ROLE_ADMIN')) {
        // ... load admin content here
    }

    // ... load other regular content here
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top