php - Symfony2 Firewall not preventing access
I think I don't understand the concept of the firewall and access control in Symfony; here's my understanding.

I have FOSUserBundle installed and configured properly.

I created roles:

    role_hierarchy:
        ROLE_COACH:         [ROLE_USER]
        ROLE_EDITOR:        [ROLE_USER]
        ROLE_PREMIUM_COACH: [ROLE_USER, ROLE_COACH]
        ROLE_ADMIN:         [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_COACH, ROLE_EDITOR, ROLE_PREMIUM_COACH]
        ROLE_SUPER_ADMIN:   [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

I want to prevent people from accessing the URL /dashboard if they are not logged in, and therefore don't have the role ROLE_USER.

Here's my firewall:

    firewalls:
        # -> custom firewall for the admin area of the URL
        admin:
            pattern: /admin(.*)
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
            logout:
                path: /admin/logout
            anonymous: true
        # -> end custom configuration

        # default login area for standard users
        main:
            pattern: .*
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /login
                use_forward: false
                check_path: /login_check
                failure_path: null
            logout: true
            anonymous: true

Here's what I added under access_control:

    access_control:
        - { path: ^/dashboard, role: [ROLE_USER] }
        - { path: ^/dashboard/blog, role: [ROLE_EDITOR] }

I can access the page /dashboard even if I'm not connected, which I don't want to be possible. What am I getting wrong?
From the pastebin:

    - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }

This line causes the issue. It tells the Symfony2 security system that every user can access everything (this is the "very first rule", if we ignore the FOS ones), so, when it is satisfied, no other control is done (as `- { path: ^/osc/dashboard, role: ROLE_USER }` comes after).

Possible solutions:

1) Place the line at the bottom of the ACL.

Pro: the application works.

Cons: if you don't set the ACL, you'll run into "security" issues or unauthorized users accessing pages that, by logic, they should not have access to.

2) Remove the line altogether.

Pro: the application does not suffer security issues or unauthorized access.

Cons: you have to set the routes explicitly and properly, which is pretty "natural" if you want to build a strong application.
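The first-match behaviour the answer describes, simulated in Python as an added example (not code from the question or answer; the rule lists and role hierarchy are constructed from the question's config). It goes one step beyond the answer: because `^/dashboard` also matches `/dashboard/blog`, the question's own ordering leaves the ROLE_EDITOR rule unreachable too.

```python
import re

# Constructed from the question's config (added example, not code from the post).
# Symfony walks access_control top to bottom and applies only the FIRST rule
# whose path regex matches, so rule order decides who gets in.
BROKEN_RULES = [  # catch-all first, as in the pastebin: shadows everything below
    {"path": r"^/.*", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/dashboard", "role": "ROLE_USER"},
    {"path": r"^/dashboard/blog", "role": "ROLE_EDITOR"},
]
FIXED_RULES = [  # most specific path first, catch-all last
    {"path": r"^/dashboard/blog", "role": "ROLE_EDITOR"},
    {"path": r"^/dashboard", "role": "ROLE_USER"},
    {"path": r"^/.*", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
]

# role_hierarchy from the question: a role implies every role listed for it.
ROLE_HIERARCHY = {
    "ROLE_COACH": ["ROLE_USER"],
    "ROLE_EDITOR": ["ROLE_USER"],
    "ROLE_PREMIUM_COACH": ["ROLE_USER", "ROLE_COACH"],
    "ROLE_ADMIN": ["ROLE_USER", "ROLE_SONATA_ADMIN", "ROLE_COACH",
                   "ROLE_EDITOR", "ROLE_PREMIUM_COACH"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}


def effective_roles(user_roles):
    """Expand the user's roles through the hierarchy (transitively)."""
    granted, pending = set(), list(user_roles)
    while pending:
        role = pending.pop()
        if role not in granted:
            granted.add(role)
            pending.extend(ROLE_HIERARCHY.get(role, []))
    return granted


def first_matching_rule(rules, path):
    """Return the first access_control entry whose regex matches the path."""
    return next((r for r in rules if re.search(r["path"], path)), None)


def is_granted(rules, path, user_roles=()):
    """True if the request passes access_control; anonymous users have no roles."""
    rule = first_matching_rule(rules, path)
    if rule is None or rule["role"] == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True  # no matching rule, or anonymous explicitly allowed
    return rule["role"] in effective_roles(user_roles)
```

`is_granted(BROKEN_RULES, "/dashboard")` lets an anonymous visitor through, `is_granted(FIXED_RULES, "/dashboard")` denies them, and `is_granted(BROKEN_RULES[1:], "/dashboard/blog", ["ROLE_USER"])` shows the question's ordering granting the blog to a plain ROLE_USER.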