Access Denied for view and download routes in SonataMediaBundle and Symfony 4
I use Symfony 4 (more precisely 4.1) with SonataAdminBundle and SonataMediaBundle.

This is my config/routes/sonata_media.yaml:
    sonata_media_gallery:
        resource: '@SonataMediaBundle/Resources/config/routing/gallery.xml'
        prefix: /media/gallery

    sonata_media:
        resource: '@SonataMediaBundle/Resources/config/routing/media.xml'
        prefix: /media
If I run php bin/console debug:router there are the following routes in the output:
    sonata_media_gallery_index     ANY   ANY   ANY   /media/gallery/
    sonata_media_gallery_view      ANY   ANY   ANY   /media/gallery/view/{id}
    sonata_media_view              ANY   ANY   ANY   /media/view/{id}/{format}
    sonata_media_download          ANY   ANY   ANY   /media/download/{id}/{format}
The first two routes work fine, but when I try the other two routes, for example:

    http://localhost:8000/media/view/
    http://localhost:8000/media/view/1/default
    http://localhost:8000/media/download/1
    http://localhost:8000/media/download/1/default
then I always get AccessDeniedException, even though I'm authenticated as ROLE_SUPER_ADMIN.

The error happens in vendor/sonata-project/media-bundle/src/Controller/MediaController.php in downloadAction and in viewAction. I have been digging around in the source code, but can't find the reason for the exception being thrown.
After some research I found the culprit and solved the problem. Here I'd like to share my knowledge.
As I mentioned in the question, the exceptions were thrown from vendor/sonata-project/media-bundle/src/Controller/MediaController.php in the methods downloadAction and viewAction. It was the following if-condition:
    if (!$this->get('sonata.media.pool')->getDownloadSecurity($media)->isGranted($media, $this->getCurrentRequest())) {
        throw new AccessDeniedException();
    }
which is present in both methods. This led me to vendor/sonata-project/media-bundle/src/Provider/Pool.php, and further to vendor/sonata-project/media-bundle/src/Security/RolesDownloadStrategy.php. I couldn't find any bug or problem there, but it opened my eyes to another position in my own configuration:
    access_control:
        - { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
How could I be so stupid? The path /media is not declared in security.yml and can be accessed by unauthenticated users. The SonataMediaBundle requires by default ROLE_ADMIN or ROLE_SUPER_ADMIN for downloading/viewing the media.
The routes for the Gallery were accessible because vendor/sonata-project/media-bundle/src/Controller/GalleryController.php doesn't check if access is granted.
After finding the culprit the question was which approach to choose to solve the problem.

1) Change the route prefix:

    sonata_media:
        resource: '@SonataMediaBundle/Resources/config/routing/media.xml'
        prefix: /admin/media
The declared path in security.yml now covers the media, and ROLE_ADMIN and ROLE_SUPER_ADMIN can access the routes.

Disadvantage: what if you want to expose the media outside of the admin? And what if other roles should be able to access them?
2) Declare a new path in security.yml:

    access_control:
        - { path: ^/media/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
Now we can expose the media outside of the admin. But the other issue is still there: what if other roles need to access the media?
3) Configure another download strategy in the config for SonataMedia:

    sonata_media:
        # ...
        contexts:
            default: # the default context is mandatory
                download:
                    strategy: sonata.media.security.connected_strategy
                    mode: http
        # ...
and adjust the path:

    access_control:
        # ...
        - { path: ^/media/, role: [IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED] }
        # ...
Now every logged-in user can access the media. This solution worked for me.

However, it is not a one-size-fits-all recipe. Please check the security chapter of the official documentation for more detailed information.
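As an added illustration (not code from the post, from Symfony or from Sonata), the following Python model replays Symfony's first-match access_control evaluation over the three rule sets discussed above and shows the ordering caveat a reviewer would check for: a new ^/media/ rule only takes effect if it is listed before the ^/.* catch-all. The rule lists are constructed from the post; the role check is a simplified model that ignores role hierarchy.

```python
import re

# Constructed access_control lists, modelled on the configurations in the post.
# Rule order matters: Symfony stops at the FIRST entry whose path regex matches.
ORIGINAL = [
    {"path": r"^/admin/", "roles": ["ROLE_ADMIN", "ROLE_SONATA_ADMIN"]},
    {"path": r"^/.*", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
]
# Option 2 from the post: the /media rule placed BEFORE the catch-all.
OPTION_2 = [
    {"path": r"^/admin/", "roles": ["ROLE_ADMIN", "ROLE_SONATA_ADMIN"]},
    {"path": r"^/media/", "roles": ["ROLE_ADMIN", "ROLE_SONATA_ADMIN"]},
    {"path": r"^/.*", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
]
# The same /media rule appended AFTER the catch-all: shadowed, never reached.
MISORDERED = [ORIGINAL[0], ORIGINAL[1], OPTION_2[1]]

def matching_rule(access_control, path):
    """First-match lookup, mirroring how Symfony walks access_control."""
    for rule in access_control:
        if re.search(rule["path"], path):
            return rule
    return None

def required_roles(access_control, path):
    """Roles/attributes the firewall demands for this path ([] if no rule matches)."""
    rule = matching_rule(access_control, path)
    return list(rule["roles"]) if rule else []

def firewall_allows(access_control, path, user_roles):
    """Simplified decision (hypothetical model): an anonymous rule or no rule passes;
    otherwise the user must hold one of the listed roles. No role hierarchy."""
    roles = required_roles(access_control, path)
    if not roles or "IS_AUTHENTICATED_ANONYMOUSLY" in roles:
        return True
    return bool(set(roles) & set(user_roles))

def audit(access_control, paths):
    """Map each route path to the roles governing it, for a quick config review."""
    return {p: required_roles(access_control, p) for p in paths}

if __name__ == "__main__":
    routes = ["/media/gallery/", "/media/view/1/default", "/media/download/1/default"]
    for name, acl in [("original", ORIGINAL), ("option 2", OPTION_2), ("misordered", MISORDERED)]:
        print(name, audit(acl, routes))
```

Running the audit against the original rules shows every /media route governed only by IS_AUTHENTICATED_ANONYMOUSLY, which is the gap the answer describes; the misordered list gives the same result even though the /media rule is present.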