
Symfony access_control by role

I read this page about Symfony security!

But I can't use the access_control. I have two routes, back and dashboard. Back is only for ROLE_SUPER_ADMIN, and in order to go to the dashboard the user must be authenticated.

Anonymous users can go everywhere, and ROLE_USER can go to back (SUPER ADMIN only).

This is my security.yml file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern:    ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/dashboard, roles: ROLE_USER }
        - { path: ^/back, roles: ROLE_ADMIN }

Thanks for your help.

Of course anonymous users can go everywhere! Take a look at your first rule:

access_control:
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }

Even for the /back path the rule seems to act properly, because you hit the first access_control rule, which grants the action.

Faster solution: try inverting the order of your rules.

Better solution: try to write better (less general) rules [if your app lets you do that].
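A corrected access_control section, added here as an example; it is not part of the question or the answer above. Symfony applies the first access_control rule whose path regex matches the request and ignores the rest, so the fix is to put the specific paths first and the catch-all `^/` last. This version keeps the question's paths and role hierarchy, uses `roles` (the documented key) throughout, and protects /back with ROLE_SUPER_ADMIN as the question requires rather than the ROLE_ADMIN the posted config used:

```yaml
# Added example: corrected access_control for the security.yml above.
# Rules are evaluated top to bottom; the FIRST matching path wins, so
# the most specific patterns come first and the catch-all goes last.
security:
    access_control:
        # Public entry points: must be reachable before the user has logged in.
        - { path: ^/login$,    roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register,  roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }

        # Restricted areas. /back is for super admins only; /dashboard for
        # any authenticated user (ROLE_ADMIN and ROLE_SUPER_ADMIN inherit
        # ROLE_USER through the role_hierarchy, so they get in as well).
        - { path: ^/back,      roles: ROLE_SUPER_ADMIN }
        - { path: ^/dashboard, roles: ROLE_USER }

        # Catch-all LAST: anything not matched above stays public. With the
        # original ordering this rule came first and matched every request,
        # so the ROLE_USER and ROLE_ADMIN rules below it were never reached.
        - { path: ^/,          roles: IS_AUTHENTICATED_ANONYMOUSLY }
```

Two things to check after the change: the form_login check path (/login_check by default) is not matched by `^/login$`, but it still falls through to the anonymous catch-all, so it keeps working; if you ever remove the catch-all, add an explicit rule for it. Then clear the cache (`app/console cache:clear`) and, as an anonymous user, request /back and /dashboard: both should now redirect to the login form, and a plain ROLE_USER account should get /dashboard but be denied /back.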

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
