I have the following structure on my website:
/Login page: when someone goes to the website, they automatically land on this page. It's not necessary to be logged in.
When someone logs in, they get to the /game/welcome page. From there on they can access /game/account and similar pages.
Now when I go straight to /game/welcome without logging in, I can access this page. How can I prevent this?
This is my security.yml file:
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Login\LoginBundle\Entity\User: sha512
            #algorithm: sha1
            #iterations: 1
            #encode_as_base64: true
        #Login\Loginbundle\Entity\User: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        user:
            entity:
                class: Login\LoginBundle\Entity\User
                property: username
        #in_memory:
            #memory:
                #users:
                    #user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    #admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
Access Control (security:access_control) is the key word here.
        - { path: ^/game/welcome, role: ROLE_USER }
This requires the user to have ROLE_USER (which your logged-in user should have according to your yaml) to access this route.
More info: http://symfony.com/doc/current/book/security.html#access-controls-authorization
If you want to have most URLs secured, it's better to secure all of them and then add exceptions. Remember that ROLE_USER is automatically granted to all logged-in users.
    # add exceptions before the general rule
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # some more exceptions ...
        - { path: ^/, role: ROLE_USER } # all other URLs need login
Just this code:
        - { path: ^/game/*, role: ROLE_USER }
should be enough. This prevents users who are not logged in from reaching
^/game/*
Typically checking for ROLE_USER should suffice, though it is probably safer to check for the role IS_AUTHENTICATED_FULLY, which is set automatically by the security component for authenticated users, if you want to differentiate from anonymous users.
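To see why the rule order in the "secure all, then add exceptions" answer matters, here is a small Python model of how access_control is evaluated: the first rule whose path regex matches the request path decides, and a path that no rule matches is not protected at all. It is an added illustration, not Symfony's own code; the rule sets are the ones from the question and the answers above, and the attribute sets are a constructed approximation of what the firewall grants.

```python
import re

def granted_attributes(logged_in):
    """Attributes a request carries (constructed approximation of Symfony's voters):
    with 'anonymous: ~' every visitor gets IS_AUTHENTICATED_ANONYMOUSLY, and a
    logged-in user additionally gets ROLE_USER and IS_AUTHENTICATED_FULLY."""
    attrs = {"IS_AUTHENTICATED_ANONYMOUSLY"}
    if logged_in:
        attrs |= {"ROLE_USER", "IS_AUTHENTICATED_FULLY"}
    return attrs

def is_allowed(access_control, path, logged_in):
    """First-match evaluation as in security.yml access_control: the first rule
    whose 'path' regex matches decides; 'roles' and 'role' are both accepted
    (string or list); a path that no rule matches is allowed to everyone."""
    attrs = granted_attributes(logged_in)
    for rule in access_control:
        if re.search(rule["path"], path):          # preg_match semantics: a search, not a full match
            required = rule.get("roles", rule.get("role"))
            if isinstance(required, str):
                required = [r.strip() for r in required.split(",")]
            return any(r in attrs for r in required)
    return True                                    # nothing matched: not protected

# The question's config: only /login is listed, so /game/welcome is unprotected.
ASKER_RULES = [{"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"}]

# Deny by default, with the exception listed first as the answer above recommends.
DENY_BY_DEFAULT = [
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": "^/",      "role":  "ROLE_USER"},
]

# Same two rules in the wrong order: ^/ matches /login first, so the login page
# itself now requires ROLE_USER and an anonymous visitor can never log in.
WRONG_ORDER = list(reversed(DENY_BY_DEFAULT))

# Protect only the game area. Note that the trailing "/*" means "zero or more
# slashes", so this regex also matches paths such as /gameover.
GAME_ONLY = [{"path": "^/game/*", "role": "ROLE_USER"}]

if __name__ == "__main__":
    for name, rules in [("asker", ASKER_RULES), ("deny_by_default", DENY_BY_DEFAULT),
                        ("wrong_order", WRONG_ORDER), ("game_only", GAME_ONLY)]:
        for path in ("/login", "/game/welcome", "/gameover"):
            print(f"{name:16} {path:14} anon={is_allowed(rules, path, False)} "
                  f"user={is_allowed(rules, path, True)}")
```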
Instead of taking the path of setting up access_control in security.yml like the other answers suggest, I'd recommend securing the individual controllers instead.
This has the advantage of not inadvertently disabling security when changing route URL patterns, or by making mistakes in the regular expressions, which I see happening a lot.
With SensioFrameworkExtraBundle you can secure the controllers with an annotation:
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class DemoController extends Controller
{
    /**
     * has_role() only inspects the user's roles; the IS_AUTHENTICATED_* attributes
     * are checked with the dedicated expression function is_fully_authenticated().
     *
     * @Security("is_fully_authenticated()")
     */
    public function indexAction()
    {
        // ...
    }
}
If you don't like annotations, you can do the check in your controller code as follows (when extending the default Controller class):
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class DemoController extends Controller
{
    public function indexAction()
    {
        if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            throw $this->createAccessDeniedException('Unable to access this page!');
        }
        // ...
    }
}