
What is the proper way to prevent users who are not logged in from accessing specific pages

I have following structure on my website:

/Login page, when someone goes to the website, they automatically get on this page. It's not needed to be logged in.

When someone logs in, they get on the /game/welcome page. From there on they can access /game/account and such pages.

Now when I go straight to /game/welcome, without logging in, I can access this page. How can I prevent this?

This is my security.yml file:

# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Login\LoginBundle\Entity\User: sha512
            #algorithm: sha1
            #iterations: 1
            #encode_as_base64: true
        #Login\Loginbundle\Entity\User: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        user:
            entity:
                class: Login\LoginBundle\Entity\User
                property: username
        #in_memory:
            #memory:
                #users:
                    #user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    #admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
    access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Access Control (security:access_control) is the key word here.

- { path: ^/game/welcome, role: ROLE_USER }

This requires the user to have the ROLE_USER (which your logged-in user should have according to your yaml) to access this route.

More info: http://symfony.com/doc/current/book/security.html#access-controls-authorization

If you want to have most URLs secured it's better to secure all and then add exceptions. Remember that ROLE_USER is automatically granted to all logged-in users.

# add exceptions before the general rule
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # some more exceptions ...
    - { path: ^/, role: ROLE_USER } # all other URLs need login

Just this code:

- { path: ^/game/*, role: ROLE_USER }

Should be enough. This prevents users who are not logged in from reaching

^/game/*

Typically checking for the ROLE_USER should suffice, though it is probably safer to check for the role IS_AUTHENTICATED_FULLY, which is set automatically by the security component for authenticated users, if you want to differentiate from anonymous users.

Instead of taking the path of setting up access_control in security.yml like the other answers suggest, I'd recommend securing the individual controllers instead.

This has the advantage of not inadvertently disabling security when changing route URL patterns, or making mistakes in the regular expressions, which I see happening a lot.

With SensioFrameworkExtraBundle you can secure the controllers with an annotation:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class DemoController extends Controller
{
    /**
     * has_role() only looks at the roles on the token, and IS_AUTHENTICATED_FULLY
     * is not a role, so has_role('IS_AUTHENTICATED_FULLY') would deny everyone.
     * The expression language provides is_fully_authenticated() for this check.
     *
     * @Security("is_fully_authenticated()")
     */
    public function indexAction()
    {
        // ...
    }
}

If you don't like annotations, you can do the check in your controller code as follows (when extending the default Controller class):

use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class DemoController extends Controller
{
    public function indexAction()
    {
        // security.context is the Symfony 2.x service; from 2.6 on the same
        // isGranted() call is available on security.authorization_checker.
        if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            // createAccessDeniedException() yields a 403 for a logged-in user and,
            // for an anonymous visitor, a redirect to the form_login login_path.
            throw $this->createAccessDeniedException('Unable to access this page!');
        }

        // ...
    }
}
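As an added illustration (constructed here, not taken from any answer or from Symfony's own source), the PHP script below mimics the first-match-wins evaluation of access_control to show why rule order matters in the deny-by-default answer and how a wrong regex, as the last answer warns, silently leaves a page open. The rule lists and the visitor attribute sets are hand-built assumptions.

```php
<?php
// Constructed simulation of how Symfony evaluates security.yml access_control:
// rules are tried in order and the FIRST rule whose path regex matches decides
// the required role; later rules are never consulted. Not Symfony's own classes.

/** Return the role required for $path, or null when no rule matches. */
function requiredRole(array $rules, string $path): ?string
{
    foreach ($rules as $rule) {
        // Symfony wraps the configured pattern in {...} and runs preg_match on the path
        if (preg_match('{' . $rule['path'] . '}', $path)) {
            return $rule['role'];
        }
    }
    return null; // unmatched paths are not restricted by access_control at all
}

/** Decide whether a visitor holding $attributes may reach $path. */
function isAllowed(array $rules, string $path, array $attributes): bool
{
    $role = requiredRole($rules, $path);
    return $role === null || in_array($role, $attributes, true);
}

// Attributes Symfony grants: anonymous visitors only IS_AUTHENTICATED_ANONYMOUSLY;
// a logged-in user additionally ROLE_USER and IS_AUTHENTICATED_FULLY.
$anonymous = ['IS_AUTHENTICATED_ANONYMOUSLY'];
$loggedIn  = ['IS_AUTHENTICATED_ANONYMOUSLY', 'ROLE_USER', 'IS_AUTHENTICATED_FULLY'];

$cases = [
    // 1. The asker's config lists only /login, so nothing protects /game/welcome.
    'original'    => [['path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY']],
    // 2. Deny by default, with the /login exception listed before the catch-all.
    'fixed'       => [['path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
                      ['path' => '^/',      'role' => 'ROLE_USER']],
    // 3. Same rules reversed: '^/' wins first, so even /login now demands ROLE_USER
    //    and an anonymous visitor can never reach the login form (redirect loop).
    'wrong order' => [['path' => '^/',      'role' => 'ROLE_USER'],
                      ['path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY']],
    // 4. Regex mistake: '$' anchors to /game exactly, leaving /game/welcome open.
    'bad regex'   => [['path' => '^/game$', 'role' => 'ROLE_USER']],
];

foreach ($cases as $name => $rules) {
    foreach (['/login', '/game/welcome'] as $path) {
        printf("%-11s %-14s anonymous=%-5s logged-in=%s\n", $name, $path,
            isAllowed($rules, $path, $anonymous) ? 'allow' : 'deny',
            isAllowed($rules, $path, $loggedIn) ? 'allow' : 'deny');
    }
}
```

Run it with `php access_control_sim.php` (any PHP 7.1 or later) and compare the anonymous column across the four cases.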
