
FOS User Bundle every role except ADMIN is denied

I have a Symfony 3 CRM with FOS User Bundle installed for the login. The issue is, most users of this CRM will be engineers belonging to a company who are only allowed to see certain parts, so I have created their own dashboard specifically. Admin users can see everything and simply redirect to the main dashboard. However, it seems that only users with ROLE_ADMIN are allowed to access the CRM and everyone else is denied regardless of where they go.

Here is my security file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_STAFF:       ROLE_USER
        ROLE_ADMIN:       ROLE_STAFF
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                # if you are using Symfony < 2.8, use the following config instead:
                # csrf_provider: form.csrf_provider
                use_referer:        false
                success_handler:    login_success_handler

            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_ADMIN }
        - { path: ^/staff-dashboard, role: ROLE_STAFF }

As you can see, I have created a custom role called ROLE_STAFF which is assigned to engineers (or staff members), and they are allowed to view the staff-dashboard link. I have a test user with the ROLE_STAFF role, but I am still unable to view staff-dashboard.

I also have the following if statement in my controller, so it redirects all those users who are NOT admin to the staff-dashboard:

// $userRole, $latest, $ob and $ob2 are set earlier in the action (not shown in the question)
if ($userRole === "ROLE_ADMIN") {
    return $this->render('AppBundle:pages:dashboard.html.twig', array(
        'latest' => $latest,
        'cashflow_chart' => $ob,
        'job_chart' => $ob2
    ));
} else {
    return $this->redirectToRoute('app_staff_dashboard');
}

But again, this does not work.

Any help with this is appreciated - I haven't yet found a solid solution.

Access control rules are processed in the order specified in the config. The first rule whose path matches is checked and processing stops.
In your case, 2 rules match the path /staff-dashboard: 1 - { path: ^/, role: ROLE_ADMIN } and 2 - { path: ^/staff-dashboard, role: ROLE_STAFF }. The 1st one is checked. Staff users don't pass this rule.
Change the order of these 2 rules.
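To make the first-match behaviour concrete, here is an added simulation (not code from the question, the answer, or Symfony itself) of how Symfony's access listener evaluates `access_control`: it walks the rules top to bottom, stops at the first regex that matches the request path, and grants or denies on that rule alone. The rule lists are copied from the question, once in the posted order and once with the two last entries swapped as the answer suggests, and the role hierarchy is the question's. Treating IS_AUTHENTICATED_ANONYMOUSLY as "everyone passes" is a simplification for this example.

```python
"""Simulate Symfony's access_control evaluation: the first rule whose path
regex matches the request path wins; later rules are never consulted."""
import re

# Role hierarchy from the question's security.yml: key implies the listed roles.
ROLE_HIERARCHY = {
    "ROLE_STAFF": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_STAFF"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"],
}

# Rules in the order posted in the question (the order that locks staff out).
ORIGINAL_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "ROLE_ADMIN"),
    (r"^/staff-dashboard", "ROLE_STAFF"),
]

# Same rules with the specific path listed before the catch-all, as the answer suggests.
FIXED_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/staff-dashboard", "ROLE_STAFF"),
    (r"^/", "ROLE_ADMIN"),
]


def reachable_roles(roles):
    """Expand roles through the hierarchy (transitive closure), the way
    Symfony's RoleHierarchy does: ROLE_ADMIN also counts as ROLE_STAFF and ROLE_USER."""
    result = set(roles)
    stack = list(roles)
    while stack:
        role = stack.pop()
        for implied in ROLE_HIERARCHY.get(role, []):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def first_matching_rule(rules, path):
    """Return the first (pattern, role) whose regex matches the path, or None.
    Symfony's RequestMatcher applies the pattern as an unanchored regex, so re.search."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return pattern, role
    return None


def is_granted(rules, path, user_roles):
    """Decide access on the first matching rule only.
    Simplification: IS_AUTHENTICATED_ANONYMOUSLY is granted to everyone; any other
    attribute must be in the user's expanded roles. No matching rule means no restriction."""
    match = first_matching_rule(rules, path)
    if match is None:
        return True
    _, required = match
    if required == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    return required in reachable_roles(user_roles)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        rule = first_matching_rule(rules, "/staff-dashboard")
        staff_ok = is_granted(rules, "/staff-dashboard", ["ROLE_STAFF"])
        print(f"{label}: /staff-dashboard hits {rule}, staff granted={staff_ok}")
```

Two things the simulation makes visible. With the posted order, `^/` swallows `/staff-dashboard` and a ROLE_STAFF user is denied before any controller runs, which is also why the `redirectToRoute('app_staff_dashboard')` branch in the question never helps: `access_control` is enforced by the firewall ahead of the controller. With the swapped order, staff reach the dashboard, and admins still do too, because the `role_hierarchy` makes ROLE_ADMIN imply ROLE_STAFF; a staff user requesting `/` is still denied by the catch-all, so a login success handler (or the redirect) has to send them to `/staff-dashboard` directly rather than via the main dashboard.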

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM