Reputation: 14578
What's the point of having flexible routes (being able to change routes without breaking the application, thanks to route identifiers like 'admin_settings' -> '/admin/settings') if, in the access_control section of security.yml, we then have to specify the paths (instead of the ids)?
access_control:
    - { path: ^/test, ip: 127.0.0.1 }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/reset, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, role: ROLE_ADMIN }
    - { path: ^/settings, role: ROLE_USER }
Every time I change a route I will have to check that it is still secured.
Upvotes: 1
Views: 242
Reputation: 64
Recently I had the same problem, so I wrote a little extension for Symfony's security.yml that adds route name support; maybe you will be interested: https://github.com/madesst/MadesstSecurityExtraBundle
You will be able to write it this way:
# app/config/security.yml
security:
    firewalls:
        secured_area:
            pattern: '@*' # Equals to '^/' in old syntax
            anonymous: ~
            form_login:
                login_path: '_demo_login'
                check_path: '_security_check'
    access_control:
        - { path: '@my_bundle_post_delete', roles: ROLE_ADMIN}
        - { path: '@my_bundle_post_*', roles: ROLE_USER}
        - { path: '@my_bundle_post', roles: IS_AUTHENTICATED_ANONYMOUSLY}
        - { path: ^/esi, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
        - { path: ^/esi, roles: ROLE_NO_ACCESS }
Upvotes: 1
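The risk raised in the question, a path change silently moving a route out from under its access_control rule, can be caught with a regression check like the one below. It is an added example, not part of either post and not code from MadesstSecurityExtraBundle; the route table and expected roles are constructed sample data, the function names are hypothetical, and only path-based rules are modelled (no host or method constraints).

```php
<?php
// access_control from the question, in order; Symfony applies the first rule that matches.
$accessControl = [
    ['path' => '^/test',     'ip'   => '127.0.0.1'],
    ['path' => '^/login$',   'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/register', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/reset',    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/admin',    'role' => 'ROLE_ADMIN'],
    ['path' => '^/settings', 'role' => 'ROLE_USER'],
];

// Constructed sample data: route name => [current path, role the route must require].
$routes = [
    'login'          => ['/login',               'IS_AUTHENTICATED_ANONYMOUSLY'],
    'user_settings'  => ['/settings/profile',    'ROLE_USER'],
    'admin_settings' => ['/backoffice/settings', 'ROLE_ADMIN'], // moved from /admin/settings
];

/** Role of the first rule whose path regex matches, or null if none does. */
function firstMatchingRole(string $path, array $rules): ?string
{
    foreach ($rules as $rule) {
        // An ip-restricted rule is skipped for every other client, so it guarantees nothing.
        if (isset($rule['ip'])) {
            continue;
        }
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule['role'] ?? null;
        }
    }
    return null;
}

/** Routes whose effective role differs from the expected one, keyed by route name. */
function auditRoutes(array $routes, array $rules): array
{
    $findings = [];
    foreach ($routes as $name => [$path, $expectedRole]) {
        $actual = firstMatchingRole($path, $rules);
        if ($actual !== $expectedRole) {
            $findings[$name] = sprintf('%s: expected %s, got %s', $path, $expectedRole, $actual ?? 'no rule');
        }
    }
    return $findings;
}

foreach (auditRoutes($routes, $accessControl) as $name => $problem) {
    echo "$name -> $problem\n";
}
```

With the sample data, only `admin_settings` is reported, because its new path no longer matches `^/admin`. In a real project the route table would come from the router rather than a hard-coded array.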