Jukurrpa

Reputation: 4168

Restricting admin access to url pattern in Symfony2

I'm developing a small back-office in Symfony2 and I would like users granted ROLE_ADMIN to only be able to access pages with a ^/admin/ URL pattern (and also ^/logout$).

So far I've managed to restrict other users from accessing these pages using access control:

// security.yml
firewalls:
    dev:
        pattern:    ^/(_(profiler|wdt)|css|images|js)/
        security:   false

    secured_area:
        pattern:    ^/
        anonymous:  ~
        form_login:
            provider:       fos_userbundle
            csrf_provider:  form.csrf_provider
            login_path:     /login
        logout:
            invalidate_session: false

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }

But I can't find how to restrict admin users to these pages. What would be the best way to achieve this?

Upvotes: 0

Views: 1722

Answers (3)

Mark

Reputation: 1754

Your issue is most likely a little hidden gem in FOSUserBundle. If you login as an admin and then check the profiler you will see that your user has both ROLE_ADMIN and ROLE_USER, which is why they can access your secured pages. If you look in the Model of the FOSUserBundle you'll see in the User class that when you call getRoles() on a user there is always a default role added to the array. This constant is set in the UserInterface class as ROLE_USER.

There are many solutions you could explore but probably the most straightforward is simply for you to use another role for your front-end users. If you use a role ROLE_CUSTOMER for example, admin users will not get this role unless you explicitly define it in the role hierarchy. That way, both sets of users will be restricted to their respective sections.

Upvotes: 2

Gabriel Cartier

Reputation: 1764

I think your problem is one of conception and not of programming. By definition, an administrator has access to all of the pages, that's what an administrator is for. To counter your problem you could either modify the role_hierarchy in the security.yml file:

role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN

What that means is that whatever a ROLE_USER can request, a ROLE_ADMIN can access too. If you remove that hierarchy, you could have an administrator NOT have access to the user pages.

The option I would recommend is to simply create a new role, something like ROLE_MANAGER which can only access the ^/admin/ URL, this would be more appropriate for your case.

Upvotes: 2
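Putting the two answers above together (Mark's point that FOSUserBundle's getRoles() always appends ROLE_USER, and Gabriel's point that the ROLE_ADMIN: ROLE_USER hierarchy entry is what lets admins onto user pages), here is a complete security.yml that keeps the two populations apart. This is an added example, not configuration from the question or from either answer: it assumes FOSUserBundle is the user provider, that the front-end role is a new role I'm calling ROLE_CUSTOMER (any name other than ROLE_USER works), and that existing front-end users are given that role explicitly, for example with `php app/console fos:user:promote alice ROLE_CUSTOMER`.

```yaml
# app/config/security.yml (Symfony 2.x + FOSUserBundle)
# Added example, not the question's or the answers' own config. Assumes the
# fos_user.user_provider.username provider and a ROLE_CUSTOMER role that is
# assigned to front-end users by hand (e.g. fos:user:promote <user> ROLE_CUSTOMER).
security:
    role_hierarchy:
        # Deliberately NO "ROLE_ADMIN: ROLE_USER" entry. That line is what
        # normally lets an admin through a rule that asks for ROLE_USER.
        # ROLE_SUPER_ADMIN still inherits ROLE_ADMIN so it can use the back-office.
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern:    ^/(_(profiler|wdt)|css|images|js)/
            security:   false

        secured_area:
            pattern:    ^/
            anonymous:  ~
            form_login:
                provider:       fos_userbundle
                csrf_provider:  form.csrf_provider
                login_path:     /login
            logout: ~

    # Rules are matched top to bottom and the FIRST matching rule decides,
    # so specific paths come first and the catch-all comes last.
    access_control:
        - { path: ^/login$,     role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register$,  role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting,  role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Every FOSUserBundle user carries ROLE_USER (it is added by getRoles()),
        # so this lets both admins and customers log out.
        - { path: ^/logout$,    role: ROLE_USER }
        # Keep the trailing slash: ^/admin alone would also match /administrator
        # or /admin-tools and hand those to ROLE_ADMIN.
        - { path: ^/admin/,     role: ROLE_ADMIN }
        # Front-end pages ask for a role admins never receive. An admin has
        # ROLE_ADMIN and the implicit ROLE_USER, neither of which satisfies
        # this rule, so /profile and friends return 403 for them.
        - { path: ^/,           role: ROLE_CUSTOMER }
```

The one thing to verify after switching is that no rule anywhere still asks for ROLE_USER as the front-end role: any such rule (in access_control, in an `@Secure` annotation or in an `is_granted()` call) is satisfied by admins too, because ROLE_USER is appended to every user by FOSUserBundle regardless of what is stored for that user. Logging in as an admin and checking the roles shown in the profiler toolbar is the quickest check that the hierarchy no longer grants anything beyond ROLE_ADMIN.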

Lkopo

Reputation: 4835

Use this form:

access_control:
    - { path: ^/admin, roles: ROLE_ADMIN }

For more information click on the following link - http://symfony.com/doc/current/book/security.html

Upvotes: 0
