Zach Starnes

Reputation: 3198

Symfony2 access control not working

In my access control I have a bunch of rules but none of them seem to be working. I belong to a group that does not have the role and I am still able to access all the routes. I tried adding dollar signs to the end of the paths but that did not work. I also tried reordering the paths and that failed as well. Any advice will help!

Here is my security.yml file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
         fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/system/staff/add, roles: ROLE_ADD_STAFF }
        - { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }
        - { path: ^/system/staff, roles: ROLE_VIEW_STAFF }

        - { path: ^/system/profile/edit, roles: ROLE_USER }
        - { path: ^/system/profile, roles: ROLE_USER }

        - { path: ^/system/officer/add, roles: ROLE_ADD_OFFICER }
        - { path: ^/system/officer/edit, roles: ROLE_EDIT_OFFICER }
        - { path: ^/system/officer, roles: ROLE_VIEW_OFFICER }

        - { path: ^/system/job/add, roles: ROLE_ADD_JOBS }
        - { path: ^/system/job/edit, roles: ROLE_EDIT_JOBS }
        - { path: ^/system/job, roles: ROLE_VIEW_JOBS }

        - { path: ^/system/company/add, roles: ROLE_ADD_COMPANIES }
        - { path: ^/system/company/edit, roles: ROLE_EDIT_COMPANIES }
        - { path: ^/system/company, role: ROLE_VIEW_COMPANIES }

        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/system, roles: ROLE_USER }

For example, my current group does not have the ROLE_EDIT_STAFF role, yet I am still able to access the path.

Upvotes: 0

Views: 3561

Answers (1)

Chase

Reputation: 9362

Every time you make a request, Symfony will check your access controls to find one that works.

When you request /system/staff/edit, here's what happens.

For your setup it finds:

- { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }

But since you don't have the role ROLE_EDIT_STAFF, it moves on.

It now matches:

- { path: ^/system/staff, roles: ROLE_VIEW_STAFF }

Because your route does start with ^/system/staff, and you have ROLE_VIEW_STAFF, you are granted access.

In addition to that one you have:

- { path: ^/system, roles: ROLE_USER }

Which means that anyone who has the ROLE_USER can access any route that starts with /system.

Whether it's /system/admin/delete-all or just /system, it matches them both.

If you want to use strict route controls, I would recommend dropping the ^ from the start of the routes unless you really mean to match any routes starting with what follows the ^.

Upvotes: 3
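As an added illustration, not code from the question, the answer, or Symfony itself: the Python simulator below takes the access_control list and role_hierarchy from the question, walks the rules top to bottom, stops at the first rule whose regex matches the request path (the documented first-match behaviour of Symfony's access_control; patterns are searched with `^` anchoring them to the start of the path, exactly as a regex search does), expands role_hierarchy, and reports allow/deny. It also includes a hypothetical find_shadowed_rules audit that flags a rule placed after a shorter literal-prefix rule, since under first-match evaluation such a rule can never be selected. The user roles and sample paths are constructed for the demonstration.

```python
import re

# Rules copied from the question's access_control, in the order they appear:
# (regex pattern, set of roles any one of which grants access).
ACCESS_CONTROL = [
    (r"^/system/staff/add", {"ROLE_ADD_STAFF"}),
    (r"^/system/staff/edit", {"ROLE_EDIT_STAFF"}),
    (r"^/system/staff", {"ROLE_VIEW_STAFF"}),
    (r"^/system/profile/edit", {"ROLE_USER"}),
    (r"^/system/profile", {"ROLE_USER"}),
    (r"^/system/officer/add", {"ROLE_ADD_OFFICER"}),
    (r"^/system/officer/edit", {"ROLE_EDIT_OFFICER"}),
    (r"^/system/officer", {"ROLE_VIEW_OFFICER"}),
    (r"^/system/job/add", {"ROLE_ADD_JOBS"}),
    (r"^/system/job/edit", {"ROLE_EDIT_JOBS"}),
    (r"^/system/job", {"ROLE_VIEW_JOBS"}),
    (r"^/system/company/add", {"ROLE_ADD_COMPANIES"}),
    (r"^/system/company/edit", {"ROLE_EDIT_COMPANIES"}),
    (r"^/system/company", {"ROLE_VIEW_COMPANIES"}),
    (r"^/login", {"IS_AUTHENTICATED_ANONYMOUSLY"}),
    (r"^/system", {"ROLE_USER"}),
]

# role_hierarchy from the question: holding the key role implies the listed roles.
ROLE_HIERARCHY = {
    "ROLE_ADMIN": ["ROLE_USER"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"],
}

# Regex metacharacters; a pattern without any of them is a plain literal path.
_META = set(".*+?[](){}|\\")


def expand_roles(roles):
    """Transitive closure of the user's roles over ROLE_HIERARCHY."""
    effective = set(roles)
    stack = list(roles)
    while stack:
        role = stack.pop()
        for implied in ROLE_HIERARCHY.get(role, []):
            if implied not in effective:
                effective.add(implied)
                stack.append(implied)
    return effective


def first_matching_rule(path, rules=ACCESS_CONTROL):
    """Return (index, pattern, roles) for the first rule whose regex matches, else None."""
    for index, (pattern, roles) in enumerate(rules):
        if re.search(pattern, path):
            return index, pattern, roles
    return None


def decide(path, user_roles, rules=ACCESS_CONTROL):
    """Return (decision, deciding_pattern); decision is 'allow', 'deny' or 'unprotected'."""
    match = first_matching_rule(path, rules)
    if match is None:
        return "unprotected", None          # no rule covers this path at all
    _, pattern, required = match
    if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return "allow", pattern             # open to anonymous users
    granted = bool(required & expand_roles(user_roles))
    return ("allow" if granted else "deny"), pattern


def find_shadowed_rules(rules):
    """Hypothetical audit helper: list (shadowed_pattern, earlier_pattern) pairs where an
    earlier literal rule matches every path the later rule could match, so the later
    rule is unreachable under first-match evaluation. Regex-heavy patterns are skipped."""
    seen = []     # (pattern, literal, exact) for earlier analysable rules
    shadowed = []
    for pattern, _ in rules:
        literal = pattern.lstrip("^").rstrip("$")
        if _META & set(literal):
            continue                        # not a plain literal; not analysed
        exact = pattern.endswith("$")
        for earlier_pattern, earlier_lit, earlier_exact in seen:
            prefix_covers = not earlier_exact and literal.startswith(earlier_lit)
            exact_covers = earlier_exact and exact and literal == earlier_lit
            if prefix_covers or exact_covers:
                shadowed.append((pattern, earlier_pattern))
                break
        seen.append((pattern, literal, exact))
    return shadowed


if __name__ == "__main__":
    # Constructed sample user: in a group holding only ROLE_USER and ROLE_VIEW_STAFF.
    user = {"ROLE_USER", "ROLE_VIEW_STAFF"}
    for path in ["/system/staff/edit", "/system/staff", "/system/admin/delete-all", "/login", "/"]:
        print(f"{path:28} -> {decide(path, user)}")
    print("shadowed (question's order):", find_shadowed_rules(ACCESS_CONTROL))
    print("shadowed (rules reversed):  ", find_shadowed_rules(list(reversed(ACCESS_CONTROL)))[:3])
```

With the question's ordering the audit reports nothing: the longer, more specific prefixes sit above the shorter ones, so /system/staff/edit is decided by the ROLE_EDIT_STAFF rule alone, while any other path under /system/staff falls through to ROLE_VIEW_STAFF and everything else under /system to ROLE_USER. Reversing the list puts ^/system first and makes every other /system rule unreachable, which is the ordering mistake the audit is meant to catch.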
