Francesco Arreghini

Reputation: 99

Symfony access control by roles

I have FOSUserBundle and I want to set up a simple access control list so that if a user is not logged in, they are sent to the login page, and if they are not ROLE_ADMIN or similar, they can't go to the /admin page.

I wrote this in my security.yml:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: IS_AUTHENTICATED_FULLY }
    - { path: ^/admin, role: ROLE_ADMIN }

but now all logged-in users can go to the /admin page...

I don't understand my mistake.

Upvotes: 1

Views: 1511

Answers (3)

Imanali Mamadiev

Reputation: 2654

Just remove

- { path: ^/, role: IS_AUTHENTICATED_FULLY }

Upvotes: 0

sensorario

Reputation: 21610

Try to change

    - { path: ^/, role: IS_AUTHENTICATED_FULLY }
    - { path: ^/admin, role: ROLE_ADMIN }

to

    - { path: ^/admin, role: ROLE_ADMIN }
    - { path: ^/, role: IS_AUTHENTICATED_FULLY }

Upvotes: 4

DonCallisto

Reputation: 29912

Rules are evaluated in the order they're written, so

- { path: ^/, role: IS_AUTHENTICATED_FULLY }

will grant access to all areas under / if the user is authenticated.

You need to switch the last two rules and it will surely work as you expect.

Upvotes: 4
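The point all three answers rest on is that Symfony's access_control is first-match-wins: the firewall walks the list top to bottom, the first rule whose path regex matches the request decides, and any rule below it is never consulted. The script below is an added example (not code from the question, the answers, or Symfony itself) that models that evaluation in Python so the three configurations discussed above can be compared side by side. The three rule lists mirror the YAML on this page; the role attributes, the "redirect-to-login" versus "forbidden" split for denied requests, and the helper names are assumptions of this model, not Symfony API. Role hierarchy is deliberately left out.

```python
import re

# Each rule is (path regex, required attribute), in the order it appears in
# security.yml. Symfony matches the regex against the request path with
# search semantics, so "^/" matches every path. Lists are constructed here
# to mirror the YAML on this page.
ORIGINAL_CONFIG = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED_FULLY"),       # catches /admin before the next rule
    (r"^/admin", "ROLE_ADMIN"),              # never reached
]

# The accepted fix: the more specific /admin rule before the catch-all.
FIXED_CONFIG = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin", "ROLE_ADMIN"),
    (r"^/", "IS_AUTHENTICATED_FULLY"),
]

# The first answer's suggestion: drop the catch-all entirely.
NO_CATCHALL_CONFIG = [r for r in ORIGINAL_CONFIG if r[0] != r"^/"]


def effective_roles(user_roles):
    """Attributes a request carries (simplified model of Symfony's voters).

    user_roles is None for an anonymous request, otherwise the user's roles.
    """
    roles = {"IS_AUTHENTICATED_ANONYMOUSLY"}
    if user_roles is not None:
        roles.add("IS_AUTHENTICATED_FULLY")
        roles.update(user_roles)
    return roles


def first_matching_rule(access_control, path):
    """Return (index, rule) of the first rule whose regex matches, or None."""
    for index, rule in enumerate(access_control):
        if re.search(rule[0], path):
            return index, rule
    return None


def decide(access_control, path, user_roles=None):
    """Outcome of the firewall for one request under a given rule list.

    'allow'             - the first matching rule's attribute is satisfied
    'redirect-to-login' - denied and the request is anonymous (entry point)
    'forbidden'         - denied and the user is logged in (403)
    'no-rule'           - no rule matched, so access_control imposes nothing
    """
    match = first_matching_rule(access_control, path)
    if match is None:
        return "no-rule"
    _, (_, required) = match
    if required in effective_roles(user_roles):
        return "allow"
    return "redirect-to-login" if user_roles is None else "forbidden"


if __name__ == "__main__":
    for name, config in (("original", ORIGINAL_CONFIG),
                         ("fixed", FIXED_CONFIG),
                         ("no catch-all", NO_CATCHALL_CONFIG)):
        print(f"--- {name} ---")
        for path, roles in (("/admin", ["ROLE_USER"]), ("/admin", ["ROLE_ADMIN"]),
                            ("/admin", None), ("/profile", None), ("/login", None)):
            who = "anonymous" if roles is None else ",".join(roles)
            print(f"{path:10} {who:20} -> {decide(config, path, roles)}")
```

Running it shows why the question's config misbehaves: for /admin the original list matches rule index 3 (`^/`), so a plain ROLE_USER is allowed and the ROLE_ADMIN rule never fires. With the fixed order the same user gets a 403, an anonymous visitor is sent to login, and ROLE_ADMIN still gets in. The no-catch-all variant protects /admin too, but anything else under / (for example /profile) then matches no rule at all, so anonymous requests are no longer forced to the login page by access_control.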
