Omar Trkzi
Reputation: 301
Allow different roles to access the index page
This is the security.yaml :
security:
access_control:
- ...
- { path: ^/, roles: ROLE_USER }
- { path: ^/*, roles: ROLE_ADMIN }
Expected behavior:
Allowing every user (isGranted('ROLE_USER') upon creation) to access the index page routed in @Route("/","index"), and denying them from accessing any page (not mentioned in a previous access control) with a route like "/example", unless they have the ROLE_ADMIN role.
Actual behavior:
Allows every user (with role ROLE_USER) to access any page (not mentioned in a previous access control) with a route like "/example"
Notes
- Since 'Only the first access control that matches will be used', I guess that the route
/is considered part of/*in Symfony, and even though that explains the behavior. It still doesn't solve how to make the index page/accessible by some users yet restrict access to pages like/example. - I could restrict access to every page with a route like
/examplewith- { path: ^/example, roles: ROLE_ADMIN }, but that doesn't look clean since it may cause security vulnerabilities later on.
Upvotes: 0
Views: 51
Answers (1)
Omar Trkzi
Reputation: 301
As @A.L said in his comment, this worked for me:
security:
access_control:
- ...
- { path: ^/$, roles: ROLE_USER }
- { path: ^/*, roles: ROLE_ADMIN }
However, if you think there is a better way to achieve the same result, your answer would be appreciated.
Upvotes: 1
Related Questions
- Symfony restrict page access to a group of people
- User Admin login, give users elevated permissions - Symfony 4
- restrict access to login symfony depending on the role
- How to deny access to all pages in Symfony 2
- What is the proper way to prevent not logged in users to acces specific pages
- Roles assignement in Symfony 2
- symfony2 security roles
- Symfony2 Access Control/Security
- prevent some user from viewing some pages
- Symfony access_control by role