I'm quite new to Sonata Admin Bundle and I'm trying to make the User bundle work, however what I really need is just to limit acces to the admin area to a single administrator so it may be a bit of an overhead. Is it feasibile with all the symfony dynamic routing to secure the access with something as simple as an .htaccess rule or sth similar?
I'd recommend restricting access to /admin path to a role (e.g. ROLE_ADMIN) and assigning the role only to the user, that should have said access:
# app/config/security.yml
security:
# ...
access_control:
# require ROLE_ADMIN for /admin*
- { path: ^/admin, roles: ROLE_ADMIN }
For more info on Access Controll see documentation.
Related
I have a firewall rule which together with annotations allows only access to actions as specific user.
Additionally I would love to block ANY login if it is not coming from a certain network. Searching for a solution I came across additional access_control rules following this guide.
The problem there is, if I restrict my login page via IP rules. I always get an ERR_TOO_MANY_REDIRECTSerror if someone tries to reach it. I would rather love to have a "Page not Found" message to not even make someone from outside aware there could be any login.
How can I do this with Symfony?
security.yml:
security:
...
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
logout: true
anonymous: true
access_control:
- { path: ^/logout$, role: ROLE_ADMIN }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https, ips: [127.0.0.1, fe80::1, ::1]}
- { path: ^/login$, roles: ROLE_NO_ACCESS }
- { path: ^/admin, role: ROLE_ADMIN, requires_channel: https}
If I am not mistaken, what Symfony does here, is try and match the role of the user to what is required for the path.
If it doesn't match one of those roles, it sends the user to the login page.
The problem is, the login page is where the user has just come from. Thus the user gets into an infinite loop as their condition can never be met.
I would suggest putting the login page itself outside of the firewall and just put the IP check within the code of the LOGIN page and if not met, dump out somewhere else, which isn't within the firewall.
This question already has an answer here:
FOSUserbundle + Additional HTTP auth without user getting ROLE_USER
(1 answer)
Closed 8 years ago.
I need to secure my whole web site (because it's in development). To achieve this, I want to put a simple HTTP Auth with static credentials in front of the whole web site. The user should not be able to see anything without entering the correct data.
I could use the .htaccess file, but the problem is that I have one VIRTUAL directory "/api" (using mod_rewrite) that I want to secure with another password / user combination. So I cannot simply put a .htaccess under /api that disables the general HTTP auth and enables another one.
So I have to do it with the Symfony2 security component. But I have absolutely no idea how.
Another problem is that I am using the FOSUserBundle. ==> I want the HTTP auth to be independent from the FOSUserBundle login. After entering the user / password of the HTTP auth, the user should not be logged in. He should be acting as a normal guest until he uses the FOSUserBundle login form.
Is there any way to do this in Symfony2?
All you have to do is put in your security.yml something like this:
security:
firewalls:
basic_secured_area:
pattern: ^/
anonymous: ~
http_basic:
realm: "Secured Demo Area"
fos_authentication:
pattern: ^/
#here you configure your FOSUserBundle security
providers:
in_memory:
memory:
users:
ryan: { password: ryanpass, roles: 'ROLE_USER' }
admin: { password: kitten, roles: 'ROLE_ADMIN' }
This will secure whole site because of url pattern: ^/ with http basic security. This is separate security than FOSUserBundle, authenticating in http basic won't make you logged in your FOSUserBundle.
Find complete guide here
I do log in the user very well. It is working fine in symfony2. During registration in the DB the role and a state_id are going to be saved.
role: ROLE_USER
state_id: 4 //e.g. has only permissions to do some extra actions
Is there a way in symfony2 in the security.yml that I give permissions to targets with role and state_id?
Better use different roles for this, not a state id. For example: ROLE_USER, ROLE_USER_4, etc.
I'm trying to understand something about Symfony and the "super admin".
When I use FOSUser to create a user with super admin privileges
php app/console fos:user:create adminuser --super-admin
I'd firstly like to know what means (from the doc)
[...]Specifying the --super-admin option will flag the user as a super admin[...]
I imagine it means granting ROLE_SUPER_ADMIN to the user because I don't see any super-admin field in the user table.
Secondly, while (still from the doc)
A super admin has access to any part of your application
security:
role_hierarchy:
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ...]
Why do we still need to configure the access hierarchy for it ?
Looking at FOSUserBundle's code you will find that the CreateUserCommand if invoked with the --super-admin flag will call the UserManipulator with a boolean argument $superadmin=true.
Now the UserManipulator calls the UserManager who will create a User Object, call it's setSuperAdmin() method and persist the new user afterwards.
The method looks as follows:
public function setSuperAdmin($boolean)
{
if (true === $boolean) {
$this->addRole(static::ROLE_SUPER_ADMIN);
} else {
$this->removeRole(static::ROLE_SUPER_ADMIN);
}
return $this;
}
So answering your first question:
Yes, the --super-admin flag causes FOSUserBundle to create a new user with the ROLE_SUPER_ADMIN role.
You still have to include the role hierarchy in your security configuration because the ROLE_SUPER_ADMIN role basically doesn't differ from any other role.
It's just a convention provided by the Symfony standard edition that users with role ROLE_SUPER_ADMIN should not have any access restrictions.
If you want the ROLE_SUPER_ADMIN to bypass all security voters by default - have a look at JMSSecurityExtraBundle's IddqdVoter which implements this for the special role ROLE_IDDQD. But this has already been suggested in your other question here.
By defining the hierarchy, you explicitly grant it the ROLE_ADMIN and ROLE_ALLOWED_TO_SWITCH roles (or other custom roles you could have)
If you comment this line, and you try to access with your ROLE_SUPER_ADMIN user to an action with a ROLE_ADMIN check, you will get a not allowed error.
The ROLE_SUPER_ADMIN is just a convention for the name the super administrator role should have, but it does not have privileges by it's own, you have to explicitly grant them to it.
I need to find a way to set access to url by function.
For example, Can I set 'access control' in security.yml this way:
access_control:
- { path: ^/admin$, function: checkadmin() }
In the other words, symfony run 'checkadmin()' function, and that function return a boolean value , so check access the path.
Or exist other ways?
You have to provide a role when configuring an access control rule. That part of the security bundle (authorization) only cares about matching requests with required roles.
With that concrete rule, define a custom role like so:
access_control:
- { path: ^/admin$, role: CHECK_ADMIN }
Then the question becomes, how can I dynamically add a role to a user?
The answer is a Security Voter:
http://kriswallsmith.net/post/15994931191/symfony2-security-voters (best explination)
Dynamically adding roles to a user
http://symfony.com/doc/current/cookbook/security/voters.html