I have this scenario.
My site has a secured part. Security is, I think, correctly configured.
If I try to open a secured URL from the browser, I am asked to type a username and password.
The Symfony profiler correctly shows the user context after logon.
The homepage (root route) is not secured (the profiler shows the anonymous context here).
Now the problem:
If, in the twig template of the homepage, I put something like this
{{ render(path('secured_route')) }}
the content of the secured route is rendered!
I expected to get some kind of exception or the login window!
Is this a bug or am I missing something?
When rendering a controller this way, you're bypassing the router, so security rules related to routes are bypassed too.
The best you can do is to restrict your controller to logged-in users using the @Security annotation:
/**
* @Security("has_role('IS_AUTHENTICATED_REMEMBERED')")
*/
By using "render" from Twig you are skipping the security checks related to routes. If you don't need the content in the anonymous context, you could check the role from Twig before rendering the controller, something like:
{% if is_granted('ROLE_USER') %}
{{ render(path('secured_route')) }}
{% endif %}
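Both answers above point at the same fix: the route-level access_control only protects requests that pass through the router, so an embedded fragment must enforce authorization itself. The controller below is an added example (not code from the question or the answers); it assumes Symfony 3.4/4.x with AbstractController, and the class, route and template names are made up.

```php
<?php
// Added example: a fragment controller that enforces its own authorization,
// so it stays protected whether it is reached through the router or through
// Twig's render(path('secured_route')). Names below are assumptions.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class SecuredFragmentController extends AbstractController
{
    /**
     * @Route("/secured", name="secured_route")
     */
    public function fragment(): Response
    {
        // access_control in security.yaml is evaluated for routed requests only.
        // A render() sub-request never hits it, so the check has to live here.
        // This throws AccessDeniedException; the firewall's exception listener
        // then sends anonymous users to the entry point (login form) and
        // returns 403 for authenticated users lacking the attribute.
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_REMEMBERED');

        // Only reached for users who passed the check above.
        return $this->render('secured/fragment.html.twig', [
            'username' => $this->getUser()->getUsername(),
        ]);
    }
}
```

Keeping the Twig-side is_granted() guard from the answer above is still worthwhile, because it avoids starting a sub-request that is guaranteed to fail; the controller check is what makes the fragment safe when that guard is forgotten.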
I'm in the process of building a headless implementation of Shopify+.
I'm trying to set up the Shopify email reset notification to redirect back to my site (in this case just localhost), but I need it to also pass the recovery token.
I can't find any documentation on how to get only the token in the email template. I want to replace the link below with something like http://localhost:8449/auth/reset/{{ ??resettoken?? }}.
My question is how do I get just the token part without the URL in the Liquid email template? And is there a documentation somewhere I should follow for this?
You can use the split tag and extract the token; please check the code below.
{% assign resetUrlData = customer.reset_password_url | split: "/" %}
{% assign resetUrl = "http://localhost:8449/auth/reset/" | append: resetUrlData[6] %}
Add this code at the top of the template, before the start of the table tag, or anywhere in the code where you want it, and after that replace the "Reset your password" anchor tag code with the code below.
Reset your password
How can I disable the cookie consent tool?
I know there is no option for it (Shopware issue NEXT-9096).
You have to disable it in the template.
I tried storefront/layout/cookie/cookie-permission.html.twig but that's not working.
To disable the cookie notification create a new file in your plugin YourPlugin/src/Resources/views/storefront/layout/cookie/cookie-permission.html.twig with the content:
{% sw_extends '@Storefront/storefront/layout/cookie/cookie-permission.html.twig' %}
{% block layout_cookie_permission_inner %}
{% endblock %}
This will disable the layout_cookie_permission_inner block containing the cookie notification.
You can disable this without changing the template.
Use the option in:
Settings > Basic information > Security and Privacy > Use Default Cookie Notification
"You can deactivate the default cookie notification if you are using a third party solution."
I have an MVC 5 site, using a shared _Layout view.
In this _Layout view I render my scripts in the bottom part, after the body.
@Scripts.Render("~/bundles/jquery")
@Scripts.Render("~/bundles/jqueryui")
@*BootStrap must be loaded after JQuery UI in order to override the tooltip function*@
@Scripts.Render("~/bundles/bootstrap")
@Scripts.Render("~/bundles/jqueryval")
@Scripts.Render("~/bundles/Session")
My problem now is that I want to include the Session bundle in every page, except my login pages.
In other words, I want to use the Session bundle only for pages where the user is logged in and has an active session.
How can I check for this condition in my _Layout view and render the Scripts.Render call conditionally?
In other pages, I would add a bool field to my model and then use a C# if construction to only render the script part if true, but I do not have a model in my _Layout view.
I am also using custom, very simple login methods, so I am not using the Identity Framework of MVC5.
EDIT
It was suggested that I use the Request object:
@if (Request.IsAuthenticated) { @Render...}
This does not work since I'm using a custom login that does not work with the built-in framework.
I read up on how this field works here: How does Request.IsAuthenticated work?
The problem is still unresolved.
@if (Request.IsAuthenticated)
{
// Render stuff for authenticated user
}
I found an answer:
access session variable from layout page ASP.NET MVC3 RAZOR
I am able to access the Session object from my layout. Using that, I can check if my custom authentication object is null. If it's not null, the user is logged in.
@if (Session["BrugerSession"] != null)
{
@Scripts.Render("~/bundles/Session")
}
I'm using the Symfony framework with the FOS User Bundle. I'm using the security context to determine which menu items and other items to display.
$securityContext = $this->get('security.context');
if ($securityContext->isGranted($report['Permission'])){
//add the menu item...
}
Is there any way to give an anonymous user a security context of 'ROLE_USER'? I've got logged-in users working properly.
I tried adding the line:
role_hierarchy:
IS_AUTHENTICATED_ANONYMOUSLY: ROLE_USER
to my security.yml hoping this would do it, but apparently not. I've Googled around a little bit and read the documentation.
I imagine that:
if ($securityContext->isGranted($report['Permission'])
|| ($report['Permission'] === 'ROLE_USER' && $securityContext->is_anonymous()))
would work, but this feels like kind of a hack (and not very DRY).
Edit:
This is for an intranet site. I've got a table that contains the names of reports. Some reports should be viewable by everyone, regardless of whether they are logged in or not. Some reports require permissions to view. I don't want to create several hundred users when only a handful will need access.
If you are trying to give people access to a given URL, why not simply authorize it this way?
You have two methods to achieve this: create a firewall authorization, or define a role for the URL.
1) Firewall authorization
firewalls:
test:
pattern: ^/ws # your URL, or a URL pattern as a regex
anonymous: true
2) URL with a role-defined access
access_control:
- { path: ^/given-url, roles: IS_AUTHENTICATED_ANONYMOUSLY }
# in app/config/security.yml
In both cases, non-authenticated and authenticated users will have access to this URL.
By the way, if you want to test (in order to display some user variables) whether a user is authenticated or not, just make your test in Twig:
{% if app.user is defined and app.user is not null %}
The user {{ app.user.username }} is connected.
{% else %}
No user connected
{% endif %}
EDIT: Content-based view: just create a route for your action which would not match your firewall rules.
I have setup custom error pages to display for certain HTTP errors in the folder:
app/Resources/TwigBundle/views/Exception/
The 403 page (error403.html.twig) works and displays as expected.
The 500 page (error500.html.twig) works and displays as expected.
The 404 page (error404.html.twig) throws a 500 server error:
PHP Fatal error: Uncaught exception 'Symfony\Component\Routing\Exception\ResourceNotFoundException'
The error is thrown by an auth check used to display certain menu items depending on whether users are authenticated:
{% if is_granted('IS_AUTHENTICATED_FULLY') %}
If I remove that check and just allow all menu items to display, the page loads the error page as expected. Again, the 403 page displays as it should and utilizes the auth checks without a problem.
I'm stuck on this one. The pages are EXACTLY the same, apart from the filename.
If Symfony < 2.8:
{% if app.user is not null and is_granted('ROLE_ADMIN') %}
See: https://github.com/symfony/symfony-docs/issues/2078
Edit from Dec 17 '15:
This is no longer needed since 2.8;
{% if is_granted('ROLE_ADMIN') %}
works fine now.
source: http://symfony.com/blog/new-in-symfony-2-8-dx-improvements#allow-to-check-for-security-even-in-pages-not-covered-by-firewalls
You can't use is_granted in a 404 page since 2.1.
It's mentioned in the upgrade file:
The Firewall listener is now registered after the Router listener. This means that specific Firewall URLs (like /login_check and /logout) must now have proper routes defined in your routing configuration. Also, if you have a custom 404 error page, make sure that you do not use any security related features such as is_granted on it.
See:
https://github.com/symfony/symfony/blob/master/UPGRADE-2.1.md#security
I would suggest checking for app.security.token to be stricter; it evaluates to true even when the user is anonymous.
If you check for app.user it will evaluate to false in exception templates, but also when the firewall is present (= regular templates) and the user is not logged in. This will prevent, for example, the display of a login button.
See: https://github.com/symfony/symfony-docs/pull/2359