I log the user in fine; it is working in Symfony2. During registration, the role and a state_id are saved in the DB.
role: ROLE_USER
state_id: 4 //e.g. has only permissions to do some extra actions
Is there a way in Symfony2, in security.yml, to give permissions to targets based on both the role and the state_id?
Better to use different roles for this, not a state id. For example: ROLE_USER, ROLE_USER_4, etc.
I have a JHipster microservice named "blog" and a JHipster gateway.
I have created an entity named "Farmer".
I have created the two users below in Keycloak.
Users:
1) Pradeep, with ROLE_ADMIN
2) Rahul, with ROLE_USER
While accessing the entity in the admin panel of the JHipster gateway, I get an unauthorized error for the admin (Pradeep), whereas for the user (Rahul) I am able to access the entity.
Please find the screenshots below.
i) Admin Panel Home Page
ii) Admin Entity Page
When the admin clicks on the Farmer entity, the error below is what I get.
iii) User Home Page
iv) User Entity Page
When the user (Rahul) tries to access the Farmer entity, he is able to access it.
Please let me know what could be the issue.
Admin users should also have the ROLE_USER role in order to access the entity page. This is because the entity routes are secured by default to the ROLE_USER role.
For example, notice the authorities array in the bank-account.route.ts from the sample app:
    {
        path: '',
        component: BankAccountComponent,
        data: {
            authorities: ['ROLE_USER'],
            pageTitle: 'jhipsterSampleApplicationApp.bankAccount.home.title'
        },
        canActivate: [UserRouteAccessService]
    },
I'm quite new to Sonata Admin Bundle and I'm trying to make the User bundle work; however, what I really need is just to limit access to the admin area to a single administrator, so it may be a bit of an overhead. Is it feasible, with all the Symfony dynamic routing, to secure the access with something as simple as an .htaccess rule or something similar?
I'd recommend restricting access to the /admin path to a role (e.g. ROLE_ADMIN) and assigning the role only to the user that should have said access:
    # app/config/security.yml
    security:
        # ...
        access_control:
            # require ROLE_ADMIN for /admin*
            - { path: ^/admin, roles: ROLE_ADMIN }
For more info on Access Control see the documentation.
I'm trying to understand something about Symfony and the "super admin".
When I use FOSUser to create a user with super admin privileges
    php app/console fos:user:create adminuser --super-admin
I'd firstly like to know what this means (from the doc):
[...] Specifying the --super-admin option will flag the user as a super admin [...]
I imagine it means granting ROLE_SUPER_ADMIN to the user because I don't see any super-admin field in the user table.
Secondly, while (still from the doc):
A super admin has access to any part of your application
    security:
        role_hierarchy:
            ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ...]
Why do we still need to configure the access hierarchy for it?
Looking at FOSUserBundle's code, you will find that the CreateUserCommand, if invoked with the --super-admin flag, will call the UserManipulator with a boolean argument $superadmin=true.
Now the UserManipulator calls the UserManager, who will create a User object, call its setSuperAdmin() method and persist the new user afterwards.
The method looks as follows:
    public function setSuperAdmin($boolean)
    {
        if (true === $boolean) {
            $this->addRole(static::ROLE_SUPER_ADMIN);
        } else {
            $this->removeRole(static::ROLE_SUPER_ADMIN);
        }
        return $this;
    }
So answering your first question:
Yes, the --super-admin flag causes FOSUserBundle to create a new user with the ROLE_SUPER_ADMIN role.
You still have to include the role hierarchy in your security configuration because the ROLE_SUPER_ADMIN role basically doesn't differ from any other role.
It's just a convention provided by the Symfony standard edition that users with role ROLE_SUPER_ADMIN should not have any access restrictions.
If you want the ROLE_SUPER_ADMIN to bypass all security voters by default, have a look at JMSSecurityExtraBundle's IddqdVoter, which implements this for the special role ROLE_IDDQD. But this has already been suggested in your other question here.
By defining the hierarchy, you explicitly grant it the ROLE_ADMIN and ROLE_ALLOWED_TO_SWITCH roles (or other custom roles you could have).
If you comment this line, and you try to access with your ROLE_SUPER_ADMIN user to an action with a ROLE_ADMIN check, you will get a not allowed error.
The ROLE_SUPER_ADMIN is just a convention for the name the super administrator role should have, but it does not have privileges on its own; you have to explicitly grant them to it.
I need to find a way to set access to a URL by function.
For example, can I set 'access control' in security.yml this way:
    access_control:
        - { path: ^/admin$, function: checkadmin() }
In other words, Symfony runs the 'checkadmin()' function, and that function returns a boolean value that decides access to the path.
Or do other ways exist?
You have to provide a role when configuring an access control rule. That part of the security bundle (authorization) only cares about matching requests with required roles.
With that concrete rule, define a custom role like so:
    access_control:
        - { path: ^/admin$, role: CHECK_ADMIN }
Then the question becomes, how can I dynamically add a role to a user?
The answer is a Security Voter:
http://kriswallsmith.net/post/15994931191/symfony2-security-voters (best explanation)
Dynamically adding roles to a user
http://symfony.com/doc/current/cookbook/security/voters.html
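The dynamically decided role this answer describes (and the role-plus-state_id combination asked about in the first question on this page), as an added example that is not from any of the posts: a Symfony 2.x voter that decides the custom CHECK_ADMIN attribute in code. The AppBundle namespace and the User class's getStateId() accessor are assumptions.

```php
<?php
// Added example, not from any post: a Symfony 2.x voter that decides the custom
// CHECK_ADMIN attribute in code. Assumes the AppBundle namespace and that the
// User class has getRoles() plus a hypothetical getStateId() accessor.
namespace AppBundle\Security;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class CheckAdminVoter implements VoterInterface
{
    const ATTRIBUTE = 'CHECK_ADMIN';
    public function supportsAttribute($attribute)
    {
        return self::ATTRIBUTE === $attribute;
    }

    public function supportsClass($class)
    {
        return true; // access_control passes the Request; this voter ignores it
    }
    public function vote(TokenInterface $token, $object, array $attributes)
    {
        if (!in_array(self::ATTRIBUTE, $attributes, true)) {
            return self::ACCESS_ABSTAIN; // not our attribute: let other voters decide
        }
        $user = $token->getUser();
        if (!is_object($user)) {
            return self::ACCESS_DENIED; // anonymous token carries the string 'anon.'
        }
        // This is where the question's checkadmin() logic goes. Here it combines
        // the stored role with the state_id from the first question on the page.
        $isAdmin = in_array('ROLE_ADMIN', $user->getRoles(), true);
        $stateOk = 4 === $user->getStateId();
        return ($isAdmin && $stateOk) ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }
}
/*
Register the voter and reference the attribute from access_control:
# app/config/services.yml
services:
    app.check_admin_voter:
        class: AppBundle\Security\CheckAdminVoter
        tags: [{ name: security.voter }]
# app/config/security.yml
security:
    access_control:
        - { path: ^/admin$, roles: CHECK_ADMIN }
*/
```

The built-in RoleVoter only handles attributes prefixed with ROLE_, so it abstains on CHECK_ADMIN and the default affirmative strategy grants the request exactly when this voter does.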
I am using a solution similar to http://blog.jmoz.co.uk/symfony2-fosuserbundle-role-entities
So I have a Role entity that implements RoleInterface and I have a modified User entity that is set up to have a ManyToMany relationship with the Roles.
This allows me to use code like this:
    $user = $this->get('security.context')->getToken()->getUser();
    $role = new Role('ROLE_TEST');
    $user->addRole($role);
    $em = $this->getDoctrine()->getEntityManager();
    $em->persist($role);
    $em->persist($user);
    $em->flush();
I can then check if a user has a role with:
    $user = $this->get('security.context')->getToken()->getUser();
    if ($user->hasRole('ROLE_TEST')) {
        // do stuff...
    }
This solution is OK, but I need to have access to the security context and use code like this:
    if ($this->get('security.context')->isGranted('ROLE_TEST')) {
        // do stuff...
    }
And in the security.yml config file I would like to use the access_control code like this:
    access_control:
        - { path: ^/test$, role: ROLE_TEST }
Do I need a custom user manager for this? The roles that are assigned to a user in the database are not being carried over to the built in Symfony security system.
In other words when I view the security section of the profiler it shows that the user is assigned to Roles [ROLE_USER], but I am hoping to get it so the system will also recognize the roles that I have set in the database for the logged in user such as ROLE_TEST.
The reason that this was not working is because I was still logged in with the same session. Logging out and then back in again to refresh the session with the new roles does the trick. DOH!