Chapters

36 Chapters | 1:50:44 |

01

Introduction

0:44
02

Security Fundamentals

3:47
03

Authorization with Access Control

2:08
04

Creating a Login Form (Part 1)

4:46
05

Creating a Login Form (Part 2)

3:57
06

Logging Out and Cleaning Up

5:03
07

Twig Security and IS_AUTHENTICATED_FULLY

2:41
08

Denying Access: AccessDeniedException

4:23
09

Entity Security

4:32
10

Saving Users

3:37
11

Adding Dynamic Roles to each User

4:56
12

Repository Security

4:20
13

Doctrine’s QueryBuilder

2:25
14

The UserProvider: Custom Logic to Load Security Users

3:15
15

User Serialization

2:16
16

Registration Form

3:11
17

Form Rendering

4:38
18

Using More Fields: email and repeated

2:31
19

Handling Form Submissions

4:22
20

Form: Default Data

2:10
21

Cleaning up with a plainPassword Field

1:34
22

Using an External Form Type Class

2:40
23

Registration Validation

3:36
24

Server-Side Validation

4:18
25

Adding a Flash Message

1:35
26

Automatically Authenticating after Registration

0:55
27

Functional Testing

5:04
28

Testing Forms

3:21
29

Controlling Data / Fixtures in a Test

3:23
30

More about Container, the “doctrine” Service and the Entity Manager

1:54
31

After-dinner Mint

3:35
32

Security: Creating Roles and Role Hierarchies

2:50
33

Switching Users / Impersonation

1:09
34

Whitelisting: Securing all Pages, except a few

2:15
35

Accessing the User

1:09
36

Remember Me Functionality

1:44

This tutorial has a new version, check it out!

> Symfony 2 > Starting in Symfony2: Course 2 (2.4+)

Buy Access to Course

03.

Authorization with Access Control

Autoplay

Previous Chapter

Next Chapter

Authorization with Access Control¶

Before we keep going with authentication and make it possible to login, let’s try out our first piece of authorization and start denying access!

Head back to security.yml. The easiest way to deny access is via the access_control section. Let’s use its regular expression coolness to protect any URLs that start with “/new” or “/create”.

Roles are given to a user when they login and if you’re not logged in, you don’t have any. Here, we’re saying that you at least need ROLE_USER to access these URLs:

# app/config/security.yml
security:
    # ...
    access_control:
        - { path: ^/new, roles: ROLE_USER }
        - { path: ^/create, roles: ROLE_USER }

Try it out! When we try to add an event, we’re redirected to /my-login-url. Hey! I know that URL! That’s what we put for the login_path config key.

So here’s the magic that just happened behind the scenes:

We tried to go to /new. Since our anonymous user doesn’t have any roles, the access controls kicked us out;
The firewall saves the day. Instead of giving us an access denied screen, it decides to give us a chance to login. The form_login key in tells the firewall that we want to use a good old fashioned login form, and that the login form should live at /my-login-url.

It’s our job to actually create the login page. And since we haven’t yet, we see the big ugly 404 error.

More access_control options¶

The access_control has a few more tricks to it. Head over to the Security chapter of the book and find the section on access_control. I want you to read this, but the most important thing to know is that only one access_control entry is matched on a request. Symfony goes down the list, finds the first match, and uses only it to check authorization. I’ll show you an example during the last chapter.

There’s also other goodies, like different access controls based on the user’s IP address or depending on which hostname is being accessed. You can even make it so that a user is redirected to https.

3 Comments

Sort By

rchdevel 6 years ago

Hello Ryan,

how could I achieve an authorization based on sub-domain ?
each sub-domain has it's own configuration and a user is linked to one or more sub-domains.
so when a user is logged in (switch sub-domain), I should check if he has authorization on that sub-domain. What event should I use to make the decision?
- I think kernel.request is not the good one, but neither security.interactive_login

just can't figure out an elegant solution for this.
any idea?

many thanks in advance,
Richard

1 | Reply |

weaverryan SFCASTS rchdevel 6 years ago

Hi Richard!

Hmm. I would add a kernel.request listener for this. There, IF the user is logged in and they are not linked to the sub-domain, you can take some action - like redirecting them to the main domain or rendering a special response/template that says they don't have access (you could also simply throw an AccessDeniedException, which will render the standard 403 error template).

Your setup might have some edge-cases I don't know about, which would make this messier than I'm describing - but this is definitely where I'd start. So, I think you and I were thinking fairly closely on this :).

Cheers!

1 | Reply |

rchdevel weaverryan 6 years ago

Hello Ryan,

thank you so much for your answer! yeap, finally I solved like this (using a kernel.request) and works like a charm...

many thanks once again,
Richard

| Reply |

Symfony 2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1" // 4.1.0
    }
}