Twig Security and IS_AUTHENTICATED_FULLY

Since logging out works, let’s add a link to actually do it.

We already know logging out in Symfony is really easy. As long as the logout key is present under our firewall and we have a route to /logout, we can surf there and it’ll just work. Symfony takes care of the details behind the scenes.

Security Inside Twig: is_granted

Open up the homepage template and add the logout link. This is just like generating any other URL: use the Twig path function and pass it the name of the route:

{# src/Yoda/EventBundle/Resources/views/Event/index.html.twig #}
{# ... #}

<a class="button" href="{{ path('event_new') }}">Create new event</a>

<a class="link" href="{{ path('logout') }}">Logout</a>

{# ... #}

It works of course, but we don’t want to show it unless the user is actually logged in. To test for this, use the Twig is_granted function and pass it a special IS_AUTHENTICATED_REMEMBERED string:

{% if is_granted('IS_AUTHENTICATED_REMEMBERED') %}
    <a class="link" href="{{ path('logout') }}">Logout</a>
{% endif %}

And that works perfectly!

Trust Levels: IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_REMEMBERED, IS_AUTHENTICATED_FULLY

is_granted is how you check security in Twig, and we also could have passed normal roles here like ROLE_USER and ROLE_ADMIN, instead of this IS_AUTHENTICATED_REMEMBERED thingy. So in addition to checking to see if the user has a given role, Symfony has 3 other special security checks you can use.

  • First, IS_AUTHENTICATED_REMEMBERED is given to all users who are logged in. They may have actually logged in during the session or may be logged in because they have a “remember me” cookie.
  • Second, IS_AUTHENTICATED_FULLY is actually stronger. You only have this if you’ve actually logged in during this session. If you’re logged in because of a remember me cookie, you won’t have this.
  • Finally, IS_AUTHENTICATED_ANONYMOUSLY is given to all users, even if you’re not logged in. And since literally everyone has this, it seems worthless. But it actually does have a use if you need to white-list URLs that should be public. I’ll show you an example in the last chapter.

Since we’re checking for IS_AUTHENTICATED_REMEMBERED, we’re showing the logout link to anyone who is logged in, via a remember me cookie or because they recently entered their password. We want to let both types of users logout.

Let’s get super fancy and add a login link for those anonymous souls:

{# src/Yoda/EventBundle/Resources/views/Event/index.html.twig #}
{# ... #}

{% if is_granted('IS_AUTHENTICATED_REMEMBERED') %}
    <a class="link" href="{{ path('logout') }}">Logout</a>
{% else %}
    <a class="link" href="{{ path('login_form') }}">Login</a>
{% endif %}

You’ll probably want to use IS_AUTHENTICATED_REMEMBERED almost everywhere and save IS_AUTHENTICATED_FULLY for pages that need to be really secure, like checkout. If the user is only IS_AUTHENTICATED_REMEMBERED and hits one of those pages, they’ll be redirected to login.
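The same trust-level distinction applied in a controller instead of a template, as an added example that is not part of the tutorial's code: the CheckoutController class, its actions and the response text are assumptions, while security.context and isGranted() are the service and method Symfony 2.4 (the version in this tutorial's composer.json) provides.

```php
<?php
// src/Yoda/EventBundle/Controller/CheckoutController.php (hypothetical class, added example)
namespace Yoda\EventBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class CheckoutController extends Controller
{
    /**
     * A page that must only be reachable by users who entered their password
     * during this session, not by users who are logged in via a "remember me"
     * cookie.
     */
    public function checkoutAction()
    {
        $securityContext = $this->get('security.context');

        // IS_AUTHENTICATED_FULLY is stricter than IS_AUTHENTICATED_REMEMBERED:
        // a remember-me user is "logged in" but still fails this check.
        if (!$securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
            // For a remember-me user Symfony's exception listener turns this
            // into a redirect to the login form rather than a 403 page,
            // because the user is not yet "full fledged"; after they enter
            // their password they come back here with IS_AUTHENTICATED_FULLY.
            throw new AccessDeniedException('Re-enter your password to check out.');
        }

        return new Response('Checkout page: fully authenticated user');
    }

    /**
     * An ordinary member page: remember-me users are fine here, so the looser
     * IS_AUTHENTICATED_REMEMBERED check is enough. An anonymous user still
     * gets redirected to login, because they have neither trust level.
     */
    public function accountAction()
    {
        if (!$this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            throw new AccessDeniedException();
        }

        return new Response('Account page: remembered or fully authenticated user');
    }
}
```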

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1" // 4.1.0
    }
}