Authorization: access_control and Roles

Yo Bertin van den Ham!

Your config is totally the way to handle this :). When you use access_control, there are 2 strategies:

A) Use some access_control to deny access to just a few pages
B) Deny access to the entire site (or some entire section - like /cms) and then "whitelist" a one (or a few) URL under /cms that should be public.

You're using strategy (B), and you're using it just fine :). We talk a bit about this in an older tutorial - but this part is still relevant: https://knpuniversity.com/s...

Cheers!

No i cant go to /cms/login its takes long to load and then it says to many redirects. But with above config it works

Hey Bertin,

Your setup looks valid for me, you need to understand why you have those redirects. And Symfony can help with it, In your config_dev.yml file enable intercepting redirects:

web_profiler:
    intercept_redirects: true

And try again. You'll see where you're redirected manually following intercepted redirects.

Btw, important question, can you get to the /cms/login page and see the login form? Or are you redirected immediately? And where your login form submit data? What URL?

Cheers!

Fixed:

    access_control:
         - { path: ^/cms/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/cms, roles: ROLE_USER }

Is there a better way?

Iam trying to create the following login hierarchy with routes.

Login page is at :example.com/cms/login
Logout page is at: example.com/cms/logout
Actually cms (dashboard) is at: example.com/cms/

How could i setup this hierarchy. Because now i get ERR_TOO_MANY_REDIRECTS

Yeah that works too :)
When you want to apply the same rules to a set of paths, I find it easier doing it via "access_control", but actually that's completely up to you

Cheers!

Diego Aguiar Thank you for the reply. Works. But find out it might be a better way controller wide access controls with @Security :).

Hey Yahya A. Erturan

That's happening because if you are not logged in, you will be redirected to the login page, but your access control rule says that you must own "ROLE_USER" in order to access to any page, that's why you end up into an infinite loop of redirections.
You have to allow some paths to be accessible to everybody (Like the login page). Try adding this to your access control:

access_control:
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }

You can read more info about it here: https://symfony.com/doc/cur...

Cheers!

On onAuthenticationFailure @ AbstractGuardAuthenticator it redirects to 'loginUrl'. That's why I think :) We need to override it on LoginFormAuthenticator but how to fill it?

public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
if ($request->getSession() instanceof SessionInterface) {
$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
}

$url = $this->getLoginUrl();

return new RedirectResponse($url);
}

Hi, I am working authentication system throughout this tutorial. And authorization works nice if I navigate `/admin` for example. But when I add this to security.yaml file `access_control: - { path: ^/, roles: ROLE_USER }` and navigate to `/` page it says: `This page isn’t working symfony3.dev redirected you too many times.` Any idea why?

Jarvis!

Nice to hear from you man! So wow, I *hate* when things only work in dev. It's rare... but it's bad news when it happens! So first, does the problem exist locally on your machine, or only on the production machine? From your description, it sounds like it exists *locally* (but of course in the prod environment). I just want to make sure it's not some issue with the specific *machine*.

Next, when it doesn't work, what does that mean exactly? Do you mean that the access_control is basically ignored and all users (even anonymous) have access? Or, is it requiring login... but not requiring ROLE_ADMIN? And can you post the full access_control section? As you know, only *one* access control is matched per request... so one thing I'm thinking about is whether or not a different access control is being hit, for some reason.

And here are a few other things to try: change logging on prod to log everything (basically, copy the config_dev.yml logging stuff into config_prod.yml temporarily. This may help, because you can see all of the info in the logs. You could also temporarily enable the WebProfilerBundle for *all* environment in AppKernel, then copy the web_profiler config from config_dev.yml to config_prod.yml, but change intercept_redirects to true. As you also know, sometimes things get tricky with security because it redirects and you don't see what *really* happened before the redirect. This might help that.

Phew! Hopefully that gives you something to at least start on :).

Cheers and stay dry ;)

Okay... so I have a unique issue with the `access_control` still. However, this issue only exists in production. We are unsure how to figure out what's the cause. Any pointers?

Very similar to this comment: https://knpuniversity.com/s... we have a final access_control that basically requires everyone to be logged in. We are trying to set that to an even "higher" role of an Admin as we are only releasing a portion of our functionality, and instead of making a bunch of code changes just wanted to catch everything here, and this would also allow `admins` of a particular level to be able to still see and test the new functionality before we enable it for the "lesser" users. Our `access_control` works in `dev` mode (app_dev.php). However, no amount of cache clearing `rm -rf` seems to make this work in production.

Would love some ideas/thoughts on this!

Thanks!
Jarvis

Hey Ruslan!

Good find! This was an oversight on my part honestly. I also implement CSRF protection (not using forms) here: https://knpuniversity.com/s... (that page isn't released at *this* moment, but will be in a week or so!)

Cheers!

Ok, I think I've found how to make csrf check working. Here is the one of Ryan's commits where he implements csrt check: https://github.com/knpunive...

It's strange, but if I change csrf token using developer tools in Chrome, so that it normally should not be valid, I still will be logged in. But if I look into symfony profiler under the tab 'Forms', there will be an error message 'The CSRF token is invalid. Please try to resubmit the form.'

So it looks like Guard detects that csrf token is wrong, but doesn't do anything.

I've tried to add to LoginForm.php following lines, but can't resolve this issue:

public function configureOptions(OptionsResolver $resolver)
{
$resolver->setDefaults(array(
'csrf_protection' => true
));
}

Hey Joe,

Hm, I see. I think somehow your default user equality test is failed. It's difficult to say why this happens, probably you have some problems with serialization/unserialization, but I'm not sure about it. Or maybe the object is modified during the runtime, probably by some event listeners, etc. and that's why default equality test failed. Anyway, with EquatableInterface you override the default implementation of users equality test.

Cheers!

Hi, Victor!

I have - { path: ^/, roles: ROLE_USER } in security.yml under access_control, despite the fact that it still does not work :(

I was able to fix it by implementing the Entity class (User) with EquatableInferface (class User implements UserInterface, EquatableInterface) and adding the following method:

...
public function isEqualTo(UserInterface $user)
{
return $this->id === $user->getId();
}

Any idea as to why this is happening?

Thanks!

Hey Joe,

Most of the time it's due to a misconfiguration of your firewall, ensure you have a firewall which applies for all your pages, i.e. which has "pattern: ^/".

Cheers!

Problem solved with EquatableInterface :)

Cheers

I have successfully login, but in the tool bar below, in the user section, it says "Authentication: No". Any help?