Reset register and form are always available
I noticed today that I can always access the register and reset form regardless of whether I am authenticated or not.
Here is my security.yml:
```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                delete_cookies:
                    activeGame: {}
            anonymous: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
```
With respect to http://symfony.com/doc/current/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources, it seems "normal" to be able to access these pages.
But how can I "easily" disable it for the authenticated user or am I missing something?
Thanks in advance!
You can accomplish what you are looking for using the new allow_if expression for access controls.
```yaml
- { path: ^/register, allow_if: "not is_authenticated()" }
```
Another way:
```yaml
# Symfony's AnonymousToken reports its user as the string 'anon.' (with the trailing dot)
- { path: ^/register, allow_if: "user == 'anon.'" }
```
I have not fully tested this, but it should allow users who are not fully authenticated or authenticated-remembered to access this path.
Here's a little about security
Here are some of the variables and functions available in expressions
Then, here is some information on expressions you can use in allow_if.
If, however, you don't want to throw a 403 Access Denied exception when logged-in users try to use these pages, and would rather redirect them elsewhere, you can add a check to the appropriate controller actions. Something like:
```php
public function registerAction()
{
    // IS_AUTHENTICATED_REMEMBERED is true for any logged-in user, whether the
    // session came from a fresh login or from a remember-me cookie.
    if (true === $this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
        // Logged-in users have no business on the registration page:
        // redirect them instead of letting access_control answer with a 403.
        return $this->redirect($this->generateUrl('some_route_to_send_them_to'));
    }

    // ... normal registration handling for anonymous visitors
}
```
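As an added example (not part of the question or the answer above), here is the question's access_control section rewritten with the allow_if approach. It assumes Symfony 2.4 or later, where allow_if and the expression functions is_anonymous(), is_authenticated() and is_fully_authenticated() are available; the original rules are left in as comments beside their replacements.

```yaml
security:
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            # Anonymous requests are admitted to the firewall; the gating is
            # done entirely by access_control below.
            anonymous: true

    access_control:
        # Rules are evaluated top to bottom and the FIRST matching path wins,
        # so specific paths must be listed before any broader rule.

        # Leave the login form reachable by everyone. Denying a remember-me
        # user here is a trap: Symfony redirects a not-fully-authenticated
        # user who is refused access back to the login entry point, which
        # would be refused again, giving a redirect loop.
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Original: IS_AUTHENTICATED_ANONYMOUSLY only says anonymous users may
        # enter; it never excludes logged-in users.
        # - { path: ^/register,  role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        #
        # Corrected: refuse anyone holding a real token, remember-me included.
        # A fully authenticated user gets a 403; a remember-me user is sent to
        # the login form to re-authenticate.
        - { path: ^/register,  allow_if: "not is_authenticated()" }
        - { path: ^/resetting, allow_if: "not is_authenticated()" }

        # Admin area unchanged from the question.
        - { path: ^/admin/, role: ROLE_ADMIN }
```

The two corrected rules are where the behaviour the question complains about actually changes. Everything else is kept as in the original so that public pages stay public; if an access_control entry for ^/ were added, it would have to go last, after every specific path.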