Reset register and form are always available

I noticed today that I can always access the register and reset form regardless of whether I am authenticated or not.

Here is my security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                delete_cookies:
                    activeGame: {}
            anonymous:    true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }

With respect to http://symfony.com/doc/current/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources, it seems "normal" to be able to access these pages.

But how can I "easily" disable it for the authenticated user or am I missing something?

Thanks in advance!

1 answer


You can accomplish what you are looking for using the new allow_if expression for access controls.

- { path: ^/register, allow_if: "not is_authenticated()" }

Another way:

- { path: ^/register, allow_if: "user == 'anon'" }

I have not fully tested this, but it should allow users who are not fully authenticated or authenticated via remember-me to access this path.



Here's a little about security

Here are some of the variables and functions available in expressions

Then, here is some information on expressions you can use in allow_if

If, however, you don't want to throw a 403 Access Denied exception when logged-in users try to use these pages, but instead want to redirect them elsewhere, then you can add validation to the appropriate controller actions. Something like:

public function registerAction()
{
    // IS_AUTHENTICATED_REMEMBERED holds for fully authenticated and remember-me users alike,
    // so only anonymous visitors fall through to the registration form
    if (true === $this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
        return $this->redirect($this->generateUrl('some_route_to_send_them_to'));
    }

    // ...
}

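Going one step beyond the per-action check in the answer, here is an added example (not code from the question, the answer or FOSUserBundle) that applies the same IS_AUTHENTICATED_REMEMBERED test once, in a kernel.request listener, for every page under the /register and /resetting prefixes from the access_control above. It assumes Symfony 2.x with the security.context service used in the answer; the Acme\UserBundle namespace and the 'homepage' route name are placeholders.

```php
<?php
namespace Acme\UserBundle\EventListener;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class AuthenticatedUserRedirectListener
{
    // Path prefixes meant for anonymous visitors only; mirrors the access_control entries above
    private static $anonymousOnlyPrefixes = array('/register', '/resetting');
    private $securityContext;
    private $router;

    public function __construct(SecurityContextInterface $securityContext, RouterInterface $router)
    {
        $this->securityContext = $securityContext;
        $this->router = $router;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Act on the master request only, not on forwards or ESI sub-requests
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }
        $path = $event->getRequest()->getPathInfo();
        // No token means no firewall decided anything yet (e.g. security: false), so do nothing
        if (!self::isAnonymousOnlyPath($path) || null === $this->securityContext->getToken()) {
            return;
        }
        // Fully authenticated and remember-me users are sent away; anonymous users keep the form
        if ($this->securityContext->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            $url = $this->router->generate('homepage'); // hypothetical route name
            $event->setResponse(new RedirectResponse($url));
        }
    }

    // True when the request path starts with one of the anonymous-only prefixes
    public static function isAnonymousOnlyPath($path)
    {
        foreach (self::$anonymousOnlyPrefixes as $prefix) {
            if (0 === strpos($path, $prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

Register the class as a service with the security.context and router services as arguments and tag it with kernel.event_listener for the kernel.request event; the access_control rules stay as they are, since the listener only adds the redirect on top of them.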