Symfony2 Firewall: security / web folder
I am developing an SF2 web application that is completely behind a firewall: no one has to see or change anything before logging in (other than the login form, of course).
So here is the firewall portion of my security.yml file:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern: ^/login$
        anonymous: true
    main:
        pattern: ^/
        anonymous: false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path: fos_user_security_logout
            target: /
This works great: if I type the URL http://mywebsite.com/app.php/article/show/1 and am not logged in, I am redirected to the login page.
My problem is that I have multiple documents and media located in the Symfony web directory (for example myapp/web/document/myTextFile.txt). They are available through my application for registered users, but also for unregistered users!
Anyone who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file ...
Why doesn't the pattern: ^/ string interfere with this? Is the web folder excluded by default because it contains app.php, the js/ folder and the css/ folder?
How can I protect my documents?
Update: displaying protected images
I tried the solution Jerry suggested, it works great to secure the download of my documents.
However, I also have photos in my document folder, and I would like to display these images directly embedded in the respective pages.
For example, at http://mywebsite.com/app.php/article/show/1 there will be text and an image myapp/app/Resources/document/AAA.jpg, at http://mywebsite.com/app.php/article/show/2 there will be text and an image myapp/app/Resources/document/BBB.jpg, etc.
I tried to do this with Assetic, but it seems like this is meant for "static" images (like the top logo or images that are not object dependent).
The solution I see is to convert the image to Base64 and include it like this: <img alt="" src="data:image/png;base64,(...)" />
but that seems really ugly ...
The web directory is your public root directory served by the web server (Apache / Nginx / ...).
By default, any request for an existing file is served by the web server directly and never reaches Symfony, so no firewall setting will prevent access to files located in the web root directory.
A clean solution is to move these files to a different directory outside the web root, for example app/Resources/uploads. Then you can write a Symfony controller to load those files.
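The controller the answer describes, as an added example that is not code from the question or the answer: it serves files from a directory outside web/ through app.php, so the main firewall applies, and it validates the requested name so the URL cannot escape that directory. DocumentController, the /document/{name} route and app/Resources/uploads are assumed names.

```php
<?php
// Added example, not code from the question or the answer: a Symfony 2 controller
// that serves files kept outside the web root, so every request passes app.php and
// the "main" firewall. DocumentController, the route and app/Resources/uploads are
// assumed names.
namespace Acme\DocumentBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class DocumentController extends Controller
{
    // Mapped to /document/{name}, e.g. /app.php/document/AAA.jpg
    public function showAction($name)
    {
        // The ^/ firewall already requires a login; checking again in the controller
        // keeps the files protected even if the firewall config is loosened later.
        if (!$this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            throw new AccessDeniedHttpException();
        }

        // Accept only a bare file name (letters, digits, dot, dash, underscore),
        // which rules out "../" style path traversal in the URL.
        if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
            throw new NotFoundHttpException();
        }

        // Storage directory outside web/; realpath() resolves symlinks so the
        // final path can be verified to lie inside the directory.
        $dir  = realpath($this->get('kernel')->getRootDir() . '/Resources/uploads');
        $path = realpath($dir . '/' . $name);
        if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
            throw new NotFoundHttpException();
        }

        // BinaryFileResponse streams the file and guesses its Content-Type (image/jpeg,
        // text/plain, ...), so an <img src="..."> pointing at this route renders inline.
        $response = new BinaryFileResponse($path);
        $inline   = (bool) preg_match('/\.(jpe?g|png|gif)$/i', $name);
        $response->setContentDisposition(
            $inline ? ResponseHeaderBag::DISPOSITION_INLINE : ResponseHeaderBag::DISPOSITION_ATTACHMENT,
            $name
        );

        return $response;
    }
}
```

Map the action to /document/{name} in routing.yml and reference it from Twig with <img src="{{ path('document_show', {'name': 'AAA.jpg'}) }}">; because the URL goes through app.php rather than to a file under web/, the main firewall redirects unauthenticated users to the login form for images as well as documents.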