Tags: symfony, fosuserbundle, symfony-2.5

Register and Reset form always available


Today I have noticed I can always access the register and reset forms regardless of whether I am authenticated or not.

Here is my security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:
                delete_cookies:
                    activeGame: {}
            anonymous:    true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }

Regarding http://symfony.com/doc/current/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources it seems "normal" to be able to access these pages.

But how can I "easily" disable it for authenticated users, or did I miss anything?

Thanks in advance!


Solution

  • You may be able to accomplish what you are looking for by using the newly introduced allow_if expression for access controls.

    - { path: ^/register, allow_if: "not is_authenticated()" }
    

    Another way may be:

    - { path: ^/register, allow_if: "user == 'anon'" }
    

    I haven't fully tested this, but it should only allow users who are not authenticated fully or authenticated remembered to access that path.

    Here is a little bit about the security

    Here are some of the variable and functions available in expressions

    Then here is some info on the Expressions you can use in allow_if

    If, however, you do not want to throw a 403 Access Denied exception when logged-in users try to access those pages, and would instead like to redirect them elsewhere, then you can add a check to their respective controller actions. Something like:

    public function registerAction()
    {
        if (true === $this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            return $this->redirect($this->generateUrl('some_route_to_send_them_to'));
        }
    
        // ...
    }
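The same redirect, applied once for every anonymous-only path instead of being repeated in each controller action, as an added example that is not part of the original answer or of FOSUserBundle. It assumes a Symfony 2.5 kernel.request listener registered as a service with `@security.context` and `@router` as arguments and the tag `{ name: kernel.event_listener, event: kernel.request, method: onKernelRequest }`; the route name `some_route_to_send_them_to` is the same placeholder the answer uses.

```php
<?php
// Added example: redirect already-authenticated users away from /register and
// /resetting in one place. Registered with default priority 0, it runs after the
// security firewall listener (priority 8), so the token is already populated.
namespace Acme\UserBundle\EventListener;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class AuthenticatedUserRedirectListener
{
    private $securityContext;
    private $router;

    // Same path prefixes as the IS_AUTHENTICATED_ANONYMOUSLY rules in security.yml
    private $anonymousOnlyPattern = '#^/(register|resetting)(/|$)#';

    public function __construct(SecurityContextInterface $securityContext, RouterInterface $router)
    {
        $this->securityContext = $securityContext;
        $this->router = $router;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Forwards and ESI sub-requests are not user navigation; check the master request only
        if (!$event->isMasterRequest()) {
            return;
        }

        if (!preg_match($this->anonymousOnlyPattern, $event->getRequest()->getPathInfo())) {
            return;
        }

        // isGranted() throws if no token exists yet (e.g. a path outside every firewall)
        if (null === $this->securityContext->getToken()) {
            return;
        }

        // IS_AUTHENTICATED_REMEMBERED covers both fully and remember-me authenticated users
        if ($this->securityContext->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            $target = $this->router->generate('some_route_to_send_them_to'); // placeholder route
            $event->setResponse(new RedirectResponse($target));
        }
    }
}
```

Unlike the allow_if rules, this keeps the access_control entries unchanged and only alters what an authenticated user sees, so anonymous access to the forms behaves exactly as before.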