I have spent days trying to make this work and I can't, so as a last resort I hope someone can help me here. The point is that my application, like every application, has a frontend, which should be accessible to any user registered in the system except those that have, so far, the role ROLE_ADMIN, and a backend, which on the contrary should be accessible only to users with ROLE_ADMIN; normal users who have no roles or have the default role ROLE_USER should not be able to log in there either.

The problem I have is that, regardless, if I sign in with any normal user without permission for the admin area (lacking ROLE_ADMIN) and access the URL app.php/admin, they can enter without any problem, which is completely wrong. On the other hand, if I try to log on to the frontend with any user with ROLE_ADMIN, I can do it without any problem, and this should not happen.

This is my security.yml configuration:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /login
                check_path: /login_check
                default_target_path: home
                always_use_default_target_path: true
                use_referer: true
            logout:
                path: fos_user_security_logout
                target: /
                invalidate_session: true
            anonymous: ~

    access_control:
        # Anonymous area
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/isLoggedIn$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/cedula, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rif, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/usuario, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/razon_social, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro_mercantil, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/padre, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo_alternativo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/paises, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/estados, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ciudades, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/municipios, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/parroquias, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/empresas, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Secured area
        - { path: ^/, role: ROLE_USER }
        - { path: ^/admin, role: ROLE_ADMIN }
What am I doing wrong? Can anyone give me any suggestions? I have read the docs from top to bottom several times but still don't get what I'm doing wrong.
Access control works very similarly to routing: the first match is the one executed. This means that requests for /admin will be matched with:

        - { path: ^/, role: ROLE_USER }
You should put your /admin rule first. Also, I find it much better practice to secure the controllers whenever you can (which avoids common problems like these): http://symfony.com/doc/current/book/security.html#securing-controllers-and-other-code
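To make the first-match behaviour concrete, here is a small added Python model of how Symfony evaluates access_control; it is not Symfony's code and not part of the question or answer. It reproduces the relevant rules from the question's security.yml in their original order and in the reordered form the answer recommends, and evaluates a few constructed requests against each. Like Symfony's request matcher, each rule's path is treated as an unanchored regular expression (the leading ^ in the rules is what anchors them), and the roles assigned to the sample users are assumptions (FOSUserBundle gives every user ROLE_USER, so the admin here carries both roles).

```python
import re

# Subset of the question's access_control, in the order it was posted.
# Only the order matters for the point being shown; the many anonymous
# registration rules behave the same way and are omitted for brevity.
ORIGINAL_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "ROLE_USER"),        # catch-all comes first ...
    (r"^/admin", "ROLE_ADMIN"),  # ... so this rule can never be reached
]

# Same rules, with the specific /admin rule moved before the catch-all.
FIXED_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin", "ROLE_ADMIN"),
    (r"^/", "ROLE_USER"),
]


def required_role(rules, path):
    """Return the role demanded by the FIRST rule whose pattern matches.

    Symfony stops at the first matching access_control entry; later entries
    are never consulted for that request.  re.search mirrors preg_match:
    the pattern is not anchored unless it contains ^ itself.
    """
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None  # no rule matched: access_control imposes no requirement


def is_granted(user_roles, role):
    """Minimal role check: anonymous access always passes, otherwise the
    user must hold the role literally (no role hierarchy modelled here)."""
    if role == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    return role in user_roles


def allowed(rules, user_roles, path):
    """Would a user holding user_roles reach `path` under these rules?"""
    role = required_role(rules, path)
    return role is None or is_granted(user_roles, role)


# Constructed sample users; role sets are assumptions for the demo.
NORMAL_USER = {"ROLE_USER"}
ADMIN_USER = {"ROLE_USER", "ROLE_ADMIN"}
ANONYMOUS = set()


def main():
    for name, rules in (("original order", ORIGINAL_RULES),
                        ("reordered", FIXED_RULES)):
        print(f"--- {name} ---")
        for path in ("/login", "/home", "/admin", "/admin/users"):
            print(f"{path:13s} requires {required_role(rules, path)!s:30s}"
                  f" normal user: {allowed(rules, NORMAL_USER, path)}"
                  f"  admin: {allowed(rules, ADMIN_USER, path)}")


if __name__ == "__main__":
    main()
```

With the original order, /admin is resolved by the ^/ rule and therefore only requires ROLE_USER, which is exactly the symptom described in the question; once the ^/admin rule precedes ^/, a user with only ROLE_USER is denied there while the admin is still let through.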