I am making a site with Symfony3, and some pages are expected to be behind the firewall. For user management I am using FOSUserBundle ~2.0@dev.
Logging in and out works (so it seems to me that FOSUserBundle is configured correctly).
I am expecting the login form to be shown if a page is firewalled.
BUT these URLs do not respect the firewall and display their content to anonymous users...
Here is my security.yml configuration:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|img|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
            logout:
                path: fos_user_security_logout
                target: goods_list_exclusive
            logout: true
            anonymous: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/click_list, role: ROLE_ADMIN }
        - { path: ^/admin/import_tev, role: ROLE_ADMIN }
        - { path: ^/admin/delete_tev, role: ROLE_ADMIN }
        - { path: ^/admin/, role: ROLE_ADMIN }
Here is my routing:
app:
    resource: "@AppBundle/Controller/"
    type: annotation

# redirecting home
homepage:
    path: /
    defaults:
        _controller: FrameworkBundle:Redirect:redirect
        route: goods_list_exclusive
        permanent: true

# redirecting home
homepage_lv:
    path: /lv/
    defaults:
        _controller: FrameworkBundle:Redirect:redirect
        route: goods_list_exclusive
        permanent: true

# redirecting home
homepage_en:
    path: /en/
    defaults:
        _controller: FrameworkBundle:Redirect:redirect
        route: goods_list_exclusive
        permanent: true

# redirecting home
homepage_ru:
    path: /ru/
    defaults:
        _controller: FrameworkBundle:Redirect:redirect
        route: goods_list_exclusive
        permanent: true

goods_list_exclusive:
    path: /{_locale}/goods-list-exclusive
    defaults: { _controller: AppBundle:Goods:goodsListExclusive }
    requirements:
        _locale: lv|en|ru

goods_list_new:
    path: /{_locale}/goods-list-new
    defaults: { _controller: AppBundle:Goods:goodsListNew }
    requirements:
        _locale: lv|en|ru

goods_show:
    path: /{_locale}/goods-show/{id}
    defaults: { _controller: AppBundle:Goods:goodsShow }
    requirements:
        _locale: lv|en|ru

goods_external_link:
    path: /{_locale}/goods-external-link/{id}
    defaults: { _controller: AppBundle:Goods:goodsExternalLink }
    requirements:
        _locale: lv|en|ru

admin_import_tev:
    path: /{_locale}/admin/import-tev
    defaults: { _controller: AppBundle:Import:importTev }
    requirements:
        _locale: lv|en|ru

admin_delete_tev:
    path: /{_locale}/admin/delete-tev
    defaults: { _controller: AppBundle:Delete:deleteTev }
    requirements:
        _locale: lv|en|ru

admin_click_list:
    path: /{_locale}/admin/click-list
    defaults: { _controller: AppBundle:Click:clickList }
    requirements:
        _locale: lv|en|ru

admin:
    path: /{_locale}/admin
    defaults: { _controller: AppBundle:Default:admin }
    requirements:
        _locale: lv|en|ru

fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/all.xml"
    prefix: /{_locale}
Thank you for your time.
The patterns in your access control rules that restrict access for anonymous users all start with /admin, while the URL path starts with the locale. Thus you should update the patterns to match the actual path. For example, you can have something like this (it assumes that there is always a two-letter locale, but you can adapt it to your needs):
access_control:
    # ...
    - { path: '^/[a-z]{2}/admin/click_list', role: ROLE_ADMIN }
    - { path: '^/[a-z]{2}/admin/import_tev', role: ROLE_ADMIN }
    - { path: '^/[a-z]{2}/admin/delete_tev', role: ROLE_ADMIN }
    - { path: '^/[a-z]{2}/admin/', role: ROLE_ADMIN }
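As an added check that is not part of either post, the following Python script replays Symfony's first-match access_control evaluation over the route paths from the question (with the lv locale filled in) against both the original rules and the rules proposed in the answer. The matcher is a constructed simplification of Symfony's RequestMatcher, not Symfony code: it uses re.search because Symfony tests each pattern with an unanchored preg_match on the request path.

```python
import re

# Route paths from the question's routing.yml with the lv locale filled in
# (constructed list for this check; the fos_user routes are omitted).
ROUTE_PATHS = [
    "/lv/goods-list-exclusive",
    "/lv/admin/import-tev",
    "/lv/admin/delete-tev",
    "/lv/admin/click-list",
    "/lv/admin",
]

# access_control as posted in the question.
ORIGINAL_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/click_list", "ROLE_ADMIN"),
    (r"^/admin/import_tev", "ROLE_ADMIN"),
    (r"^/admin/delete_tev", "ROLE_ADMIN"),
    (r"^/admin/", "ROLE_ADMIN"),
]

# The admin rules proposed in the answer; the anonymous rules stay as they were.
FIXED_RULES = ORIGINAL_RULES[:3] + [
    (r"^/[a-z]{2}/admin/click_list", "ROLE_ADMIN"),
    (r"^/[a-z]{2}/admin/import_tev", "ROLE_ADMIN"),
    (r"^/[a-z]{2}/admin/delete_tev", "ROLE_ADMIN"),
    (r"^/[a-z]{2}/admin/", "ROLE_ADMIN"),
]

def required_role(path, rules):
    """First matching rule wins, as in Symfony's access map. Symfony tests the
    pattern with an unanchored preg_match on the path; re.search mirrors that,
    so only a leading '^' pins a rule to the start of the path."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None  # no rule matched: anonymous: true lets the request through

def unprotected_admin_paths(paths, rules):
    """Admin route paths that no rule restricts to ROLE_ADMIN."""
    return [p for p in paths
            if "/admin" in p and required_role(p, rules) != "ROLE_ADMIN"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, "rules leave unprotected:", unprotected_admin_paths(ROUTE_PATHS, rules))
```

The bare /{_locale}/admin route has no trailing slash, so a pattern ending in admin/ does not cover it; running this check after each change to the rule list shows such gaps, which a pattern like ^/[a-z]{2}/admin(/|$) would close.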