I am getting a 403 error when clicking on a link to the /admin/stats page when logged in with the user role ROLE_EXPL, which should have access to the page. It works fine for ROLE_ADMIN, which also has access to this page.
Looking at the code, there are three user roles, and the link to the page in question, /admin/stats, is not displayed on the menu for the user role ROLE_PASS but is for the others. However, this link gives a 403 error for ROLE_EXPL but works fine for ROLE_ADMIN.
Can anyone advise on where to start with debugging this?
Code: security.yaml
security:
    encoders:
        AppBundle\Entity\Pass:
            algorithm: bcrypt

    providers:
        pass_provider:
            entity:
                class: AppBundle:Pass
                property: username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            anonymous: ~
            provider: pass_provider
            switch_user: true
            form_login:
                login_path: login
                check_path: login
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path: /logout
                target: /login
            logout_on_user_change: true
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path: /home

    role_hierarchy:
        ROLE_PASS: ROLE_USER
        ROLE_EXPL: ROLE_USER
        ROLE_ADMIN: ROLE_USER

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
Required outcome:
ROLE_EXPL Should have access to the page /admin/stats
I needed to add an extra line, or "security pattern", to the security.yaml file for the /admin/stats URL.
As Nico pointed out, only users with the role ROLE_ADMIN had access to the paths starting with /admin.
I therefore added the line below underneath the ^/admin path, but this did not work. I moved it above that path and it worked, but then it broke the page for the other user, so the order of the security patterns is very important:
        - { path: ^/admin/stats, roles: ROLE_EXPL, requires_channel: '%https%' }
I found out you can add multiple roles, and this worked:
    access_control:
        - { path: ^/admin/stats, roles: [ROLE_EXPL, ROLE_ADMIN], requires_channel: '%https%' }
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
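The behaviour the answer describes (a rule placed below `^/admin` never fires, a rule above it with only ROLE_EXPL locks out ROLE_ADMIN, and the two-role rule fixes both) follows from one property of Symfony's `access_control`: the first rule whose `path` regex matches the request decides, and later rules are not consulted. The following is an added example, not code from the question, the answer or Symfony itself. It is a small Python simulation of that first-match evaluation together with the page's `role_hierarchy`, run over the four rule orderings the thread discusses. Assumptions: the rule lists and the `reachable_roles` / `is_granted` helpers are constructed here for illustration; `IS_AUTHENTICATED_ANONYMOUSLY` is modelled simply as "always allowed"; and, as in Symfony, the path regex is unanchored at the end, so `^/admin/stats` also matches `/admin/stats_export`, which the last rule list (`TIGHTENED`, an assumption of this example) closes with a `$` anchor.

```python
import re

# Role hierarchy copied from the question's security.yaml.
ROLE_HIERARCHY = {
    "ROLE_PASS": ["ROLE_USER"],
    "ROLE_EXPL": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_USER"],
}


def reachable_roles(roles, hierarchy=ROLE_HIERARCHY):
    """Expand the user's roles through the hierarchy (ROLE_ADMIN -> ROLE_USER).
    Note that nothing here makes ROLE_ADMIN inherit ROLE_EXPL."""
    seen = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, []))
    return seen


def is_granted(path, user_roles, access_control):
    """Simulate Symfony access_control: the FIRST rule whose path regex matches
    wins and later rules are ignored. Returns True/False for a matched rule,
    or None when no rule matches (access_control imposes no constraint)."""
    effective = reachable_roles(user_roles)
    for rule in access_control:
        if re.search(rule["path"], path):      # unanchored search, like Symfony
            required = rule["roles"]
            if isinstance(required, str):
                required = [required]
            if "IS_AUTHENTICATED_ANONYMOUSLY" in required:   # modelled as "anyone"
                return True
            return any(r in effective for r in required)
    return None


# Constructed rule lists mirroring the thread (requires_channel omitted; it does
# not affect the role decision).
ORIGINAL = [
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
]
STATS_RULE_BELOW = [                       # the answer's first attempt: never reached
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/admin/stats", "roles": "ROLE_EXPL"},
]
STATS_RULE_ABOVE_EXPL_ONLY = [             # second attempt: breaks ROLE_ADMIN
    {"path": "^/admin/stats", "roles": "ROLE_EXPL"},
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
]
FIXED = [                                  # the answer's working configuration
    {"path": "^/admin/stats", "roles": ["ROLE_EXPL", "ROLE_ADMIN"]},
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
]
TIGHTENED = [                              # assumption: anchor so only /admin/stats itself is opened up
    {"path": "^/admin/stats$", "roles": ["ROLE_EXPL", "ROLE_ADMIN"]},
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
]


def stats_outcomes(access_control, path="/admin/stats"):
    """Decision for each of the three roles on the given path under a rule list."""
    return {role: is_granted(path, [role], access_control)
            for role in ("ROLE_PASS", "ROLE_EXPL", "ROLE_ADMIN")}


if __name__ == "__main__":
    for name, rules in [("ORIGINAL", ORIGINAL), ("STATS_RULE_BELOW", STATS_RULE_BELOW),
                        ("STATS_RULE_ABOVE_EXPL_ONLY", STATS_RULE_ABOVE_EXPL_ONLY),
                        ("FIXED", FIXED), ("TIGHTENED", TIGHTENED)]:
        print(f"{name:28s} /admin/stats -> {stats_outcomes(rules)}")
    print("FIXED     /admin/stats_export as ROLE_EXPL ->",
          is_granted("/admin/stats_export", ["ROLE_EXPL"], FIXED))
    print("TIGHTENED /admin/stats_export as ROLE_EXPL ->",
          is_granted("/admin/stats_export", ["ROLE_EXPL"], TIGHTENED))
```

The practical check this gives you: when a prefix such as `^/admin` is already locked to one role, any more specific rule must be listed above it and must name every role that should still get through, because the specific rule replaces, rather than adds to, the general one. Also decide deliberately whether the more specific regex should be anchored, since an unanchored `^/admin/stats` opens every admin path that begins with that string.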