Debugging Symfony 3.4 live - 403 page, possible User Roles issue


I am getting a 403 error when clicking on a link to the /admin/stats page when logged in with User Role: ROLE_EXPL, which should have access to the page. It works fine for ROLE_ADMIN, which also has access to this page.

Looking at the code, there are three user roles, and the link to the page in question, /admin/stats, is not displayed on the menu for the user role ROLE_PASS but is for the others. However, this link gives a 403 error for ROLE_EXPL but works fine for ROLE_ADMIN.

Can anyone advise on where to start with debugging this?

Code: security.yaml

security:

    encoders:
        AppBundle\Entity\Pass:
            algorithm: bcrypt

    providers:
        pass_provider:
            entity:
                class: AppBundle:Pass
                property: username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            anonymous: ~
            provider: pass_provider
            switch_user: true
            form_login:
                login_path: login
                check_path: login
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path:   /logout
                target: /login
            logout_on_user_change: true
            remember_me:
                secret:   '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /home

    role_hierarchy:
        ROLE_PASS:           ROLE_USER
        ROLE_EXPL:           ROLE_USER
        ROLE_ADMIN:          ROLE_USER

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
       

Required outcome:

ROLE_EXPL Should have access to the page /admin/stats


Solution

  • I needed to add an extra line or "security pattern" to the security.yaml file for the /admin/stats URL.

    As Nico pointed out, only users with the role ROLE_ADMIN had access to the paths starting with /admin.

    I therefore added the line below beneath the ^/admin path, but this did not work. I moved it above that path and it worked, but then it broke the page for the other user; therefore the order of the security patterns is very important.

    { path: ^/admin/stats, roles: ROLE_EXPL, requires_channel: '%https%' }


    I found out you can add multiple roles and this worked:

     access_control:
            - { path: ^/admin/stats, roles: [ROLE_EXPL,ROLE_ADMIN], requires_channel: '%https%' }
            - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
            - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
            - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
            - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
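
To make the ordering behaviour concrete, the following is an added example of my own (a small Python model, not Symfony's code and not part of the post above). It reproduces the two rules that matter here: Symfony stops at the first access_control entry whose path regex matches the request path, and when an entry lists several roles the user needs only one of them. The role hierarchy and the paths are taken from the security.yaml in the question; the matcher is simplified and ignores host, methods, IP and requires_channel, which is an assumption that holds for the scenario discussed.

```python
import re

# Role hierarchy copied from the page's security.yaml (parent -> roles it inherits).
ROLE_HIERARCHY = {
    "ROLE_PASS": ["ROLE_USER"],
    "ROLE_EXPL": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_USER"],
}

# Constructed access_control tables, each mirroring one attempt described in the solution.
# Attempt 1: the new ^/admin/stats line placed BELOW ^/admin (never reached for /admin/stats).
BROKEN_ACCESS_CONTROL = [
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/admin/stats", "roles": "ROLE_EXPL"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
]
# Attempt 2: line moved ABOVE ^/admin but granting only ROLE_EXPL (locks ROLE_ADMIN out).
EXPL_ONLY_ACCESS_CONTROL = [
    {"path": "^/admin/stats", "roles": "ROLE_EXPL"},
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
]
# Attempt 3 (the working one): more specific path first, with both roles listed.
FIXED_ACCESS_CONTROL = [
    {"path": "^/admin/stats", "roles": ["ROLE_EXPL", "ROLE_ADMIN"]},
    {"path": "^/admin", "roles": "ROLE_ADMIN"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
]


def reachable_roles(user_roles, hierarchy=ROLE_HIERARCHY):
    """Expand the user's roles through the hierarchy (transitive closure),
    the way Symfony's RoleHierarchy does before a role check."""
    reachable = set(user_roles)
    pending = list(user_roles)
    while pending:
        role = pending.pop()
        for inherited in hierarchy.get(role, []):
            if inherited not in reachable:
                reachable.add(inherited)
                pending.append(inherited)
    return reachable


def first_matching_rule(path, access_control):
    """Symfony evaluates access_control top to bottom and uses the FIRST entry
    whose path regex matches; later, more specific entries are never consulted."""
    for rule in access_control:
        if re.search(rule["path"], path):
            return rule
    return None


def is_granted(path, user_roles, access_control):
    """Return True if a user holding user_roles may reach path under access_control."""
    rule = first_matching_rule(path, access_control)
    if rule is None:
        return True  # no entry matches: access_control imposes no restriction here
    required = rule["roles"]
    if isinstance(required, str):
        required = [required]
    if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return True
    # A list of roles is an OR: holding any one of them is enough.
    return any(role in reachable_roles(user_roles) for role in required)


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ACCESS_CONTROL),
                        ("expl-only", EXPL_ONLY_ACCESS_CONTROL),
                        ("fixed", FIXED_ACCESS_CONTROL)):
        for role in ("ROLE_PASS", "ROLE_EXPL", "ROLE_ADMIN"):
            print(f"{name:9s} {role:10s} /admin/stats -> {is_granted('/admin/stats', [role], table)}")
```

Running the model shows why the 403 appeared: with ^/admin listed first, /admin/stats is captured by that entry and the ROLE_EXPL line is dead configuration. The model also makes a useful check explicit: once the specific rule sits above ^/admin, ROLE_EXPL still cannot reach any other /admin path, and ROLE_PASS, which only inherits ROLE_USER, is refused everywhere under /admin.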