Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Symfony access control with variable inside route

Tags:

php

symfony

symfony-security

I'm defining security for my website in security.yml

    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ad/new, role: ROLE_USER  }
    - { path: ^/myAds, role: ROLE_USER  }
    - { path: ^/payments, role: ROLE_USER  }
    - { path: ^/pay, role: ROLE_USER  }

But I'm not sure how such a route would be added here:

mybundle_contact_advertiser:
   path:    /ad/{id}/contact
   defaults:   { _controller: MyBundle:Default:contactAdvertiser,id:null}

How is the id defined, considering I can't do it like so:

    - { path: ^/ad, role: ROLE_USER  }

As a route like 

mybundle_ad:
    path:      /ad/{id}
    defaults:  { _controller: MyBundle:Default:viewAd ,id:null}

Would not work for unregistered users.

like image 392
George Irimiciuc Avatar asked Dec 11 '22 18:12

George Irimiciuc

2 Answers

All answers from @turdaliev-nursultan work.

But if you know that the {id} parameter will always be an integer, there's an additional possible answer.

You can edit the security.yml file and add the following rule to the access_control list :

- { path: ^/ad/[0-9]+/contact$, role: ROLE_USER }

The [0-9]+ part means any string made of one or more digits from 0 to 9.

Keep also in mind that using any url like http://example.com/ad/foo/contact, where the parameter is not an existing id, will lead to an http 404 error.

like image 200
Daishi Avatar answered Dec 17 '22 05:12

Daishi

I have two solutions for you.

First, add prefix to routes which need authentication and authorization. Then simply add that that prefix to your security.yml file. This way you do not need to add all routes manually.

Second, change your route to:

mybundle_contact_advertiser:
   path:    /ad/contact/{id}
   defaults:   { _controller: MyBundle:Default:contactAdvertiser}

Then add the following to your security.yml file:

- { path: ^/ad/contact/, role: ROLE_USER  }

But, if you do not want to change the route then check authorization inside your action

 $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

Or

if (!$this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) {
    throw $this->createAccessDeniedException();
}

Last but not least, you can use @Security annotation to secure your actions.

/**
 * @Security("has_role('ROLE_USER')")
 */
like image 26
Turdaliev Nursultan Avatar answered Dec 17 '22 06:12

Turdaliev Nursultan
Sign in to Comment

Related questions

Cannot access Eloquent attributes on Twig
Symfony form collection not saving reference
Laravel 5 Middleware "Owner"?
PHP: How to store session in cookie
Generating and downloading an excel file generates a ERR_INVALID_RESPONSE
How to sanitize a string without losing HTML and removing JS /SQL
PHP - Add null character to string
Split string on spaces except words in quotes
How to pass variable to @extends blade
How to find out the version number in cakephp v3.0?
Laravel - How to register custom broadcaster
Retrieving Google Search Analytics by "google-api-php-client" library
how to make a php function loop every 5 seconds
pagination buttons limits in yii2
Could not open input file: app/console (Symfony 2)
PHP: Convert epoch to MySQL DateTime format
CHange php 5.4 to 5.5 on Hostgator
Laravel 5 Class 'Intervention\Image\ImageServiceProvider' not found
XAMPP apache Http server has stopped working
laravel firstOrCreate not working properly?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!