My ROLE_ADMIN user can access the backend/user URL although I didn't grant him permission to do so. This is the first time I'm using FOS, so I might be making a silly mistake below. I read the documentation. What should I do to avoid this access problem?
Thanks in advance
security.yml
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backend, role: ROLE_ADMIN }
    - { path: ^/backend/user, role: ROLE_SUPER_ADMIN }
USERS
mbp:symfony$ php app/console fos:user:create user user@foobar user
Created user user
mbp:symfony$ php app/console fos:user:promote user ROLE_USER
User "user" did already have "ROLE_USER" role.
mbp:symfony$ php app/console fos:user:create admin admin@foobar admin
Created user admin
mbp:symfony$ php app/console fos:user:promote admin ROLE_ADMIN
Role "ROLE_ADMIN" has been added to user "admin".
mbp:symfony$ php app/console fos:user:create superadmin superadmin@foobar superadmin
Created user superadmin
mbp:symfony$ php app/console fos:user:promote superadmin ROLE_SUPER_ADMIN
Role "ROLE_SUPER_ADMIN" has been added to user "superadmin".
The access control uses the first matching rule to enforce access, so your rules are stopping at - { path: ^/backend, role: ROLE_ADMIN }, meaning that the rule after it is never reached.
To get this working in the way that you were expecting, you should switch the order of your rules around to match:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backend/user, role: ROLE_SUPER_ADMIN }
    - { path: ^/backend, role: ROLE_ADMIN }
In your code, the regular expression pattern is matching ROLE_ADMIN before ROLE_SUPER_ADMIN. Try it this way:
    - { path: ^/backend/user, roles: ROLE_SUPER_ADMIN }
    - { path: ^/backend, roles: ROLE_ADMIN }
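Both answers make the same point: access_control is first-match, so the broad ^/backend rule shadows ^/backend/user until the order is swapped. As an added example that is not from this thread or from Symfony itself, here is a small Python model of that evaluation (first matching path regex wins, role_hierarchy expanded transitively) run over the rule orders from the question and the answers; the rule lists and role names are the page's, while the function names are assumed.

```python
import re

# Added model of Symfony's access_control evaluation (not Symfony's code):
# the first rule whose path regex matches the request decides; later rules
# are never consulted. Rules and role_hierarchy are the ones from the question.
ROLE_HIERARCHY = {
    "ROLE_ADMIN": ["ROLE_USER"],
    "ROLE_SUPER_ADMIN": ["ROLE_USER", "ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}

# Order from the question: the broad ^/backend rule comes first.
RULES_ORIGINAL = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/backend", "ROLE_ADMIN"),
    (r"^/backend/user", "ROLE_SUPER_ADMIN"),
]
# Order from the answers: most specific path first.
RULES_FIXED = RULES_ORIGINAL[:3] + [RULES_ORIGINAL[4], RULES_ORIGINAL[3]]


def reachable_roles(granted):
    """Expand the user's roles transitively through role_hierarchy."""
    result, stack = set(), list(granted)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(ROLE_HIERARCHY.get(role, []))
    return result


def first_matching_rule(rules, path):
    """Return the (pattern, requirement) of the first rule matching path, else None."""
    for pattern, required in rules:
        if re.search(pattern, path):
            return pattern, required
    return None


def is_granted(rules, path, user_roles):
    """True if access_control lets a user with user_roles reach path.
    A path no rule matches is unrestricted by access_control."""
    rule = first_matching_rule(rules, path)
    if rule is None or rule[1] == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    return rule[1] in reachable_roles(user_roles)
```

With RULES_ORIGINAL, is_granted(RULES_ORIGINAL, "/backend/user", ["ROLE_ADMIN"]) returns True, which is exactly the behaviour reported in the question; with RULES_FIXED the same call returns False and only ROLE_SUPER_ADMIN gets through.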