This is what my security.yml looks like for the access control list:

access_control:
    - { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/admin, roles: ROLE_ADMIN }

What I want is that the user must have both roles (ROLE_ADMIN and IS_AUTHENTICATED_FULLY) in order to access the path as defined. But with the above rules, if the user has any one of the roles, the user can access the path as defined, which I don't want. I also tried giving the rule as follows, with no success:

    - { path: ^/admin, roles: [ROLE_ADMIN, IS_AUTHENTICATED_FULLY] }

How can I add a rule that requires the user to have both roles in order to access the path defined?

sonam

3 Answers

1
IS_AUTHENTICATED_FULLY returns true whenever a user is actually authenticated.

Anonymous users are technically authenticated, meaning that the isAuthenticated() method of an anonymous user object will return true. To check if your user is actually authenticated, check for the IS_AUTHENTICATED_FULLY role.

So if a user has a role ROLE_ADMIN and is logged in, he is fully authenticated. As a result there is no need to set this requirement:

- { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }

because you have the rule below, which includes being fully authenticated:

- { path: ^/admin, roles: ROLE_ADMIN }

And

- { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }

will allow any user to see the admin section.

Read: http://symfony.com/doc/current/book/security.html

DarkLeafyGreen
  • IS_AUTHENTICATED_REMEMBERED means the user is logged in with a cookie and IS_AUTHENTICATED_FULLY means the user must log in through the login page. So according to you, when the user is not logged in, the user still can access the admin section? – sonam Feb 10 '13 at 14:28
  • Well, anonymous users cannot access the admin page, I have tested it – sonam Feb 10 '13 at 14:31
  • no, it means that any user who is authenticated through login can see admin page – DarkLeafyGreen Feb 10 '13 at 14:40
  • You don't need to require both rules, ROLE_ADMIN is enough, because it includes being authenticated fully or remembered. – DarkLeafyGreen Feb 10 '13 at 14:41
  • yes, that's true, what I want is that the admin users must have the role IS_AUTHENTICATED_FULLY, i.e. the admin users must be fully authenticated (not cookie-based authentication for admin) – sonam Feb 10 '13 at 14:42
  • oh thanks. so if I had required multiple roles, then - { path: ^/admin, roles: [ROLE_ADMIN, IS_AUTHENTICATED_FULLY] } should work, right? – sonam Feb 10 '13 at 14:43
  • I am not sure about that, if there is an AND or an OR between the roles. You should check this. – DarkLeafyGreen Feb 10 '13 at 14:50
  • The default behavior is OR unless you set the strategy to `unanimous` – Colin O'Dell Jul 16 '20 at 23:58
1

Looking at the problem itself, not at your specific situation.

If you need the user to have all of the specified roles to access some path, this needs more configuration, as the default RoleVoter grants access if the current security token has at least one of the specified roles.

RoleVoter grants access if the token has at least one of the passed roles, but the Security component passes each of the specified roles individually to each of the voters. So to change the OR behaviour to AND behaviour, all you need to do is change the decision manager strategy:

# app/config/security.yml
security:
    access_decision_manager:
        # strategy can be: affirmative (default one), unanimous or consensus
        strategy: unanimous # if any voter returns ACCESS_DENIED, access is denied
Marius Balčytis
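To make the OR versus AND difference concrete, here is an added example that is not Symfony's code and not the answerer's: a small Python model of the two decision-manager strategies with a RoleVoter-like and an AuthenticatedVoter-like voter, applied to the asker's combined rule [ROLE_ADMIN, IS_AUTHENTICATED_FULLY]. The Token, voter and decide names are constructed for this illustration; the logic follows the behaviour the answer describes, where affirmative hands the whole attribute list to each voter and unanimous votes on each attribute separately.

```python
# Added example, not Symfony's code: a model of how AccessDecisionManager combines
# RoleVoter and AuthenticatedVoter results under "affirmative" and "unanimous".
from dataclasses import dataclass
GRANTED, ABSTAIN, DENIED = 1, 0, -1
TRUST = {"anonymous": 0, "remembered": 1, "full": 2}  # trust level of a token
NEEDED = {"IS_AUTHENTICATED_ANONYMOUSLY": 0, "IS_AUTHENTICATED_REMEMBERED": 1,
          "IS_AUTHENTICATED_FULLY": 2}                 # trust each attribute requires

@dataclass(frozen=True)
class Token:
    roles: frozenset
    level: str  # "anonymous", "remembered" (remember-me cookie) or "full" (login form)

def role_voter(token, attributes):
    """Like RoleVoter: abstains unless a ROLE_* attribute is present, grants on any match."""
    vote = ABSTAIN
    for attr in attributes:
        if attr.startswith("ROLE_"):
            if attr in token.roles:
                return GRANTED
            vote = DENIED
    return vote

def authenticated_voter(token, attributes):
    """Like AuthenticatedVoter: only IS_AUTHENTICATED_* attributes are decided."""
    vote = ABSTAIN
    for attr in attributes:
        if attr in NEEDED:
            if TRUST[token.level] >= NEEDED[attr]:
                return GRANTED
            vote = DENIED
    return vote

VOTERS = (role_voter, authenticated_voter)
def decide(strategy, token, attributes):
    """Model of decide() with allow_if_all_abstain left at its default (false)."""
    if strategy == "affirmative":
        # every voter sees the whole attribute list; a single GRANTED from anyone wins
        return any(voter(token, attributes) == GRANTED for voter in VOTERS)
    if strategy == "unanimous":
        # each attribute is voted on separately; a single DENIED from anyone loses
        grants = 0
        for attr in attributes:
            for voter in VOTERS:
                vote = voter(token, [attr])
                if vote == DENIED:
                    return False
                grants += vote == GRANTED
        return grants > 0
    raise ValueError(f"unsupported strategy {strategy!r}")
```

Under affirmative, a remember-me admin and a fully logged-in non-admin both pass the rule; under unanimous only the fully logged-in admin does.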
-1

If I didn't get you wrong, I think hierarchical roles are a better approach (http://symfony.com/doc/current/book/security.html#hierarchical-roles).

Hierarchical Roles
Instead of associating many roles to users, you can define role inheritance rules by creating a role hierarchy:

# app/config/security.yml
security:
    ...

    role_hierarchy:
        ROLE_ADMIN:              ROLE_USER
        ROLE_SUPER_ADMIN:        ROLE_ADMIN
        ROLE_BOTH_ROLE_TOGETHER: [IS_AUTHENTICATED_FULLY, ROLE_ADMIN]

And then you can check for the hierarchy.