Access to /admin, why any user logged into the system can access?

Question

I have days trying to make this work and I can't so as a last resort I hope any can help me here. The point is that my application, as every application has a frontend which should be accessed by any user registered in the system except those that have, so far, the role ROLE_ADMIN and a backend which so otherwise, should have access only users with ROLE_ADMIN and normal users who do not own roles or having the default role ROLE_USER should neither be able to login.

The problem I have is that, regardless, if I sign with any normal user without permissions to the admin (lacks ROLE_ADMIN) and access to the URL app.php/admin them can enter without any problem which is completely wrong. On the other hand if I try to log on to the frontend with any user with ROLE_ADMIN can do it without any problem and this should not happen.

This is my configuration security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path:  /login
                check_path:  /login_check
                default_target_path: home
                always_use_default_target_path: true
                use_referer: true
            logout:
                 path: fos_user_security_logout
                 target: /
                 invalidate_session: true
            anonymous: ~

    access_control:
        # Anonymous area
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/isLoggedIn$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/cedula, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rif, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/usuario, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/razon_social, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro_mercantil, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/padre, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo_alternativo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/paises, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/estados, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ciudades, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/municipios, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/parroquias, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/empresas, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Secured area
        - { path: ^/, role: ROLE_USER }
        - { path: ^/admin, role: ROLE_ADMIN }

What am I doing wrong? Can anyone give me any suggestions?

I have read docs from top to bottom several times but don't get what I'm doing wrong

I assume the spaces in your regex? Any reason why you put them? — Gerry, Feb 05 '15 at 13:50
@Gerry a typo while copy & paste, in my `security.yml` they doesn't exists — ReynierPM, Feb 05 '15 at 13:51
`^/admin` should be before `^/`. All routes are being caught by the first one so all users can access not caught before that. — qooplmao, Feb 05 '15 at 13:52
@Qoop you mean this `- { path: ^/admin, role: ROLE_ADMIN } - { path: ^/, role: ROLE_USER }`? — ReynierPM, Feb 05 '15 at 13:54
^/ is matched before ^/admin.. You should really develop a habit of adding things like `^/` at the very end, always.. — Broncha, Feb 05 '15 at 13:59
@Qoop sorry for hijack this thread but can you take a look into [this](http://stackoverflow.com/questions/28346219/preventing-users-login-from-non-authorized-area)? — ReynierPM, Feb 05 '15 at 14:14
No @GuyT, I came to the same conclusion as Qoop did, and actually wrote an answer. — Gerry, Feb 05 '15 at 14:28

score 3 · Accepted Answer · answered Feb 05 '15 at 13:56

3

Access control works very similar to routing, the first match is the one executed.

This means that requests for /admin will be matched with:

- { path: ^/, role: ROLE_USER }

You should put your /admin rule first. Also, I find it much better practice to secure the controllers whenever you can (which avoids common problems like these): http://symfony.com/doc/current/book/security.html#securing-controllers-and-other-code

answered Feb 05 '15 at 13:56

Gerry

6,012
21
33

Well the problem with secure controllers is that I'm using the [EasyAdminBundle](https://github.com/javiereguiluz/EasyAdminBundle) bundle and do not know how to achieve that using it, if you know will be fine to let me know – ReynierPM Feb 05 '15 at 13:59
@ReynierPM : the firewall is app-based, so it should work with EasyAdminBundle or any other bundle. – A.L Feb 05 '15 at 23:07
@A.L what you mean with _the firewall is app-based_? Can you provide some example by using `EasyAdminBundle`? – ReynierPM Feb 05 '15 at 23:10
I don't know EasyAdminBundle, but I used SonataAdminBundle and it creates an `/admin` URL, so I just had to add `- { path: ^/admin, role: ROLE_ADMIN }` in `security.yml` in order to enable the firewall. – A.L Feb 05 '15 at 23:12

Access to /admin, why any user logged into the system can access?

1 Answers1