5

I'm defining security for my website in security.yml

    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/ad/new, role: ROLE_USER  }
    - { path: ^/myAds, role: ROLE_USER  }
    - { path: ^/payments, role: ROLE_USER  }
    - { path: ^/pay, role: ROLE_USER  }

But I'm not sure how such a route would be added here:

mybundle_contact_advertiser:
   path:    /ad/{id}/contact
   defaults:   { _controller: MyBundle:Default:contactAdvertiser,id:null}

How is the id defined, considering I can't do it like so:

    - { path: ^/ad, role: ROLE_USER  }

As a route like

mybundle_ad:
    path:      /ad/{id}
    defaults:  { _controller: MyBundle:Default:viewAd ,id:null}

Would not work for unregistered users.

George Irimiciuc
  • 4,573
  • 8
  • 44
  • 88
  • you dont need to add every route to the security.yml there are wildcards wich will work just like in regex to scan which subpart of routes needs an authenticated user and which route doesn't ... and besides if you put a paramter in the middle of your route which can be null your route can be /ad/null/contact ... do you really want that ? Why not make the parameter optional if it can be null – nixoschu Jan 18 '16 at 15:47
  • True, it shouldn't be null. – George Irimiciuc Jan 18 '16 at 18:48

2 Answers2

10

All answers from @turdaliev-nursultan work.

But if you know that the {id} parameter will always be an integer, there's an additional possible answer.

You can edit the security.yml file and add the following rule to the access_control list :

- { path: ^/ad/[0-9]+/contact$, role: ROLE_USER }

The [0-9]+ part means any string made of one or more digits from 0 to 9.

Keep also in mind that using any url like http://example.com/ad/foo/contact, where the parameter is not an existing id, will lead to an http 404 error.

Daishi
  • 12,681
  • 1
  • 19
  • 22
  • This might be invalid yaml you can use single quotes around the regex to prevent the yml parser from throwing an error when encountering the regex – nook Mar 31 '21 at 16:05
4

I have two solutions for you.

First, add prefix to routes which need authentication and authorization. Then simply add that that prefix to your security.yml file. This way you do not need to add all routes manually.

Second, change your route to:

mybundle_contact_advertiser:
   path:    /ad/contact/{id}
   defaults:   { _controller: MyBundle:Default:contactAdvertiser}

Then add the following to your security.yml file:

- { path: ^/ad/contact/, role: ROLE_USER  }

But, if you do not want to change the route then check authorization inside your action

 $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

Or

if (!$this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) {
    throw $this->createAccessDeniedException();
}

Last but not least, you can use @Security annotation to secure your actions.

/**
 * @Security("has_role('ROLE_USER')")
 */
Turdaliev Nursultan
  • 2,538
  • 1
  • 22
  • 28
  • 5
    Found out that `^/ad/(.+)/contact` also works in the meantime. I knew most of your choices, and don't want to modify my route. The use of annotations doesn't really make sense as I don't really want to combine both annotations and .yml. It's either one or the other. – George Irimiciuc Jan 18 '16 at 19:09
  • @GeorgeIrimiciuc, thank you for sharing, I didn't know about using regex in routing security. Learnt something new today. – Turdaliev Nursultan Jan 18 '16 at 21:23