
I have a security.yaml like this:


        # firewalls entry
        api_documentary:
            pattern:    ^/api/v1/documentary
            fos_oauth:  true
            stateless:  false
            methods:    [POST, PUT, DELETE]

        # access_control entry
        - { path: ^/api/v1/documentary, roles: IS_AUTHENTICATED_ANONYMOUSLY }

I want the firewall to be on (accessed by access token) on the following routes: ^/api/v1/documentary POST, PUT, DELETE.

I want the firewall to be off on the routes: GET and GET ALL

If I exclude GET from `methods: []` above, I can access them publicly; however, something weird happens:

The isGranted doesn't work, even though the user has the following roles [ROLE_USER, ROLE_ADMIN] it doesn't seem to notice.

    if (!$this->isGranted('ROLE_ADMIN')) {
        return new JsonResponse("Not granted");
    }

If I add to api_documentary:

methods: [GET, POST, PUT, DELETE]

isGranted works but the GET method will no longer be public.

JonnyD
  • This sounds odd, indeed. Which firewalls, user providers and authenticators are you using? Have you checked the security panel on the profiler toolbar to see if there is anything that looks different when using either approach (with vs. without GET)? – dbrumann Aug 09 '19 at 11:16
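One way to get the behaviour the question asks for, added here as an example and not taken from the asker's configuration: keep the OAuth firewall matching every method (so a bearer token, when present, is authenticated and `isGranted()` has a real token to inspect) and move the per-method decision into `access_control`, which supports a `methods` key. The `anonymous: true` and `stateless: true` settings and the `IS_AUTHENTICATED_FULLY` role for writes are assumptions about a typical token-protected API; the `dev` firewall and the rest of `security.yaml` are omitted.

```yaml
# config/packages/security.yaml (added example, assumes FOSOAuthServerBundle)
security:
    firewalls:
        api_documentary:
            pattern:    ^/api/v1/documentary
            # Match every method. If GET is left out, GET requests never reach
            # this firewall, so there is no authenticated token behind
            # isGranted(), regardless of the roles the user actually holds.
            methods:    [GET, POST, PUT, DELETE]
            stateless:  true            # assumption: no session for a token API
            fos_oauth:  true
            # Requests without a bearer token pass through as anonymous;
            # access_control below decides which methods need a role.
            anonymous:  true

    access_control:
        # Reads (single item and collection) are public: no token required.
        - { path: ^/api/v1/documentary, methods: [GET], roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Writes require a real token; the controller can still narrow this
        # further with isGranted('ROLE_ADMIN').
        - { path: ^/api/v1/documentary, methods: [POST, PUT, DELETE], roles: IS_AUTHENTICATED_FULLY }
```

`access_control` rules are evaluated top to bottom and the first match wins, so the public GET rule must precede any broader rule for the same path. A quick check is the Security panel in the profiler: a GET with a valid token should show the OAuth token and the user's roles, while a GET without one should show an anonymous token rather than no token at all.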

0 Answers