
Here's my situation:

I'm working on a Symfony 3.4 project. I've enabled the switch_user setting in security.yml and I'm able to log in as other users.

However, I have a question about the rights.

I have three user groups/roles:

  • BASIC_USER: can't log in as any other user.
  • ADVANCED_USER: can log in as BASIC_USER users, but not as ADVANCED_USER or ADMIN_USER users.
  • ADMIN_USER: can log in as any user, even ADMIN_USERs.

If I give the role ROLE_ALLOWED_TO_SWITCH to my ADVANCED_USER users they will be able to log in as ADMIN_USER using a URL of this type: https://mywebsite.com/?_switch_user=adminemail@mywebsite.com

How can I block them from doing this?

Thank you in advance for your help and have a nice week.

  • 1
    You can protect the URL with ROLE ADMIN_USER in the security file. I believe this should work – threeside Apr 27 '20 at 22:55
  • Thanks for your answer. It might work for the admin URL, but how do I forbid users with ADVANCED_USER from impersonating the other users with ADVANCED_USER? – sisischakal May 04 '20 at 18:31
  • 1
    You can make a condition on the original user's role. Look at https://symfony.com/doc/current/security/impersonating_user.html#finding-the-original-user – threeside May 05 '20 at 20:21
  • Thank you, that's what I have done, but I'm not really satisfied with this solution. If you have access to ROLE_PREVIOUS_ADMIN it means that the user has already impersonated the other user. And even if you can block him at this moment, I was wondering if it was possible to block him before impersonating someone that he is not supposed to impersonate. Have a good day. – sisischakal May 11 '20 at 14:50
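The following is an added example, not code from the question or from the Symfony project, showing one way to enforce the asker's three-tier policy before the impersonation token is stored. It relies on an assumption about Symfony 3.4's SwitchUserListener: that it dispatches SecurityEvents::SWITCH_USER after building the impersonation token but before calling TokenStorage::setToken(), so an exception thrown by a listener aborts the switch. The original (impersonating) user is read from the SwitchUserRole the new token carries, which is the same "finding the original user" mechanism the linked docs describe. The class name, the App\Security namespace, and the assumption that getRoles() returns the literal strings BASIC_USER, ADVANCED_USER and ADMIN_USER are mine.

```php
<?php
// Added example (not from the question or from Symfony): veto a switch_user
// attempt based on the original user's roles versus the target user's roles.
// Assumes Symfony 3.4, where SwitchUserListener dispatches
// SecurityEvents::SWITCH_USER before the new token is stored, so throwing
// here blocks the impersonation instead of undoing it afterwards.
namespace App\Security;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\Role\SwitchUserRole;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
use Symfony\Component\Security\Http\SecurityEvents;

class SwitchUserGuardSubscriber implements EventSubscriberInterface
{
    // Hierarchy assumed from the question; higher rank may impersonate lower.
    const RANK = [
        'BASIC_USER' => 0,
        'ADVANCED_USER' => 1,
        'ADMIN_USER' => 2,
    ];

    public static function getSubscribedEvents()
    {
        return [SecurityEvents::SWITCH_USER => 'onSwitchUser'];
    }

    public function onSwitchUser(SwitchUserEvent $event)
    {
        $newToken = $event->getToken();

        // In 3.4 the impersonation token carries a SwitchUserRole whose
        // source is the original token (the user who asked to switch).
        $originalUser = null;
        foreach ($newToken->getRoles() as $role) {
            if ($role instanceof SwitchUserRole) {
                $originalUser = $role->getSource()->getUser();
                break;
            }
        }

        // Exiting impersonation (?_switch_user=_exit) fires the same event
        // without a SwitchUserRole; there is nothing to check in that case.
        if (!$originalUser instanceof UserInterface) {
            return;
        }

        $target = $event->getTargetUser();
        if (!self::canImpersonate($originalUser, $target)) {
            // AccessDeniedException is not an AuthenticationException, so the
            // firewall surfaces it as a 403 rather than a "Switch User failed" LogicException.
            throw new AccessDeniedException(sprintf(
                'User "%s" is not allowed to impersonate "%s".',
                $originalUser->getUsername(),
                $target->getUsername()
            ));
        }
    }

    // Policy from the question: ADMIN_USER may impersonate anyone (including
    // other admins); ADVANCED_USER only users ranked strictly below itself;
    // BASIC_USER nobody. Public so it can be unit-tested without the firewall.
    public static function canImpersonate(UserInterface $original, UserInterface $target)
    {
        $originalRank = self::highestRank($original);
        if ($originalRank === self::RANK['ADMIN_USER']) {
            return true;
        }
        if ($originalRank === self::RANK['ADVANCED_USER']) {
            return self::highestRank($target) < $originalRank;
        }
        return false;
    }

    // Highest known rank among a user's roles; -1 if none of the three apply.
    // Accepts both plain strings and Role objects from getRoles().
    private static function highestRank(UserInterface $user)
    {
        $rank = -1;
        foreach ($user->getRoles() as $role) {
            $name = $role instanceof Role ? $role->getRole() : (string) $role;
            if (isset(self::RANK[$name])) {
                $rank = max($rank, self::RANK[$name]);
            }
        }
        return $rank;
    }
}
```

With Symfony 3.4 autoconfiguration enabled, a class implementing EventSubscriberInterface in the autowired services directory is tagged as an event subscriber automatically; otherwise tag the service with kernel.event_subscriber. Keep ROLE_ALLOWED_TO_SWITCH on ADVANCED_USER and ADMIN_USER so the built-in check still runs first; this subscriber only adds the "who may switch to whom" rule on top of it. Protecting the admin URL with access_control, as the first comment suggests, remains worthwhile as a second layer, but it does not by itself stop an ADVANCED_USER from switching to another ADVANCED_USER, which this check does.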

0 Answers