Here's my situation:
I'm working on a Symfony 3.4 project. I've enabled the switch_user setting in security.yml and I'm able to log in instead of the users.
However, I have a question about the rights.
I have three user groups/roles:
- BASIC_USER: can't log in in place of any other user.
- ADVANCED_USER: can connect instead of BASIC_USER users but not instead of ADVANCED_USER or ADMIN_USER users.
- ADMIN_USER: can connect in place of any user, even ADMIN_USERs.
If I give the role ROLE_ALLOWED_TO_SWITCH to my ADVANCED_USER users, they will be able to log in as ADMIN_USER using a URL of this type: https://mywebsite.com/?_switch_user=adminemail@mywebsite.com
How can I block them from doing this?
Thank you in advance for your help and have a nice week.
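
One way to enforce the three-tier rule described in the question, as an added example that is not part of the original post: a subscriber on Symfony's `security.switch_user` event that inspects the target user's roles and refuses the switch by throwing before the impersonation token is stored. The class name, file path and the role names `ROLE_ADVANCED_USER` and `ROLE_ADMIN_USER` are assumptions (the post only names the groups), and the `_switch_user` parameter name is taken from the URL in the post.

```php
<?php
// src/AppBundle/EventListener/SwitchUserGuard.php (hypothetical path and class name)
namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
use Symfony\Component\Security\Http\SecurityEvents;

class SwitchUserGuard implements EventSubscriberInterface
{
    // Assumed role names: only holders of $adminRole may impersonate these targets.
    private static $adminRole = 'ROLE_ADMIN_USER';
    private static $protectedTargets = ['ROLE_ADVANCED_USER', 'ROLE_ADMIN_USER'];

    private $checker;

    public function __construct(AuthorizationCheckerInterface $checker)
    {
        $this->checker = $checker;
    }

    public static function getSubscribedEvents()
    {
        return [SecurityEvents::SWITCH_USER => 'onSwitchUser'];
    }

    public function onSwitchUser(SwitchUserEvent $event)
    {
        // The same event fires when leaving impersonation (?_switch_user=_exit);
        // the target is then the original user, so never block that path.
        if ($event->getRequest()->get('_switch_user') === '_exit') {
            return;
        }
        // The token storage still holds the original (non-impersonated) token here,
        // so this checks the user who is asking to switch.
        if ($this->checker->isGranted(self::$adminRole)) {
            return;
        }
        // getRoles() may return strings or Role objects in Symfony 3.4.
        foreach ($event->getTargetUser()->getRoles() as $role) {
            $name = $role instanceof Role ? $role->getRole() : (string) $role;
            if (in_array($name, self::$protectedTargets, true)) {
                throw new AccessDeniedException('Switching to this user is not allowed.');
            }
        }
    }
}
```

The class has to be registered as a service tagged `kernel.event_subscriber` (automatic when autoconfiguration is enabled). The target check reads the roles returned by `getRoles()` directly, so roles a target only inherits through `role_hierarchy` are not seen by it.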