How to deny access to all controllers except some?

I have roles: ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_MANAGER.

If I use annotations, then everything is fine. The index method is available to the manager: the ROLE_MANAGER on the method overrides the ROLE_ADMIN.

<?php

namespace App\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

/**
 * @Security("has_role('ROLE_ADMIN')")
 */
class TestController extends Controller
{
    /**
     * The method-level annotation overrides the class-level ROLE_ADMIN requirement.
     *
     * @Security("has_role('ROLE_MANAGER')")
     */
    public function index(): Response
    {
        return new Response('Test');
    }
}

If I deny access to everyone except admins, then the override in the controller does not work. My access_control in security.yml:

access_control:
    - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/,      role: ROLE_ADMIN }

I can write all the routes in the access_control, but the list is too big and it's inconvenient. And it is more convenient to use annotations in the controller.

I want to do this so that when a new controller is created, it is only available to ROLE_ADMIN by default.

  • This sounds like a bad development process to me. Effectively whitelisting certain controllers or controller functions or routes with a "too big" list sounds like it's perfectly fitting (hey, at least you got regexes at your disposal to match the paths). – Jakumi Dec 20 '20 at 15:08
  • Like @Jakumi I have some doubts regarding your design however a [before filter](https://symfony.com/doc/current/event_dispatcher/before_after_filters.html) using a kernel.controller event subscriber will do the trick. – Cerad Dec 20 '20 at 15:20
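The following is an added example of the approach Cerad's comment points at; it is not code from the question, from Symfony or from SensioFrameworkExtraBundle. It is a `kernel.controller` event subscriber that fails closed: every controller is admin-only unless the class or the action carries its own `@Security` annotation, in which case the bundle's `SecurityListener` evaluates that annotation instead. It assumes Symfony 4.3 or later with SensioFrameworkExtraBundle and doctrine/annotations installed, PHP 7.4 for typed properties, and that the `^/` ROLE_ADMIN rule is removed from `access_control` (otherwise the firewall denies the request before any annotation is seen, which is exactly the behaviour in the question). The class name, the namespace and the `#^/login#` public-path pattern (mirroring the question's login rule) are assumptions.

```php
<?php
// Added example: default-deny subscriber with per-controller @Security override.
// Assumed names: App\EventSubscriber\DefaultAdminOnlySubscriber, '#^/login#'.
namespace App\EventSubscriber;

use Doctrine\Common\Annotations\Reader;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class DefaultAdminOnlySubscriber implements EventSubscriberInterface
{
    private AuthorizationCheckerInterface $authChecker;
    private Reader $annotationReader;
    /** Regex for paths that stay public; mirrors the ^/login rule in access_control (assumed). */
    private string $publicPathPattern;

    public function __construct(
        AuthorizationCheckerInterface $authChecker,
        Reader $annotationReader,
        string $publicPathPattern = '#^/login#'
    ) {
        $this->authChecker = $authChecker;
        $this->annotationReader = $annotationReader;
        $this->publicPathPattern = $publicPathPattern;
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::CONTROLLER => 'onKernelController'];
    }

    public function onKernelController(ControllerEvent $event): void
    {
        // Guard only the main request; error-page and fragment sub-requests inherit its decision
        // (otherwise the 403 error page itself would be denied). Symfony 5.3+ renames this isMainRequest().
        if (!$event->isMasterRequest()) {
            return;
        }

        if (preg_match($this->publicPathPattern, $event->getRequest()->getPathInfo())) {
            return;
        }

        // A controller that declares its own @Security rule opts out of the default:
        // the bundle's SecurityListener enforces that expression on kernel.controller_arguments.
        if ($this->hasSecurityAnnotation($event->getController())) {
            return;
        }

        // No explicit rule: fall back to admin-only.
        if (!$this->authChecker->isGranted('ROLE_ADMIN')) {
            throw new AccessDeniedException('This controller is admin-only by default.');
        }
    }

    /** True when the controller class or the invoked method carries an @Security annotation. */
    private function hasSecurityAnnotation(callable $controller): bool
    {
        if (is_array($controller)) {
            [$target, $method] = $controller;
        } elseif (is_object($controller) && !$controller instanceof \Closure) {
            [$target, $method] = [$controller, '__invoke'];
        } else {
            // Closures and plain functions cannot carry annotations: keep the default rule.
            return false;
        }

        $class = new \ReflectionClass($target);
        if ($this->annotationReader->getClassAnnotation($class, Security::class) !== null) {
            return true;
        }

        return $this->annotationReader->getMethodAnnotation($class->getMethod($method), Security::class) !== null;
    }
}
```

With autowiring and autoconfiguration the subscriber is registered automatically. New controllers then require ROLE_ADMIN without any configuration, and the `TestController` from the question keeps working as intended: its class-level annotation opts it out of the default, and the method-level ROLE_MANAGER annotation is evaluated by the bundle exactly as before. Controllers that must stay public either match the public-path pattern (the login page) or declare their own `@Security` expression.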
