
I am getting a 403 error when clicking on a link to the /admin/stats page when logged in with User Role: ROLE_EXPL, which should have access to the page. It works fine for ROLE_ADMIN, which also has access to this page.

Looking at the code, there are three user roles, and the link to the page in question, /admin/stats, is not displayed on the menu for the user role ROLE_PASS but is for the others. However, this link gives a 403 error for ROLE_EXPL but works fine for ROLE_ADMIN.

Can anyone advise on where to start with debugging this?

Code: security.yaml

security:

    encoders:
        AppBundle\Entity\Pass:
            algorithm: bcrypt

    providers:
        pass_provider:
            entity:
                class: AppBundle:Pass
                property: username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            anonymous: ~
            provider: pass_provider
            switch_user: true
            form_login:
                login_path: login
                check_path: login
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path:   /logout
                target: /login
            logout_on_user_change: true
            remember_me:
                secret:   '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /home

    role_hierarchy:
        ROLE_PASS:           ROLE_USER
        ROLE_EXPL:           ROLE_USER
        ROLE_ADMIN:          ROLE_USER

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
       

Required outcome:

ROLE_EXPL Should have access to the page /admin/stats

LeeTee
  • What do you want to achieve? 403 indicates "Forbidden", and if this works using another user with the proper roles, everything sounds fine? – Nico Haase Aug 03 '21 at 10:43
  • The link for that user should not be forbidden. The link shows in the admin panel for that user, but why is it coming up as forbidden? How do I change that? – LeeTee Aug 03 '21 at 12:26

2 Answers

If any user with the role ROLE_EXPL should have access to /admin/stats, you need to change the access_control settings. Currently it says:

        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }

...which means: only users with the role ROLE_ADMIN have access to the paths starting with /admin.

Nico Haase
  • Yes, it looks like the developer missed another line for the path /admin/stats. So do you think I should add this line above or below the one above? { path: ^/admin/stats, roles: ROLE_EXPL, requires_channel: '%https%' } Any chance you could clarify that by amending the answer? Thanks :) – LeeTee Aug 03 '21 at 15:10
  • I cannot decide whether you **should** do that. If it resolves your problem, go for it - but I cannot tell you whether this opens up this route to other users who should not have access to it or not – Nico Haase Aug 03 '21 at 15:16
  • Ok, I tried to add it above but it didn't work, so I added it below, and it worked but then broke for the other user. – LeeTee Aug 03 '21 at 18:01


I needed to add an extra line or "security pattern" to the security.yaml file for the /admin/stats URL.

As Nico pointed out, only users with the role ROLE_ADMIN had access to the paths starting with /admin.

I therefore added the line below beneath the ^/admin path, but this did not work. I moved it above that path and it worked, but then it broke the page for the other user; therefore the order of the security patterns is very important.

{ path: ^/admin/stats, roles: ROLE_EXPL, requires_channel: '%https%' } 

I found out you can add multiple roles and this worked:

    access_control:
        - { path: ^/admin/stats, roles: [ROLE_EXPL,ROLE_ADMIN], requires_channel: '%https%' }
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: '%https%' }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/forgotten_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
        - { path: ^/reset_password, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%https%' }
LeeTee
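The first-match behaviour both answers turn on, modelled as a small Python script (an added example, not Symfony's own code): access_control rules are scanned top to bottom, the first path regex that matches decides the request, and the role_hierarchy from the question is expanded before the roles are compared. The helper names (decide, audit, reachable_roles) and the three rule lists are my own construction, mirroring the question's original config, the "added below" attempt, and the final fix.

```python
import re

# Constructed model of Symfony access_control: first matching path wins,
# and the request is allowed only if the user holds one of that rule's roles.
ROLE_HIERARCHY = {
    "ROLE_PASS": ["ROLE_USER"],
    "ROLE_EXPL": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_USER"],
}

# As in the question: one rule guards everything under /admin.
ORIGINAL_RULES = [
    {"path": r"^/admin", "roles": ["ROLE_ADMIN"]},
]
# The "added below" attempt: the broader ^/admin rule shadows the new one.
SHADOWED_RULES = [
    {"path": r"^/admin", "roles": ["ROLE_ADMIN"]},
    {"path": r"^/admin/stats", "roles": ["ROLE_EXPL"]},
]
# The final fix: the specific rule comes first and lists both roles.
FIXED_RULES = [
    {"path": r"^/admin/stats", "roles": ["ROLE_EXPL", "ROLE_ADMIN"]},
    {"path": r"^/admin", "roles": ["ROLE_ADMIN"]},
]

def reachable_roles(roles, hierarchy=ROLE_HIERARCHY):
    """Expand roles through role_hierarchy (inherited roles are held too)."""
    seen, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(hierarchy.get(role, []))
    return seen

def decide(rules, path, user_roles):
    """'allow' or 'deny' (a 403) from the first matching rule; 'no-rule' if none."""
    for rule in rules:
        if re.search(rule["path"], path):  # later rules are never consulted
            held = reachable_roles(user_roles)
            return "allow" if any(r in held for r in rule["roles"]) else "deny"
    return "no-rule"

def audit(rules, path, roles=("ROLE_PASS", "ROLE_EXPL", "ROLE_ADMIN")):
    """Decision for one path across each role: a quick check of rule order."""
    return {role: decide(rules, path, [role]) for role in roles}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("shadowed", SHADOWED_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules, "/admin/stats"), audit(rules, "/admin/users"))
```

Running audit over every ordering before deploying a rule change shows in one glance which role gains or loses a path, which is the check the back-and-forth in the comments was missing.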