I’m working on a legacy project with a lot of ancient staffs. There’re huge numbers of actions which are used really rare. Half a year ago we upgraded from Symfony 2.8 to Symfony 4.4. All worked pretty well until a manager tried to use one of the old action that now returns AccessDeniedException: Access Denied.
I’ve checked Symfony documentation and all seems pretty straightforward for me.
The documentation says:
Checking to see if a User is Logged In (IS_AUTHENTICATED_FULLY)
If you only want to check if a user is logged in (you don’t care about roles), you have two options. First, if you’ve given every user ROLE_USER, you can check for that role.
There is app/config/security.yml with the next configuration:
security:
access_decision_manager:
strategy: unanimous
allow_if_all_abstain: true
encoders:
FOSUserBundleModelUserInterface:
algorithm: sha512
encode_as_base64: false
iterations: 1
role_hierarchy:
ROLE_CUSTOMER_ADMIN: ROLE_USER
ROLE_ADMIN: ROLE_USER
ROLE_ADMIN_CAN_EDIT_PERMISSIONS: ROLE_ADMIN
ROLE_SUPER_ADMIN: ROLE_ADMIN_CAN_EDIT_PERMISSIONS
providers:
fos_user:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_user
default_target_path: /user-post-login
always_use_default_target_path: true
login_path: user_security_login
check_path: fos_user_security_check
logout:
path: /logout
target: /login
handlers: [mp.logout_handler]
invalidate_session: false
anonymous: ~
remember_me:
secret: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
...
- { path: ^/api, role: IS_AUTHENTICATED_ANONYMOUSLY }
...
- { path: ^/admin/select-customer-status, role: [ROLE_CUSTOMER_ADMIN, ROLE_SUPER_ADMIN] }
...
- { path: ^/admin, role: ROLE_USER }
My current user has the role ROLE_SUPER_ADMIN, according to role_hierarchy this role has ROLE_USER in ancestors, but when I try to open http://localhost:8080/admin/select-customer-status/1 I get this Access Denied exception.
I tried to debug and figured out this exception arose in SymfonyComponentSecurityHttpFirewallAccessListener
But the real problem is that Voter is checking for IS_AUTHENTICATED_FULLY under the hood, but this one isn’t present in $attributes.
Another interesting thing is when I add this configuration directly to Action it works as expected and no exception is thrown:
/**
* @Route("/admin/update-user-permissions/{id}", name="update_user_permissions")
* @Method({"POST"})
*
* @IsGranted("ROLE_SUPER_ADMIN")
* @IsGranted("ROLE_CUSTOMER_ADMIN")
*/
Can anybody help with this strange behaviour?
P.S. There is a similar question, but it’s for Symfony 2 and not reliable for me.
Advertisement
Answer
what apparently happens, is, that all of the roles mentioned are required, i.e. both ROLE_SUPER_ADMIN as well as ROLE_CUSTOMER_ADMIN. As far as I understand your problem description, your user is either, but not both.
The screenshot you provided shows the access manager handling the request at the bottom:
which clearly shows, that the AuthenticatedVoter is NOT the problem, because it abstains (since it only votes on IS_AUTHENTICATED_* roles (for example IS_AUTHENTICATED_FULLY), which is also easily seen in its code.
However, as can be easily seen as well, both roles are checked separately(!). The RoleHierarchyVoter now tries to see, if the ROLE_CUSTOMER_ADMIN is granted, and I assume your user has the ROLE_SUPER_ADMIN, which the RoleHierarchyVoter will expand by using the hierarchy to ROLE_SUPER_ADMIN,ROLE_ADMIN_CAN_EDIT_PERMISSIONS, ROLE_ADMIN and ROLE_USER. None of which is ROLE_CUSTOMER_ADMIN.
As I have suggested in a comment, you might want to choose to add a new ROLE that both extended admin roles hold. if ROLE_ADMIN is not appropriate, maybe a ROLE_EXTENDED_ADMIN or something.
ROLE_CUSTOMER_ADMIN: [ROLE_ADMIN, ROLE_EXTENDED_ADMIN] ROLE_SUPER_ADMIN: [ROLE_ADMIN_CAN_EDIT_PERMISSIONS, ROLE_EXTENDED_ADMIN]
and then in access control:
- { path: ^/admin/select-customer-status, roles: ROLE_EXTENDED_ADMIN }