php - What is the proper way to prevent not logged in users to acces specific pages -

I have the following setup on my website:

The /login page is the page you land on automatically when you visit the website. You do not need to be logged in for it.

When you log in, you land on the /game/welcome page. From there you can access /game/account and similar pages.

Now, when I go straight to /game/welcome without logging in, I can access the page. How can I prevent this?

This is my security.yml file:

    # You can read more about security in the related section of the documentation
    # http://symfony.com/doc/current/book/security.html
    security:
        # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
        encoders:
            Login\LoginBundle\Entity\User: sha512
                #algorithm: sha1
                #iterations: 1
                #encode_as_base64: true
            #Login\LoginBundle\Entity\User: sha512

        # http://symfony.com/doc/current/book/security.html#hierarchical-roles
        role_hierarchy:
            ROLE_ADMIN:       ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

        # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
        providers:
            user:
                entity:
                    class: Login\LoginBundle\Entity\User
                    property: username
            #in_memory:
                #memory:
                    #users:
                        #user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                        #admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

        # the main part of the security, where you can set up firewalls
        # for specific sections of your app
        firewalls:
            secured_area:
                pattern: ^/
                anonymous: ~
                form_login:
                    login_path: login
                    check_path: login_check

        access_control:
            - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Typically, checking ROLE_USER should suffice, though a safer check is the role IS_AUTHENTICATED_FULLY, which the security component sets automatically for authenticated users, if you want to differentiate them from anonymous users.
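The corresponding access_control fix for the security.yml in the question, as an added example that is not part of either answer (the ^/game path is taken from the question; the role names are the standard Symfony ones mentioned above):

```yaml
# security.yml, access_control section only.
# Rules are evaluated top to bottom and the FIRST matching rule wins, so the
# rule that keeps /login reachable anonymously must stay above the /game rule.
#
# As posted, the list contained only the ^/login rule. Because the firewall
# declares "anonymous: ~", any path with no matching rule is allowed for
# anonymous users, which is why /game/welcome was reachable without a login.
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # Added rule: everything under /game (welcome, account, ...) now requires
    # a fully authenticated session; anonymous visitors are redirected to
    # the form_login login_path instead of seeing the page.
    - { path: ^/game,  roles: IS_AUTHENTICATED_FULLY }
```

Because ^/game is a regular expression anchored at the start of the path, a later rename of the route to e.g. /play would silently drop the protection, which is the failure mode the next answer warns about.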

Instead of taking the path of setting access_control in security.yml as the other answers suggest, I'd recommend securing the individual controllers instead.

This has the advantage of not inadvertently disabling security when changing route URL patterns, or making mistakes in regular expressions, which I see happening a lot.

With the SensioFrameworkExtraBundle you can secure controllers with an annotation:

    <?php

    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
    use Symfony\Bundle\FrameworkBundle\Controller\Controller;

    class DemoController extends Controller
    {
        /**
         * Only fully authenticated users may call this action;
         * anyone else gets an access denied response.
         *
         * @Security("has_role('IS_AUTHENTICATED_FULLY')")
         */
        public function indexAction()
        {
            // ...
        }
    }

If you don't use annotations, you can check it in the controller code as follows (when extending the default Controller class):

    <?php

    use Symfony\Bundle\FrameworkBundle\Controller\Controller;

    class DemoController extends Controller
    {
        public function indexAction()
        {
            // Deny the request unless the current token is fully authenticated
            // (not anonymous and not merely a "remember me" session).
            if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
                throw $this->createAccessDeniedException('Unable to access this page!');
            }

            // ...
        }
    }

php security symfony2
