Macbernie - 3 months ago
PHP Question

Silex Defining Access Rules

I follow the Silex documentation section http://silex.sensiolabs.org/doc/providers/security.html#defining-access-rules

And here is my configuration:

'security.role_hierarchy' => [
    'ROLE_ADMIN' => [
        'ROLE_USER',
    ],
    'ROLE_SUPER_ADMIN' => [
        'ROLE_USER',
        'ROLE_ADMIN',
        'ROLE_ALLOWED_TO_SWITCH'
    ]
],
'security.access_rules' => [
    [ '^.*$', 'IS_AUTHENTICATED_ANONYMOUSLY' ],
    [ '^/account', 'ROLE_USER' ],
    [ '^/admin', 'ROLE_ADMIN' ]
]


So what I need is quite simple: an anonymous user can access everywhere (except the /account/* and /admin/* paths), a user with "ROLE_USER" can access everywhere and the /account/* paths, but not the /admin/* paths, and a user with "ROLE_ADMIN" can access everywhere.

I made a very basic controller to test whether a user is redirected if he's not a "ROLE_ADMIN":

$app->get('/admin', function () use ($app) {
    return 1;
})->bind('admin');


But not at all. He can access /admin, with a printed "1" on the page...

According to the doc:

With the above configuration, users must have the ROLE_ADMIN to access the /admin section of the website [...] (if that's not the case, the user will be automatically redirected).

Answer

Definitely the order of the rules is important; only one will be matched. Silex will look at each rule starting at the top and stop as soon as it finds one security.access_rules entry that matches the URL. In other words, Silex decides which security.access_rules entry to use based on the URI, and the first rule that matches is used. So you need to move the first rule to the end to resolve this:

'security.access_rules' => [
    [ '^/account', 'ROLE_USER' ],
    [ '^/admin', 'ROLE_ADMIN' ],
    [ '^.*$', 'IS_AUTHENTICATED_ANONYMOUSLY' ],
]
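To make the first-match behaviour concrete, here is an added example (not from the question, the answer, or the Silex code base) that models how an access map resolves a request path against an ordered rule list and checks the matched role against the role hierarchy. It is a simplified stand-in for Symfony's AccessMap/RequestMatcher, assuming rules are tried top to bottom with preg_match on the path and that the hierarchy is expanded transitively; run it against both orderings to see which one lets an anonymous user into /admin.

```php
<?php
// Added example, not from the post or from Silex: a minimal model of how
// security.access_rules are resolved. Assumptions: rules are tested in order,
// the first regex that matches the path wins, and role_hierarchy is expanded
// transitively. Real Silex delegates this to Symfony's security component.

function firstMatchingRule(array $rules, string $path): ?string
{
    foreach ($rules as [$pattern, $role]) {
        if (preg_match('{' . $pattern . '}', $path)) {
            return $role; // first match wins; later rules are never consulted
        }
    }
    return null; // no rule matched: nothing is required
}

function expandRoles(array $hierarchy, array $roles): array
{
    $reachable = $roles;
    for ($i = 0; $i < count($reachable); $i++) {       // breadth-first expansion
        foreach ($hierarchy[$reachable[$i]] ?? [] as $child) {
            if (!in_array($child, $reachable, true)) {
                $reachable[] = $child;
            }
        }
    }
    return $reachable;
}

function isGranted(array $hierarchy, array $userRoles, ?string $required): bool
{
    if ($required === null || $required === 'IS_AUTHENTICATED_ANONYMOUSLY') {
        return true; // anonymous access is enough
    }
    return in_array($required, expandRoles($hierarchy, $userRoles), true);
}

$hierarchy = ['ROLE_ADMIN' => ['ROLE_USER'],
              'ROLE_SUPER_ADMIN' => ['ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']];
$broken = [['^.*$', 'IS_AUTHENTICATED_ANONYMOUSLY'], ['^/account', 'ROLE_USER'], ['^/admin', 'ROLE_ADMIN']];
$fixed  = [['^/account', 'ROLE_USER'], ['^/admin', 'ROLE_ADMIN'], ['^.*$', 'IS_AUTHENTICATED_ANONYMOUSLY']];

foreach (['broken' => $broken, 'fixed' => $fixed] as $name => $rules) {
    foreach ([[], ['ROLE_USER'], ['ROLE_ADMIN']] as $userRoles) {
        $required = firstMatchingRule($rules, '/admin');
        printf("%-6s roles=%-10s /admin requires %-30s granted=%s\n", $name,
            implode(',', $userRoles) ?: 'anonymous', $required,
            isGranted($hierarchy, $userRoles, $required) ? 'yes' : 'no');
    }
}
```

With the "broken" ordering every request, including /admin, resolves to IS_AUTHENTICATED_ANONYMOUSLY, so the catch-all rule silently disables the more specific ones; with the "fixed" ordering only ROLE_ADMIN (or a role that inherits it) is granted /admin.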