
I have a normal FOSUserBundle installed in my Symfony project. What I'm intending to do is give my admin section further security by making it unknown to the public. What I want to do is throw a 404 error whenever somebody who is not an Admin tries to access the section directly, so nobody even knows at which address it is, to prevent hacking attempts in the core. I set up an ExceptionListener, which works fine:

    <?php
    // Kernel exception listener from the question, expanded into a complete class:
    // imports, the container it reads the templating service from, and the 404
    // status code (the original returned the 404 template with a 200 status).
    use Symfony\Component\DependencyInjection\ContainerInterface;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;

    class ExceptionListener
    {
        private $container;

        public function __construct(ContainerInterface $container)
        {
            $this->container = $container;
        }

        public function onKernelException(GetResponseForExceptionEvent $event)
        {
            $exception  = $event->getException();
            $templating = $this->container->get('templating');

            $response = new Response(
                $templating->render('ScatternoteBundle:Exception:error404.html.twig', array(
                    'exception' => $exception,
                )),
                404 // the body says "not found", so the status code must say so too
            );

            $event->setResponse($response);
        }
    }

From my error404.html.twig:

    {% if 'No route found for' not in exception.message
          and exception.message != 'Impossible to access an attribute ("album") on a NULL variable ("") in "ScatternoteBundle:Song:song.html.twig" at line 3'
          and 'Access Denied' not in exception.message %}
        <span style="font-size:8pt; color:grey;">Not a 404: {{ exception.message }}; Code: {{ exception.code }}</span>
        <br><br>
    {% endif %}

However, it only works when one is logged in as a user. If I'm not logged in and try to access /admin, I am redirected automatically to /login by the FOSUserBundle. I've done a lot of research, however I couldn't find any information on how to stop this from happening, or where this event is actually handled in the bundle. I would greatly appreciate any help.

EDIT: My security.yaml:

    security:
        # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512

        # http://symfony.com/doc/current/book/security.html#hierarchical-roles
        role_hierarchy:
            ROLE_ADMIN:       ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN

        # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email

        # the main part of the security, where you can set up firewalls
        # for specific sections of your app
        firewalls:
            # disables authentication for assets and the profiler, adapt it according to your needs
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false

            # the login page has to be accessible for everybody
            demo_login:
                pattern: ^/demo/secured/login$
                security: false

            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                logout: true
                anonymous: true

            # secures part of the application
            demo_secured_area:
                pattern: ^/demo/secured/
                # it's important to notice that in this case _demo_security_check and _demo_login
                # are route names and that they are specified in the AcmeDemoBundle
                form_login:
                    check_path: _demo_security_check
                    login_path: _demo_login
                logout:
                    path: _demo_logout
                    target: _demo
                #anonymous: ~
                #http_basic:
                #    realm: "Secured Demo Area"

        # with these settings you can restrict or allow access for different parts
        # of your application based on roles, ip, host or methods
        # http://symfony.com/doc/current/cookbook/security/access_control.html
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin, role: ROLE_ADMIN }
  • I can only guess that you have set firewalls in security.yaml, and those firewalls redirect unauthorized users to the login form. Commented Feb 6, 2015 at 9:54
  • Thanks, but I haven't set any firewalls in my security.yaml, it only contains the default ones. Commented Feb 6, 2015 at 9:57

1 Answer


The login page has public access, so that's normal: FOSUser redirects the user to the login form (in order to access the secured area). Also, when a user accesses a secured area a 403 exception (access denied) is thrown (not 404 not found). I think you should override the register action of FOSUser in the RegistrationController:

    use Symfony\Component\Security\Core\Exception\AccessDeniedException;

    // inside the overridden registerAction, once the submitted user has been validated
    if ($user->hasRole('ROLE_ADMIN')) {
        $this->authenticateUser($user, $response);
    } else {
        throw new AccessDeniedException('Oups !!! Access denied');
    }

6 Comments

I'm sorry, I'm not quite sure what you are aiming at. I want to stop FOSUser from redirecting me to the Login page if I try to access a secured area and am not logged in, so unlogged users are treated the same as logged users. I don't understand what that's got to do with registration.
That's what I'm saying: override the controller where FOSUser redirects you to the login page, and redirect it to another page or throw an exception.
But where is it redirecting me from /admin to /login? Certainly not in the RegistrationController. If I'm mistaken, please tell me where, because then I'm obviously too dumb to see...
In the loginAction of the SecurityController you will find renderLogin; there you can change the view (from login to a custom view) or change the route and redirect to your own route.
That would mean overriding the login action, which I don't want to do. I don't want to turn my login into a 404 page, because then nobody could log in, just delete the redirection.
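The redirect the question asks about does not live in FOSUserBundle at all. With `anonymous: true` and the `^/admin` rule in `access_control`, an unauthenticated request to /admin raises an AccessDeniedException; Symfony's security ExceptionListener (Symfony\Component\Security\Http\Firewall\ExceptionListener) sees that the token is anonymous and hands the request to the firewall's authentication entry point, which for `form_login` is the FormAuthenticationEntryPoint that redirects to `login_path`. The kernel listener from the question never runs because the security listener has already produced a response. The hook is therefore the firewall's `entry_point` option. The class below is an added example, not code from the question, the answer or FOSUserBundle; the class name, namespace, service id and constructor defaults are assumptions, while the interfaces, HttpUtils and the "No route found for" message format are Symfony's own (Symfony 2.x-era signatures, matching the setup on this page):

```php
<?php
// Added example: a firewall entry point that answers an anonymous request into
// the hidden area exactly like a missing page instead of redirecting to /login.
// Assumed: this namespace, the class name and the constructor defaults.
namespace Scatternote\ScatternoteBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Templating\EngineInterface;

class HidingEntryPoint implements AuthenticationEntryPointInterface
{
    private $httpUtils;
    private $templating;
    private $loginPath;
    private $hiddenPrefix;

    public function __construct(HttpUtils $httpUtils, EngineInterface $templating, $loginPath = '/login', $hiddenPrefix = '/admin')
    {
        $this->httpUtils    = $httpUtils;
        $this->templating   = $templating;
        $this->loginPath    = $loginPath;
        $this->hiddenPrefix = $hiddenPrefix;
    }

    /**
     * Called by Symfony's security ExceptionListener when an anonymous request
     * hits a path that access_control reserves for a role.
     */
    public function start(Request $request, AuthenticationException $authException = null)
    {
        if ($this->isHidden($request->getPathInfo())) {
            // Build the same exception the router throws for an unknown URL, so the
            // template renders the same body (and the same status) as a genuine 404.
            // A probe cannot distinguish /admin from /does-not-exist.
            $notFound = new NotFoundHttpException(
                sprintf('No route found for "%s %s"', $request->getMethod(), $request->getPathInfo())
            );

            return new Response(
                $this->templating->render('ScatternoteBundle:Exception:error404.html.twig', array(
                    'exception' => $notFound,
                )),
                404
            );
        }

        // Everywhere else keep the stock form_login behaviour: go to the login form.
        return $this->httpUtils->createRedirectResponse($request, $this->loginPath);
    }

    private function isHidden($pathInfo)
    {
        // Match the prefix as a whole path segment, so /administrator is not caught by /admin.
        $prefix = rtrim($this->hiddenPrefix, '/');

        return $pathInfo === $prefix || strpos($pathInfo, $prefix . '/') === 0;
    }
}
```

Register the class as a service (constructor arguments `@security.http_utils` and `@templating`) and point the `main` firewall at it with `entry_point: <your service id>` next to its `form_login` block; the `^/login$` and other anonymous rules in `access_control` stay as they are, so logging in still works. The logged-in non-admin case is a different path: there the token is not anonymous, the security listener rethrows the AccessDeniedException as a 403, and the kernel listener from the question (or the firewall's `access_denied_handler` option) turns it into the 404 page. Two checks worth doing after wiring it up: compare the full response for `/admin` and for a random unknown path (status line, headers, body length) with curl while logged out, since a differing Set-Cookie or Location header gives the area away; and confirm that `/admin` while logged in as a plain ROLE_USER also comes back 404 rather than 403.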
