2
votes

I'm trying to configure some security in an application developed on Symfony 1.4 with sfGuardPlugin 5.0.0.

The requirements say that the admin user can do everything and the viewer can only list and see the records.

This is the security.yml that I'm using in the config directory of the module:

index:
    is_secure: true
    credentials: [[ admin, viewer ]]

show:
    is_secure: true
    credentials: [[ admin, viewer ]]

all:
    is_secure: true
    credentials: [ admin ]

But I don't know why, when I try to perform one of the actions allowed for the viewer, it stops with the message "Not allowed".

Here is the stack trace:

1    sfPatternRouting   Connect sfRoute "sf_guard_signin" (/guard/login)
2    sfPatternRouting   Connect sfRoute "sf_guard_signout" (/guard/logout)
3    sfPatternRouting   Match route "homepage" (/) for / with parameters array ( 'module' => 'strain', 'action' => 'index',)
4    sfFilterChain  Executing filter "sfRenderingFilter"
5    sfFilterChain  Executing filter "sfBasicSecurityFilter"
6    Doctrine_Connection_Mysql  exec : SET NAMES 'UTF8' - ()
7    Doctrine_Connection_Statement  execute : SELECT s.id AS s__id, s.first_name AS s__first_name, s.last_name AS s__last_name, s.email_address AS s__email_address, s.username AS s__username, s.algorithm AS s__algorithm, s.salt AS s__salt, s.password AS s__password, s.is_active AS s__is_active, s.is_super_admin AS s__is_super_admin, s.last_login AS s__last_login, s.avatar AS s__avatar, s.token AS s__token, s.notify_new_order AS s__notify_new_order, s.notify_ready_order AS s__notify_ready_order, s.initials AS s__initials, s.created_at AS s__created_at, s.updated_at AS s__updated_at FROM sf_guard_user s WHERE (s.id = ?) LIMIT 1 - (25)
8    sfBasicSecurityFilter  Action "strain/index" requires credentials "[admin, viewer]", forwarding to "sfGuardAuth/secure"
9    sfFilterChain  Executing filter "sfRenderingFilter"
10   sfFilterChain  Executing filter "InboxFilter"
11   Doctrine_Connection_Statement  execute : DELETE FROM notification WHERE (status = ? AND updated_at < ?) - (2, 2012-05-19 14:21:05)
12   sfFilterChain  Executing filter "sfExecutionFilter"
13   sfGuardAuthActions Call "sfGuardAuthActions->executeSecure()"
14   sfPHPView  Render "sf_app_dir/modules/sfGuardAuth/templates/secureSuccess.php"
15   main   Call "sfGuardAuth->executeSignin_form()"
16   sfPartialView  Render "sf_app_dir/modules/sfGuardAuth/templates/_signin_form.php"
17   main   Set slot "error_message"
18   sfPHPView  Decorate content with "sf_app_dir/templates/login.php"
19   sfPHPView  Render "sf_app_dir/templates/login.php"
20   main   Get slot "error_message"
21   sfWebResponse  Send status "HTTP/1.1 403 Forbidden"
22   sfWebResponse  Send header "Content-Type: text/html; charset=utf-8"

Any clue?

2
Could you add the stack trace to the message (to see which module/action is called)? – j0k
I have edited the message to add the stack trace. – graffiacane
Debug toolbar => Config => Globals => session => symfony/user/sfUser/credentials: ['?']. Try to view the credentials with other actions, to see whether it is already set or not. Is it viewer, admin or blank? – Sanjay
sfBasicSecurityFilter checks for [admin, viewer] credentials (admin AND viewer), not for [[admin, viewer]] (admin OR viewer). Have you cleared your cache with ./symfony cc? – Visavì

2 Answers

1
votes

Finally I found the problem: it was not that the application was asking for the two credentials; the issue was that Symfony was looking at the permissions table, and I was using the group.

Thanks a lot for all your answers.

0
votes

According to the stack trace, the user needs to have both the admin and viewer credentials.

If it wasn't the case, the error should be (note the [[ & ]]):

Action "strain/index" requires credentials "[[admin, viewer]]", forwarding to "sfGuardAuth/secure"

Re-check your security.yml or paste the full file in your question.
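The AND/OR rule that both the last comment on the question and this answer rely on, shown as an added example (it is not part of the original question or answers, and it is not code from symfony or sfGuardPlugin). The class below re-implements the nesting rule that sfBasicSecurityUser::hasCredential() applies to the `credentials:` value of security.yml (a top-level list is ANDed, and each level of nesting flips between AND and OR), then evaluates the three rules from the asker's security.yml and the flat `[admin, viewer]` form logged in the trace against two constructed users, one holding only `viewer` and one holding only `admin`. The class name, the two credential sets and the PHP array literals standing in for the YAML are assumptions made for illustration; only the action names and credential names come from the page.

```php
<?php
// Added example, not code from the question or from symfony/sfGuardPlugin.
// Stand-alone re-implementation of the AND/OR evaluation that
// sfBasicSecurityUser::hasCredential() performs on a security.yml
// `credentials:` value, so the two spellings on this page can be compared.

final class CredentialCheck
{
    /** @var string[] credentials the signed-in user actually holds (constructed) */
    private $held;

    public function __construct(array $held)
    {
        $this->held = $held;
    }

    /**
     * Same rule as symfony 1.4: a plain string is one credential; an array is
     * ANDed at the top level, and every level of nesting switches the mode,
     * so [admin, viewer] means admin AND viewer while [[admin, viewer]]
     * means admin OR viewer.
     */
    public function has($credentials, bool $useAnd = true): bool
    {
        if (!is_array($credentials)) {
            return in_array($credentials, $this->held, true);
        }

        $test = false;
        foreach ($credentials as $credential) {
            // recurse with the AND/OR mode switched for the inner level
            $test = $this->has($credential, !$useAnd);
            if ($useAnd) {
                $test = !$test; // in AND mode, a single failure settles it
            }
            if ($test) {
                break; // passed one in OR mode, or failed one in AND mode
            }
        }

        // in AND mode we succeeded only if no credential failed
        return $useAnd ? !$test : $test;
    }
}

// The three rules from the module's security.yml, as the PHP arrays the
// YAML parser produces for them (assumed literal forms, for illustration).
$rules = [
    'index' => [['admin', 'viewer']], // credentials: [[ admin, viewer ]] -> admin OR viewer
    'show'  => [['admin', 'viewer']],
    'all'   => ['admin'],             // credentials: [ admin ]           -> admin
];
// The flat form the filter reported in the trace ("[admin, viewer]").
$fromTrace = ['admin', 'viewer'];     // admin AND viewer

// Constructed users for the comparison.
$users = [
    'viewer-only' => new CredentialCheck(['viewer']),
    'admin-only'  => new CredentialCheck(['admin']),
];

foreach ($users as $label => $user) {
    foreach ($rules as $action => $required) {
        printf("%-11s %-5s %s\n", $label, $action,
            $user->has($required) ? 'allowed' : 'denied');
    }
    printf("%-11s %-5s %s  (flat [admin, viewer] form from the trace)\n",
        $label, 'index', $user->has($fromTrace) ? 'allowed' : 'denied');
}
```

Run it with `php credentials.php`. A viewer-only user passes the `[[ admin, viewer ]]` rules for `index` and `show`, is denied on `all`, and is denied by the flat `[admin, viewer]` form that the trace shows the filter evaluating; an admin-only user passes all three rules from the file but is also denied by the flat form, since that form requires both credentials at once. The filter can only test what the user actually holds, so the debug toolbar check suggested in the comments (the `symfony/user/sfUser/credentials` entry in the session) is the right companion to this comparison: it tells you which side of the check, the rule or the credential set, is not what you expect.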