1
votes

I'm trying to use ACLs, and as suggested I switched the security strategy to unanimous.

Since then, several URLs no longer authorize my user to access them.
However, it should, according to my firewall configuration (I'm able to control this with the default strategy).

I understand that unanimous strategy denies access if at least one voter doesn't grant.

So the question is:

For a given request in case of denied access,
how can I know which voters are involved, in order to find which one is denying access?


3 Answers

3
votes

I had the same issue since switching the access_decision_manager strategy to unanimous. Since Symfony 2.4, expressions are built in by default, and I used them to solve the issue.

For my access control to use multiple roles I had:

access_control:
    - { path: ^/, roles: [ROLE_ADMIN, ROLE_MANAGER, ROLE_EDITOR] }

After changing to:

access_control:
    - { path: ^/, allow_if: "has_role('ROLE_ADMIN') or has_role('ROLE_MANAGER') or has_role('ROLE_EDITOR')" }

That solved the unanimous issue; hope it helps you or anyone out there.

0
votes

I was not able to find a way to see the involved voters in case of denied access, but:

I finally found what was being denied: with the unanimous strategy, when your security/access_control defines routes against multiple roles, your user must be granted all of them to have access. It is logical actually...

That does not answer the question, but I think it is good to keep in mind when using the unanimous security strategy.

0
votes

For your question: how to know which are the involved voters in order to know which one is denying access?

The answer: You should search for the tag name "security.voter" in your services. All security voters are registered that way. All these voters are always used.

For the part of: For a given request in case of denied access,

The answer:

As each request has a different approach to the security voters, based on a token, it is almost impossible to see which voter denied you access without debugging. Use a tool like Xdebug to see the flow of the voters if you really want to know.

You could write a unit test for your code to see if it is accessible at the time of a certain request, though.
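To make both points above concrete (the second answer's observation that unanimous requires every listed role, and the third answer's point that you need a trace to see which voter denied), here is an added stand-alone simulation, not code from the original answers or from Symfony itself. It mirrors how Symfony's AccessDecisionManager applies the unanimous strategy (each attribute is voted on separately) with a simplified RoleVoter and a per-vote trace; the function names and the sample roles are constructed for illustration.

```php
<?php
// Added example: simulation of Symfony's "unanimous" access decision strategy
// with a per-vote trace, so the denying voter and attribute become visible.
// The voter and token are simplified stand-ins, not Symfony's own classes.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// Simplified RoleVoter: grants if the token holds ANY requested role,
// denies otherwise, and abstains when no attribute looks like a role.
function roleVoter(array $tokenRoles, array $attributes): int
{
    $result = ACCESS_ABSTAIN;
    foreach ($attributes as $attribute) {
        if (strpos($attribute, 'ROLE_') !== 0) {
            continue;
        }
        $result = ACCESS_DENIED;
        if (in_array($attribute, $tokenRoles, true)) {
            return ACCESS_GRANTED;
        }
    }
    return $result;
}

// "unanimous": every voter is asked about EVERY attribute on its own, and a
// single denial ends the decision. A roles list such as
// [ROLE_ADMIN, ROLE_MANAGER] therefore requires the token to hold all roles.
function decideUnanimous(array $voters, array $tokenRoles, array $attributes, array &$trace): bool
{
    $grant = 0;
    foreach ($voters as $name => $voter) {
        foreach ($attributes as $attribute) {
            $vote = $voter($tokenRoles, [$attribute]);
            $trace[] = sprintf('%s voted %d on %s', $name, $vote, $attribute);
            if ($vote === ACCESS_DENIED) {
                return false;   // first denial wins; trace shows who denied
            }
            if ($vote === ACCESS_GRANTED) {
                $grant++;
            }
        }
    }
    return $grant > 0;  // all-abstain is denied, like Symfony's default
}

$trace = [];
$ok = decideUnanimous(['RoleVoter' => 'roleVoter'], ['ROLE_ADMIN'], ['ROLE_ADMIN', 'ROLE_MANAGER'], $trace);
echo ($ok ? 'granted' : 'denied'), "\n", implode("\n", $trace), "\n";
```

Running it shows the user holding only ROLE_ADMIN is denied on the ROLE_MANAGER vote, which is exactly the denial the question asks how to locate; in a real application the same trace can be obtained by decorating the access decision manager and logging each vote.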