I'm trying to learn the Symfony roles and security. My current security.yml file looks like this:
    role_hierarchy:
        ROLE_USER: ROLE_DO_ALMOST_NOTHING
        ROLE_EDITOR: [ ROLE_USER, ROLE_ALLOWED_TO_EDIT ]
        ROLE_CONTRIBUTOR: [ ROLE_EDITOR, ROLE_ALLOWED_TO_CONTRIBUTE ]
        ROLE_ADMIN: [ ROLE_CONTRIBUTOR ]
        ROLE_SUPER_ADMIN: [ ROLE_ADMIN, ROLE_ALLOWED_TO_DO_ANY_THING ]

    access_control:
        - { path: ^/admin, roles: ROLE_USER }
        - { path: ^/admin/editor, roles: ROLE_ADMIN }
        - { path: ^/editor, roles: ROLE_EDITOR }
        - { path: ^/contributor, roles: ROLE_CONTRIBUTOR }
        - { path: ^/super, roles: ROLE_SUPER_ADMIN }
And I'm using this setup for my users:
    providers:
        in_memory:
            memory:
                users:
                    person:
                        password: password!
                        roles: 'ROLE_USER'
                    admin:
                        password: password2
                        roles: 'ROLE_ADMIN'
Here is my problem. I've been messing around with the access_control portion of security; however, the path ^/admin/editor with the roles marked as ROLE_ADMIN will allow the user person to access the route even though the person user doesn't have the role ROLE_ADMIN. I was wondering if this is because the route itself is shared by the same controller as the ^/admin route? Or does someone see where I might have gone wrong with the code, since the user person can access a route that they shouldn't?
The other routes:

    - { path: ^/editor, roles: ROLE_EDITOR }
    - { path: ^/contributor, roles: ROLE_CONTRIBUTOR }
    - { path: ^/super, roles: ROLE_SUPER_ADMIN }

work as expected.
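The behaviour in the question comes from how Symfony evaluates access_control: the rules are checked top to bottom and the first rule whose path regex matches the request is the only one applied, and the user's roles are expanded through role_hierarchy before the required role is checked. The Python below is an added simulation of that evaluation written for this post (it is not Symfony's own code and does not load a security.yml); it encodes the role_hierarchy and access_control from the question as plain data, then evaluates the posted rule order next to a reordered copy in which the more specific ^/admin/editor rule is listed before ^/admin. Regex matching with re.search mirrors the unanchored-at-the-end preg_match that Symfony's request matcher applies to the path.

```python
"""Simulation of Symfony access_control first-match evaluation and
role_hierarchy expansion. Constructed for illustration; not Symfony code."""
import re

# Role hierarchy as given in the question's security.yml.
ROLE_HIERARCHY = {
    "ROLE_USER": ["ROLE_DO_ALMOST_NOTHING"],
    "ROLE_EDITOR": ["ROLE_USER", "ROLE_ALLOWED_TO_EDIT"],
    "ROLE_CONTRIBUTOR": ["ROLE_EDITOR", "ROLE_ALLOWED_TO_CONTRIBUTE"],
    "ROLE_ADMIN": ["ROLE_CONTRIBUTOR"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN", "ROLE_ALLOWED_TO_DO_ANY_THING"],
}

# access_control exactly as posted: the broad ^/admin rule precedes ^/admin/editor.
ACCESS_CONTROL_AS_POSTED = [
    ("^/admin", "ROLE_USER"),
    ("^/admin/editor", "ROLE_ADMIN"),
    ("^/editor", "ROLE_EDITOR"),
    ("^/contributor", "ROLE_CONTRIBUTOR"),
    ("^/super", "ROLE_SUPER_ADMIN"),
]

# The same rules with the more specific path listed first (assumed fix to compare against).
ACCESS_CONTROL_REORDERED = [
    ("^/admin/editor", "ROLE_ADMIN"),
    ("^/admin", "ROLE_USER"),
    ("^/editor", "ROLE_EDITOR"),
    ("^/contributor", "ROLE_CONTRIBUTOR"),
    ("^/super", "ROLE_SUPER_ADMIN"),
]


def reachable_roles(roles):
    """Expand a user's roles through ROLE_HIERARCHY (transitive closure)."""
    result = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(ROLE_HIERARCHY.get(role, []))
    return result


def matching_rule(access_control, path):
    """Return the first (pattern, required_role) whose regex matches path, or None.
    Later rules are never consulted once one matches, as in Symfony."""
    for pattern, required_role in access_control:
        if re.search(pattern, path):
            return pattern, required_role
    return None


def is_granted(access_control, user_roles, path):
    """True if the user may reach path under these rules. A path matched by
    no rule is left to the firewall and treated as allowed here."""
    rule = matching_rule(access_control, path)
    if rule is None:
        return True
    _, required_role = rule
    return required_role in reachable_roles(user_roles)


def explain(access_control, user_roles, path):
    """Human-readable trace of which rule decided the request."""
    rule = matching_rule(access_control, path)
    verdict = "allowed" if is_granted(access_control, user_roles, path) else "denied"
    return f"{path} for {sorted(user_roles)}: matched {rule} -> {verdict}"


if __name__ == "__main__":
    person = ["ROLE_USER"]
    admin = ["ROLE_ADMIN"]
    print("as posted:")
    print(" ", explain(ACCESS_CONTROL_AS_POSTED, person, "/admin/editor"))
    print(" ", explain(ACCESS_CONTROL_AS_POSTED, person, "/editor"))
    print("reordered:")
    print(" ", explain(ACCESS_CONTROL_REORDERED, person, "/admin/editor"))
    print(" ", explain(ACCESS_CONTROL_REORDERED, admin, "/admin/editor"))
```

Running it shows that with the posted order, /admin/editor is decided by the ^/admin rule (required role ROLE_USER), so person is allowed and the ROLE_ADMIN rule is never reached; with the specific rule moved above the broad one, person is denied and admin is allowed. The same first-match property is why ^/editor, ^/contributor and ^/super behave as expected: no earlier rule matches those paths. When reviewing an access_control list, order entries from most specific to most general, or tighten the broad pattern (for example to match only the exact admin landing page) so that a later, stricter rule cannot be shadowed.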