Weird issue here.

I have a 403 error when I try to access an endpoint of my API, whereas the user's role is correct.

Here's my route's annotation (I'm using FOSRestBundle):

/**
* @Rest\Get("home/{id}/versions", requirements={"id"="\d+"})
* @Security("has_role('ROLE_ADMIN_HOME_VIEW')")
* @Rest\View()
*/

The Symfony Profiler tells me that the route is correctly matched and that I have the requested role (here's the list of inherited roles). But an AccessDeniedHttpException exception is thrown.

Obviously, if I remove the @Security line from my annotation, everything is fine.

But the most frustrating part is that I have another similar route in the same controller that is working, with the same security requirements; here is its annotation:

/**
* @Rest\Get("/home/{locale}/{version}", requirements={"version"="\d+", "locale"="[a-z]{2}"}, defaults={"version" = null})
* @Security("has_role('ROLE_ADMIN_HOME_VIEW')")
* @Rest\View()
*/
Comments:

treyBake: Does the profiler tell you what the API user's roles are? If not, try returning the connected user's roles and see what it says; it might be different from what you're expecting.

loicb: Yes it does, I've also dumped it and it's correct. Anyway, the other route with the same requirements works well.

1 Answer


The problem is my role_hierarchy list syntax.

Here is the faulty one:

  role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN:
      ROLE_ADMIN
      ROLE_ADMIN_SPEAKER_VIEW
      ROLE_ADMIN_SPEAKER_CREATE
      ROLE_ADMIN_SPEAKER_EDIT
      ROLE_ADMIN_SPEAKER_DELETE
      ROLE_ADMIN_PAGE_VIEW
      ROLE_ADMIN_PAGE_CREATE
      ROLE_ADMIN_PAGE_EDIT
      ROLE_ADMIN_PAGE_DELETE
      ROLE_ADMIN_NEWS_VIEW
      ROLE_ADMIN_NEWS_CREATE
      ROLE_ADMIN_NEWS_EDIT
      ROLE_ADMIN_NEWS_DELETE
      ROLE_ADMIN_USER_VIEW
      ROLE_ADMIN_USER_CREATE
      ROLE_ADMIN_USER_EDIT
      ROLE_ADMIN_USER_DELETE
      ROLE_ADMIN_CONTENT_VIEW
      ROLE_ADMIN_CONTENT_CREATE
      ROLE_ADMIN_CONTENT_EDIT
      ROLE_ADMIN_CONTENT_DELETE
      ROLE_ADMIN_HOME_VIEW
      ROLE_ADMIN_HOME_CREATE
      ROLE_ADMIN_HOME_EDIT
      ROLE_ADMIN_HOME_DELETE
    ROLE_GOD: ROLE_SUPER_ADMIN

Here is the correct one:

  role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN:
      - ROLE_ADMIN
      - ROLE_ADMIN_SPEAKER_VIEW
      - ROLE_ADMIN_SPEAKER_CREATE
      - ROLE_ADMIN_SPEAKER_EDIT
      - ROLE_ADMIN_SPEAKER_DELETE
      - ROLE_ADMIN_PAGE_VIEW
      - ROLE_ADMIN_PAGE_CREATE
      - ROLE_ADMIN_PAGE_EDIT
      - ROLE_ADMIN_PAGE_DELETE
      - ROLE_ADMIN_NEWS_VIEW
      - ROLE_ADMIN_NEWS_CREATE
      - ROLE_ADMIN_NEWS_EDIT
      - ROLE_ADMIN_NEWS_DELETE
      - ROLE_ADMIN_USER_VIEW
      - ROLE_ADMIN_USER_CREATE
      - ROLE_ADMIN_USER_EDIT
      - ROLE_ADMIN_USER_DELETE
      - ROLE_ADMIN_CONTENT_VIEW
      - ROLE_ADMIN_CONTENT_CREATE
      - ROLE_ADMIN_CONTENT_EDIT
      - ROLE_ADMIN_CONTENT_DELETE
      - ROLE_ADMIN_HOME_VIEW
      - ROLE_ADMIN_HOME_CREATE
      - ROLE_ADMIN_HOME_EDIT
      - ROLE_ADMIN_HOME_DELETE
    ROLE_GOD: ROLE_SUPER_ADMIN

Too bad no error was thrown about it, though.
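Why the faulty block fails silently, as an added example that is not part of the question or the answer: in YAML, indented lines without a "- " prefix are not a list but a single multi-line plain scalar whose line breaks are folded into spaces, so ROLE_SUPER_ADMIN ends up inheriting one role whose name is the whole space-separated string, and that name never matches ROLE_ADMIN_HOME_VIEW. Symfony already accepts a bare string as a one-element list (the page's own ROLE_ADMIN: ROLE_USER line relies on that), which is why nothing complains. The script below embeds, as hand-written dict literals, what a YAML parser returns for a reduced copy of the two blocks (no YAML library is needed), resolves reachable roles the way a role hierarchy does, and adds a small lint that would have flagged the broken entry. The function names, the reduced role set and the lint rules are my own assumptions, not Symfony's API.

```python
# Added example (not code from the question or answer). Shows how the two
# role_hierarchy blocks resolve once parsed, plus a lint for the mistake.
from typing import Dict, List, Union

Hierarchy = Dict[str, Union[str, List[str]]]

# Constructed: what a YAML parser yields for a reduced copy of the faulty
# block. The un-dashed lines collapse into ONE space-joined role name.
FAULTY_HIERARCHY: Hierarchy = {
    "ROLE_ADMIN": "ROLE_USER",
    "ROLE_SUPER_ADMIN": "ROLE_ADMIN ROLE_ADMIN_SPEAKER_VIEW ROLE_ADMIN_HOME_VIEW",
    "ROLE_GOD": "ROLE_SUPER_ADMIN",
}

# Constructed: the same roles written as a proper YAML sequence ("- " items).
CORRECT_HIERARCHY: Hierarchy = {
    "ROLE_ADMIN": "ROLE_USER",
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN", "ROLE_ADMIN_SPEAKER_VIEW", "ROLE_ADMIN_HOME_VIEW"],
    "ROLE_GOD": "ROLE_SUPER_ADMIN",
}


def normalize(hierarchy: Hierarchy) -> Dict[str, List[str]]:
    """A bare string value is treated as a one-element list, which is why a
    folded scalar is accepted without any error being raised."""
    return {parent: [v] if isinstance(v, str) else list(v)
            for parent, v in hierarchy.items()}


def reachable_roles(hierarchy: Hierarchy, granted: List[str]) -> List[str]:
    """Transitive closure of the granted roles over the hierarchy (assumed
    model of how inherited roles are computed)."""
    table = normalize(hierarchy)
    reachable = list(granted)
    queue = list(granted)
    while queue:
        role = queue.pop(0)
        for child in table.get(role, []):
            if child not in reachable:
                reachable.append(child)
                queue.append(child)
    return reachable


def has_role(hierarchy: Hierarchy, granted: List[str], required: str) -> bool:
    """What a has_role() check amounts to: is the required role reachable?"""
    return required in reachable_roles(hierarchy, granted)


def lint_hierarchy(hierarchy: Hierarchy) -> List[str]:
    """Findings for child role names that can never be granted: names with
    whitespace (a list that lost its '- ' prefixes) or without the ROLE_
    prefix that role voters expect."""
    findings = []
    for parent, children in normalize(hierarchy).items():
        for child in children:
            if any(ch.isspace() for ch in child):
                findings.append(
                    f"{parent}: child contains whitespace, YAML list probably "
                    f"missing '- ' prefixes: {child!r}")
            elif not child.startswith("ROLE_"):
                findings.append(f"{parent}: child {child!r} lacks ROLE_ prefix")
    return findings


if __name__ == "__main__":
    for name, h in (("faulty", FAULTY_HIERARCHY), ("correct", CORRECT_HIERARCHY)):
        print(name, "ROLE_SUPER_ADMIN ->", reachable_roles(h, ["ROLE_SUPER_ADMIN"]))
        print(name, "has ROLE_ADMIN_HOME_VIEW:",
              has_role(h, ["ROLE_SUPER_ADMIN"], "ROLE_ADMIN_HOME_VIEW"))
        for finding in lint_hierarchy(h):
            print(name, "LINT:", finding)
```

Running it shows the faulty hierarchy granting ROLE_SUPER_ADMIN exactly one unusable inherited "role" and the lint pointing at it; such a check fits well in a CI step over security.yaml, since a hierarchy that silently grants less than intended surfaces only as 403s in production.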