Yes, I know there's Voter tutorial in cookbook. But I'm looking for something slightly different. I need two different layers of blacklisting:
- deny certain IP to access whole site
- deny certain IP to log in
I wrote Voter that checks if user's IP is in database. For first scenario, I wrote a kernel listener that checks every request and throws 403 in case it encounters banned user:
if (VoterInterface::ACCESS_DENIED === $this->voter->vote($token, $this, array())) {
throw new AccessDeniedHttpException('Blacklisted, punk!');
}
First problem lies in VoterInterface
itself, which forces me to use TokenInterface $token
, which I don't really need in this case. But that doesn't matter that much I guess. Next thing is that I actually had to use AccessDeniedHttpException
as AccessDeniedException
always tries to redirect me to login page and causes endless redirect loop in this case. I'd live with it as it works just fine in dev
environment, but when I switch to prod
I keep getting 503 with following in prod log:
[2011-11-21 20:54:04] security.INFO: Populated SecurityContext with an anonymous Token [] []
[2011-11-21 20:54:04] request.ERROR: Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: Blacklisted, punk! (uncaught exception) at xxx line 28 [] []
[2011-11-21 20:54:04] request.ERROR: Exception thrown when handling an exception (Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: Blacklisted, punk!) [] []
From what I've read, it might be problem with xdebug, but it happens even when I turn it off. I also tried vanilla \Exception
and it does the same thing. Anyone have any idea why it happens? Or maybe some other solution for such blacklisting case.
Also, I've no idea how to solve second case as I don't know how to stop user before he gets token assigned. My current solution is dealing with InteractiveLoginEvent, checking if user is blacklisted and if so, removing his token. It doesn't seem to be a safe one and I'm not really comfortable with it. So, any idea how to solve this one? I guess I'm just missing some obvious "pre login event".