Symfony2 - set security access_control to allow anonymous authentication only

Let's say I have my access_control block under security.yml:

access_control:
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/reset-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }

In this case, everyone can enter the homepage and reset-password pages. But I would like to allow these pages only for anonymous users. Fully authenticated users must receive a 403 access denied error or a 404 page not found.

According to the documentation, with allow_if I should be able to create role expressions to define access. But if I do it like this:

access_control:
    - { path: ^/reset-password, allow_if: "has_role('IS_AUTHENTICATED_ANONYMOUSLY') and not has_role('IS_AUTHENTICATED_FULLY')" }

Now, following the idea, fully authorized users (login) should not have access to the page, and anonymous authentication should have access, but, unfortunately, none of the users can access it ...

Any ideas what I am missing?

UPDATE

This made it work, as suggested below, with the correct answer:

- { path: ^/reset-password, allow_if: "is_anonymous() and !is_authenticated()" }
+4
1 answer

Are you sure you can check IS_* with has_role()? They act as roles, but they are not roles. Perhaps that is why it always returns false:

Instead, try is_anonymous() and is_authenticated() in allow_if.

+5
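
The difference the answer points to, as an added example that is not part of the original question or answer and is not Symfony source code: a simplified plain-PHP model in which has_role() is a membership test over the role strings stored on the token, while is_anonymous() and is_authenticated() ask what kind of token it is. The Token class, the model* function names and the sample visitors are hypothetical, and the empty role list on the anonymous token is an assumption of the model.

```php
<?php
// Simplified model, not Symfony code. All names are hypothetical.

class Token
{
    public $roles;      // role strings stored on the token, e.g. ROLE_USER
    public $anonymous;  // true when the visitor has not logged in

    public function __construct(array $roles, $anonymous)
    {
        $this->roles = $roles;
        $this->anonymous = (bool) $anonymous;
    }
}

// has_role(): plain membership test against the token's role list.
// IS_AUTHENTICATED_* strings are never stored there, so this is always false for them.
function modelHasRole(Token $t, $role)
{
    return in_array($role, $t->roles, true);
}

// is_anonymous() / is_authenticated(): look at the token's kind, not its roles.
function modelIsAnonymous(Token $t) { return $t->anonymous; }
function modelIsAuthenticated(Token $t) { return !$t->anonymous; }

// allow_if expression from the question.
function ruleFromQuestion(Token $t)
{
    return modelHasRole($t, 'IS_AUTHENTICATED_ANONYMOUSLY')
        && !modelHasRole($t, 'IS_AUTHENTICATED_FULLY');
}

// allow_if expression from the UPDATE.
function ruleFromUpdate(Token $t)
{
    return modelIsAnonymous($t) && !modelIsAuthenticated($t);
}

// Constructed sample visitors.
$visitors = array(
    'anonymous' => new Token(array(), true),
    'logged in' => new Token(array('ROLE_USER'), false),
);
foreach ($visitors as $label => $token) {
    printf("%-10s question rule: %-5s  update rule: %s\n", $label,
        var_export(ruleFromQuestion($token), true),
        var_export(ruleFromUpdate($token), true));
}
```

In this model the first half of the question's expression is false for every visitor, which matches the symptom that nobody could reach the page, while the rule from the UPDATE admits only the anonymous visitor.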

Source: https://habr.com/ru/post/1657368/

