@@ -682,6 +682,11 @@ see :doc:`/cookbook/security/form_login`.
682682 for different firewalls. But usually for most applications, having one
683683 main firewall is enough.
684684
685+ **5. Routing error pages are not covered by firewalls **
686+
687+ As Routing is done *before * security, Routing error pages are not covered
688+ by any firewall.
689+
685690Authorization
686691-------------
687692
@@ -1005,73 +1010,6 @@ the user will be redirected to ``https``:
10051010 ),
10061011 ),
10071012
1008- book-security-securing-controller :
1009-
1010- Securing a Controller
1011- ~~~~~~~~~~~~~~~~~~~~~
1012-
1013- Protecting your application based on URL patterns is easy, but may not be
1014- fine-grained enough in certain cases. When necessary, you can easily force
1015- authorization from inside a controller::
1016-
1017- // ...
1018- use Symfony\Component\Security\Core\Exception\AccessDeniedException;
1019-
1020- public function helloAction($name)
1021- {
1022- if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
1023- throw new AccessDeniedException();
1024- }
1025-
1026- // ...
1027- }
1028-
1029- .. _book-security-securing-controller-annotations :
1030-
1031- You can also choose to install and use the optional JMSSecurityExtraBundle,
1032- which can secure your controller using annotations::
1033-
1034- // ...
1035- use JMS\SecurityExtraBundle\Annotation\Secure;
1036-
1037- /**
1038- * @Secure(roles="ROLE_ADMIN")
1039- */
1040- public function helloAction($name)
1041- {
1042- // ...
1043- }
1044-
1045- For more information, see the `JMSSecurityExtraBundle `_ documentation.
1046-
1047- Securing other Services
1048- ~~~~~~~~~~~~~~~~~~~~~~~
1049-
1050- In fact, anything in Symfony can be protected using a strategy similar to
1051- the one seen in the previous section. For example, suppose you have a service
1052- (i.e. a PHP class) whose job is to send emails from one user to another.
1053- You can restrict use of this class - no matter where it's being used from -
1054- to users that have a specific role.
1055-
1056- For more information on how you can use the Security component to secure
1057- different services and methods in your application, see:doc: `/cookbook/security/securing_services `.
1058-
1059- Access Control Lists (ACLs): Securing Individual Database Objects
1060- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1061-
1062- Imagine you are designing a blog system where your users can comment on your
1063- posts. Now, you want a user to be able to edit their own comments, but not
1064- those of other users. Also, as the admin user, you yourself want to be able
1065- to edit *all * comments.
1066-
1067- The Security component comes with an optional access control list (ACL) system
1068- that you can use when you need to control access to individual instances
1069- of an object in your system. *Without * ACL, you can secure your system so that
1070- only certain users can edit blog comments in general. But *with * ACL, you
1071- can restrict or allow access on a comment-by-comment basis.
1072-
1073- For more information, see the cookbook article::doc: `/cookbook/security/acl `.
1074-
10751013
10761014-----
10771015
@@ -1668,6 +1606,111 @@ In the above configuration, users with ``ROLE_ADMIN`` role will also have the
16681606``ROLE_USER `` role. The ``ROLE_SUPER_ADMIN `` role has ``ROLE_ADMIN ``, ``ROLE_ALLOWED_TO_SWITCH ``
16691607and ``ROLE_USER `` (inherited from ``ROLE_ADMIN ``).
16701608
1609+ Access Control
1610+ --------------
1611+
1612+ Now that you have Users and Roles, you can go further than URL patterns based authorization.
1613+
1614+ .. _book-security-securing-controller :
1615+
1616+ Access Control in Controllers
1617+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1618+
1619+ Protecting your application based on URL patterns is easy, but may not be
1620+ fine-grained enough in certain cases. When necessary, you can easily force
1621+ authorization from inside a controller::
1622+
1623+ // ...
1624+ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
1625+
1626+ public function helloAction($name)
1627+ {
1628+ if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
1629+ throw new AccessDeniedException();
1630+ }
1631+
1632+ // ...
1633+ }
1634+
1635+ ..caution ::
1636+
1637+ A firewall must be active or an exception will be thrown when the ``isGranted() ``
1638+ method is called. It's almost always a good idea to have a main firewall that
1639+ covers all URLs (as it has been shown in this chapter).
1640+
1641+ .. _book-security-securing-controller-annotations :
1642+
1643+ You can also choose to install and use the optional `JMSSecurityExtraBundle `_,
1644+ which can secure your controller using annotations::
1645+
1646+ // ...
1647+ use JMS\SecurityExtraBundle\Annotation\Secure;
1648+
1649+ /**
1650+ * @Secure(roles="ROLE_ADMIN")
1651+ */
1652+ public function helloAction($name)
1653+ {
1654+ // ...
1655+ }
1656+
1657+ Access Control in Other Services
1658+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1659+
1660+ In fact, anything in Symfony can be protected using a strategy similar to
1661+ the one seen in the previous section. For example, suppose you have a service
1662+ (i.e. a PHP class) whose job is to send emails from one user to another.
1663+ You can restrict use of this class - no matter where it's being used from -
1664+ to users that have a specific role.
1665+
1666+ For more information on how you can use the Security component to secure
1667+ different services and methods in your application, see:doc: `/cookbook/security/securing_services `.
1668+
1669+ .. _book-security-template :
1670+
1671+ Access Control in Templates
1672+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
1673+
1674+ If you want to check if the current user has a role inside a template, use
1675+ the built-in helper function:
1676+
1677+ ..configuration-block ::
1678+
1679+ ..code-block ::html+jinja
1680+
1681+ {% if is_granted('ROLE_ADMIN') %}
1682+ <a href="...">Delete</a>
1683+ {% endif %}
1684+
1685+ ..code-block ::html+php
1686+
1687+ <?php if ($view['security']->isGranted('ROLE_ADMIN')): ?>
1688+ <a href="...">Delete</a>
1689+ <?php endif; ?>
1690+
1691+ ..note ::
1692+
1693+ If you use this function and are *not * at a URL behind a firewall
1694+ active, an exception will be thrown. Again, it's almost always a good
1695+ idea to have a main firewall that covers all URLs (as has been shown
1696+ in this chapter).
1697+
1698+ Access Control Lists (ACLs): Securing Individual Database Objects
1699+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1700+
1701+ Imagine you are designing a blog system where your users can comment on your
1702+ posts. Now, you want a user to be able to edit their own comments, but not
1703+ those of other users. Also, as the admin user, you yourself want to be able
1704+ to edit *all * comments.
1705+
1706+ The Security component comes with an optional access control list (ACL) system
1707+ that you can use when you need to control access to individual instances
1708+ of an object in your system. *Without * ACL, you can secure your system so that
1709+ only certain users can edit blog comments in general. But *with * ACL, you
1710+ can restrict or allow access on a comment-by-comment basis.
1711+
1712+ For more information, see the cookbook article::doc: `/cookbook/security/acl `.
1713+
16711714Logging Out
16721715-----------
16731716
@@ -1779,58 +1822,6 @@ is defined by the ``target`` parameter above (e.g. the ``homepage``). For
17791822more information on configuring the logout, see the
17801823:doc: `Security Configuration Reference </reference/configuration/security >`.
17811824
1782- .. _book-security-template :
1783-
1784- Access Control in Templates
1785- ---------------------------
1786-
1787- If you want to check if the current user has a role inside a template, use
1788- the built-in helper function:
1789-
1790- ..configuration-block ::
1791-
1792- ..code-block ::html+jinja
1793-
1794- {% if is_granted('ROLE_ADMIN') %}
1795- <a href="...">Delete</a>
1796- {% endif %}
1797-
1798- ..code-block ::html+php
1799-
1800- <?php if ($view['security']->isGranted('ROLE_ADMIN')): ?>
1801- <a href="...">Delete</a>
1802- <?php endif; ?>
1803-
1804- ..note ::
1805-
1806- If you use this function and are *not * at a URL where there is a firewall
1807- active, an exception will be thrown. Again, it's almost always a good
1808- idea to have a main firewall that covers all URLs (as has been shown
1809- in this chapter).
1810-
1811- Access Control in Controllers
1812- -----------------------------
1813-
1814- If you want to check if the current user has a role in your controller, use
1815- the:method: `Symfony\\ Component\\ Security\\ Core\\ SecurityContext::isGranted `
1816- method of the security context::
1817-
1818- public function indexAction()
1819- {
1820- // show different content to admin users
1821- if ($this->get('security.context')->isGranted('ROLE_ADMIN')) {
1822- // ... load admin content here
1823- }
1824-
1825- // ... load other regular content here
1826- }
1827-
1828- ..note ::
1829-
1830- A firewall must be active or an exception will be thrown when the ``isGranted ``
1831- method is called. See the note above about templates for more details.
1832-
1833-
18341825Stateless Authentication
18351826------------------------
18361827