如何防止Symfony ADMIN_ROLE模拟SUPER_ADMIN_ROLE?

时间:2016-06-18 03:09:09

标签: symfony impersonation

问题是......

我将ADMIN_ROLE配置为模拟任何用户。 但我有一个SUPER_AMIN_ROLE,我可以添加新的ADMIN,并更改一些重要的应用程序。

如何阻止这些ADMIN_ROLE模拟我的帐户?

此时我被拦了......

这是我的security.yml文件:

# To get started with security, check out the documentation:
# http://symfony.com/doc/current/book/security.html
security:
    encoders:
        AppBundle\Entity\Cliente: bcrypt
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        our_db_provider:
            entity:
              class: AppBundle:Cliente
              property: cpf

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            anonymous: ~
            form_login:
              login_path: login
              check_path: login
            # activate different ways to authenticate

            # http_basic: ~
            # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate

            # form_login: ~
            # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
            logout:
                path:   /logout
                target: /login
                invalidate_session: true
            remember_me:
                secret:   ~damMe~HIDDED
                lifetime: ~damMe~HIDDED
                path:     /dashboard
            switch_user: { role: ROLE_ADMIN }

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/cadastro, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/dashboard, roles: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/cliente, roles: [ IS_AUTHENTICATED_FULLY, USER_ROLE ] }
        - { path: ^/indicados, roles: [ IS_AUTHENTICATED_FULLY, USER_ROLE ] }
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER, ROLE_REGIONAL, ROLE_ALLOWED_TO_SWITCH]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

1 个答案:

答案 0 :(得分:1)

无论你或许你可能没有,假冒背后都没有逻辑。

您可以做的是实现一个事件监听器来监听security.switch_user。你有目标用户。您不知道该人的层次结构所分配的实际角色,因此您必须找到另一种方法来确定它们是否可能。就个人而言,我不喜欢层次结构,因为ROLES用于识别而不是授权。

在这种情况下,您可以抛出异常,但我不确定这对顺序请求的效果如何。

请查看有关此事件的the documentationHere您可以看到该事件包含的内容。