问题是......
我将ADMIN_ROLE配置为模拟任何用户。 但我有一个SUPER_AMIN_ROLE,我可以添加新的ADMIN,并更改一些重要的应用程序。
如何阻止这些ADMIN_ROLE模拟我的帐户?
此时我被拦了......
这是我的security.yml文件:
# To get started with security, check out the documentation:
# http://symfony.com/doc/current/book/security.html
security:
encoders:
AppBundle\Entity\Cliente: bcrypt
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
our_db_provider:
entity:
class: AppBundle:Cliente
property: cpf
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login:
login_path: login
check_path: login
# activate different ways to authenticate
# http_basic: ~
# http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
# form_login: ~
# http://symfony.com/doc/current/cookbook/security/form_login_setup.html
logout:
path: /logout
target: /login
invalidate_session: true
remember_me:
secret: ~damMe~HIDDED
lifetime: ~damMe~HIDDED
path: /dashboard
switch_user: { role: ROLE_ADMIN }
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/cadastro, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/dashboard, roles: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/cliente, roles: [ IS_AUTHENTICATED_FULLY, USER_ROLE ] }
- { path: ^/indicados, roles: [ IS_AUTHENTICATED_FULLY, USER_ROLE ] }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_REGIONAL, ROLE_ALLOWED_TO_SWITCH]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
答案 0 :(得分:1)
无论你或许你可能没有,假冒背后都没有逻辑。
您可以做的是实现一个事件监听器来监听security.switch_user
。你有目标用户。您不知道该人的层次结构所分配的实际角色,因此您必须找到另一种方法来确定它们是否可能。就个人而言,我不喜欢层次结构,因为ROLES用于识别而不是授权。
在这种情况下,您可以抛出异常,但我不确定这对顺序请求的效果如何。
请查看有关此事件的the documentation。 Here您可以看到该事件包含的内容。