I have this role_hierarchy:

role_hierarchy:
    ROLE_USER: [ROLE_EDITOR, ROLE_WEBSITE]
    ROLE_ADMIN: ROLE_USER

and then

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }
Unregistered users should be able to reach the login page, admins should use the registration page (I only want admins to be able to add new users), and registered users (editor or website) should see the home page (/).

Now, if I am an EDITOR user and I protect a resource with {% if is_granted('ROLE_WEBSITE') %}, I can see the resource, but that is not what I want. In fact, in the profiler I can see:

Roles [ROLE_EDITOR, ROLE_USER]
Inherited Roles [ROLE_EDITOR, ROLE_WEBSITE]

So the editor user inherits the ROLE_WEBSITE role. How can I fix this?

Thanks, M

Full security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_USER: [ROLE_EDITOR, ROLE_WEBSITE]
        ROLE_ADMIN: ROLE_USER

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout: true
            anonymous: true
            guard:
                authenticators:
                    - app.token_authenticator

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: ROLE_ADMIN }
        - { path: ^/, role: ROLE_USER }
Answer 0 (score: 0)
1st) Log in to MySQL (i.e. mysql -u uname -p, where uname is the user; try 'root').

2nd) Run this SQL:

SELECT id, username, roles FROM fos_user;

This will display all the roles given to each user. Then you can see who has "ROLE_EDITOR" and "ROLE_WEBSITE". Then exit mysql.

Use the following (examples) to manage the particular users:

php bin/console fos:user:promote uname ROLE_EDITOR
php bin/console fos:user:demote uname ROLE_EDITOR

Then, since ROLE_EDITOR & ROLE_WEBSITE sound like they should be below ROLE_USER, I think you need this change:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: ROLE_ADMIN }
    - { path: ^/, role: [ROLE_EDITOR, ROLE_WEBSITE] }

I think that might work. Try it. If not, maybe you can filter more based on path prefixes. Hope this helps.
Answer 1 (score: 0)
role_hierarchy:
    ROLE_USER: ROLE_EDITOR
    ROLE_USER: ROLE_WEBSITE
    ROLE_ADMIN: ROLE_USER
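In Symfony's role_hierarchy, each key names a role and its value lists the roles that holders of that role additionally receive. With `ROLE_USER: [ROLE_EDITOR, ROLE_WEBSITE]` every user therefore gets ROLE_EDITOR and ROLE_WEBSITE, which is exactly what the profiler in the question shows; Answer 1 keeps ROLE_USER as the parent key, so it resolves the same way. The following is an added example (mine, not code from the question, either answer, or Symfony itself): a small Python re-implementation of the reachable-role expansion and of the first-match access_control evaluation, run over the hierarchy from the question's security.yml and over a corrected hierarchy. The corrected hierarchy, in which ROLE_EDITOR and ROLE_WEBSITE each grant ROLE_USER and ROLE_ADMIN grants all three, is my assumption about the intended design, not something the posts state.

```python
"""Re-implementation of Symfony's role_hierarchy expansion (transitive closure
over the map) and first-match access_control evaluation. Added example used to
compare the hierarchy from the question with a corrected one; not Symfony code."""
from __future__ import annotations

import re
from collections.abc import Iterable

# Same shape as the YAML: each key lists the roles its holders *also* get.
# Hierarchy from the question's security.yml:
#   role_hierarchy:
#       ROLE_USER: [ROLE_EDITOR, ROLE_WEBSITE]
#       ROLE_ADMIN: ROLE_USER
ORIGINAL: dict[str, list[str]] = {
    "ROLE_USER": ["ROLE_EDITOR", "ROLE_WEBSITE"],
    "ROLE_ADMIN": ["ROLE_USER"],
}

# Corrected hierarchy (assumed intent: editor and website accounts are kinds of
# user, and only admins may use /register). YAML equivalent:
#   role_hierarchy:
#       ROLE_EDITOR: ROLE_USER
#       ROLE_WEBSITE: ROLE_USER
#       ROLE_ADMIN: [ROLE_USER, ROLE_EDITOR, ROLE_WEBSITE]
CORRECTED: dict[str, list[str]] = {
    "ROLE_EDITOR": ["ROLE_USER"],
    "ROLE_WEBSITE": ["ROLE_USER"],
    "ROLE_ADMIN": ["ROLE_USER", "ROLE_EDITOR", "ROLE_WEBSITE"],
}

# The access_control list from the question, unchanged: (path regex, roles).
ACCESS_CONTROL: list[tuple[str, list[str]]] = [
    (r"^/login$", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/register", ["ROLE_ADMIN"]),
    (r"^/", ["ROLE_USER"]),
]


def reachable_roles(hierarchy: dict[str, list[str]], roles: Iterable[str]) -> set[str]:
    """Expand the roles stored on a user into every role the hierarchy grants,
    following the map transitively (ROLE_ADMIN -> ROLE_USER -> ...)."""
    reached: set[str] = set()
    todo = list(roles)
    while todo:
        role = todo.pop()
        if role in reached:
            continue
        reached.add(role)
        todo.extend(hierarchy.get(role, []))
    return reached


def is_granted(hierarchy: dict[str, list[str]], user_roles: Iterable[str], attribute: str) -> bool:
    """What {% if is_granted('ROLE_X') %} asks: is ROLE_X among the expanded roles?"""
    return attribute in reachable_roles(hierarchy, user_roles)


def access_allowed(hierarchy: dict[str, list[str]], rules: list[tuple[str, list[str]]],
                   path: str, user_roles: Iterable[str]) -> bool:
    """First matching access_control rule decides, as in Symfony; a rule is
    satisfied when the user holds *any* of its listed roles after expansion.
    IS_AUTHENTICATED_ANONYMOUSLY is modelled as 'everyone, including anonymous'."""
    for pattern, required in rules:
        if re.match(pattern, path):
            if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
                return True
            granted = reachable_roles(hierarchy, user_roles)
            return any(r in granted for r in required)
    return True  # no rule matched: Symfony leaves the path unrestricted


if __name__ == "__main__":
    # The editor from the profiler has ROLE_EDITOR plus the default ROLE_USER.
    editor = ["ROLE_EDITOR", "ROLE_USER"]
    print("original, editor sees ROLE_WEBSITE:", is_granted(ORIGINAL, editor, "ROLE_WEBSITE"))
    print("corrected, editor sees ROLE_WEBSITE:", is_granted(CORRECTED, editor, "ROLE_WEBSITE"))
    print("corrected, editor may open /:", access_allowed(CORRECTED, ACCESS_CONTROL, "/", editor))
    print("corrected, editor may open /register:",
          access_allowed(CORRECTED, ACCESS_CONTROL, "/register", editor))
```

Running the script shows the original hierarchy granting ROLE_WEBSITE to the editor and the corrected one refusing it, while the editor still passes the `^/` rule because ROLE_USER is reachable from ROLE_EDITOR. Note that the access_control rules are evaluated top down and only the first match counts, so the `^/` catch-all must stay last.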