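security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # NOTE(review): no firewall in this file references `in_memory` or
        # `entity_provider`. Confirm nothing else (services, tests) does before
        # removing them; every configured provider is one more way to resolve
        # a user, so dead providers are best deleted.
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider
    firewalls:
        # Dev tooling and static assets: the security system is bypassed
        # entirely. Keep real application routes out of these prefixes.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        ## API WITH JWT AUTH (login/password) - kept for reference, disabled
        # login:
        #     pattern:  ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path:               /api/login_check
        #         success_handler:          lexik_jwt_authentication.handler.authentication_success
        #         failure_handler:          lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern:  ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator
        # Firewalls are matched in order: `api` must stay above `main`, whose
        # `^/` pattern would otherwise capture /api as well.
        api:
            # `^/api` (no trailing slash) also matches any route whose path
            # merely starts with "api"; the JWT variant above used `^/api/`.
            pattern:  ^/api
            # No session: every request must carry its own API key.
            stateless: true
            # Anonymous access is allowed so the API documentation is reachable
            # without a key. Every other /api route must therefore enforce
            # ROLE_API itself, or the `^/api` access_control rule below must be
            # enabled. Set to false to require a key for everything under /api.
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                # The login form is CSRF-protected.
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
                # Explicit (it is the Symfony default): destroy the server-side
                # session on logout so the old session id cannot be reused.
                invalidate_session: true
            # Required so the login page itself is reachable behind this firewall.
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                provider: fos_userbundle
                entry_point: App\Security\LoginAuthenticator
            remember_me:
                secret:         "%kernel.secret%"
                # 7 days, in seconds.
                lifetime:       604800
                path:           /
                domain:         ~
                user_provider:  fos_userbundle
                # Every successful login receives the persistent cookie whether
                # or not the user asked for it, so on a shared device the
                # account stays logged in for the full lifetime. Set to false
                # to make it opt-in through the form checkbox.
                always_remember_me: true
                name: KOHINOSREMEMBERME
                # Cookie hardening: HTTPS-only, not readable from JavaScript,
                # never sent on cross-site requests. `httponly` is the default,
                # spelled out so a later edit does not silently lose it.
                secure: true
                httponly: true
                samesite: strict
            context: mlc_context
            # Impersonation. Only users holding ROLE_ALLOWED_TO_SWITCH (granted
            # to ROLE_SUPER_ADMIN in role_hierarchy) may switch; `role` is the
            # default, written out so the gate is visible here.
            switch_user:
                provider: fos_userbundle
                role: ROLE_ALLOWED_TO_SWITCH
            access_denied_handler: App\Security\AccessDeniedHandler
            user_checker: App\Security\UserChecker

    encoders:
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium / Bcrypt when available).
            algorithm: auto

    role_hierarchy:
        ROLE_API:               ROLE_USER
        ROLE_ADHERENT:          ROLE_USER
        ROLE_PRESTATAIRE:       ROLE_USER
        ROLE_CAISSIER:          ROLE_USER
        # Every role below inherits ROLE_ADMIN and therefore passes the
        # `^/admin/` access_control gate; finer restrictions between these
        # roles must be enforced elsewhere (presumably per Sonata admin).
        ROLE_ADMIN_SIEGE:       [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR:         [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER:         [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR:        [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE:    [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR:          [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT:           [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN:             [ROLE_USER, ROLE_SONATA_ADMIN]
        # Remove ROLE_ALLOWED_TO_SWITCH to disable user impersonation for
        # super admins (see switch_user above).
        ROLE_SUPER_ADMIN:       [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        #
        # @TODO: tighten access control. The final `^/.*` rule grants anonymous
        # access to everything not matched above, so this list is
        # allow-by-default: any route not listed here is reachable without
        # login unless its controller performs its own authorization check.
        # A deny-by-default list (catch-all ROLE_USER, explicit anonymous
        # exceptions) is the safer shape.
        #
        # Admin login page needs to be accessed without credential
        # (commented rules kept for reference)
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Personal-data export: super admins only, same channel rule as the
        # rest of the site (it was the only rule without one).
        - { path: ^/gdpr/, role: [ROLE_SUPER_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        # `requires_channel` only forces HTTPS when SECURE_SCHEME is "https" in
        # the environment; any other value silently disables the redirect, so
        # verify the production value.
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # KOHINOS: self-registration through FOSUserBundle is disabled; only an
        # admin may reach /register (and anything starting with it).
        - { path: ^/register, role: ROLE_ADMIN, requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # Secured part of the site: the admin area requires ROLE_ADMIN.
        # NOTE(review): `^/admin/` does not match a bare "/admin"; that path
        # falls through to the anonymous catch-all. Harmless if it only
        # redirects, but confirm. Change these rules to adapt them to your needs.
        - { path: ^/admin/, role: [ROLE_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        # Uncomment to require an API key for every /api route (API doc included).
        # - { path: '^/api', roles: ROLE_API }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }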