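security:
    # Symfony security configuration (FOSUserBundle + guard authenticators).
    # Indentation below is reconstructed; the original file's nesting was lost on
    # extraction. Where Symfony accepts a key at two levels (guard-level vs
    # firewall-level `provider` / `entry_point`) the guard-level placement was
    # chosen — NOTE(review): confirm against the repository copy.
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # NOTE(review): the two providers below are not referenced by any firewall
        # in this file; in_memory has no users configured (memory: ~).
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider

    firewalls:
        # Profiler / debug toolbar and static assets: no security checks.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        ## API WITH JWT AUTH (login/password)
        # login:
        #     pattern: ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path: /api/login_check
        #         success_handler: lexik_jwt_authentication.handler.authentication_success
        #         failure_handler: lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern: ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator

        # Stateless API firewall: API-key guard authenticator, anonymous access
        # allowed so the API documentation is reachable without credentials.
        api:
            pattern: ^/api
            stateless: true
            # can be set to false to disabled API doc available for anonymous user !
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider

        # Main (web) firewall: FOSUserBundle form login plus guard authenticators.
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                provider: fos_userbundle
                # Two guard authenticators are registered, so the entry point
                # (where unauthenticated users are sent) must be named explicitly.
                entry_point: App\Security\LoginAuthenticator
            remember_me:
                secret: "%kernel.secret%"
                # Lifetime of the remember-me cookie, in seconds (30 minutes).
                lifetime: 1800
                path: /
                domain: ~
                user_provider: fos_userbundle
                always_remember_me: true
                name: KOHINOSREMEMBERME
                # Cookie is only sent over HTTPS and never on cross-site requests.
                secure: true
                samesite: strict
            context: mlc_context
            # Impersonation; only roles granted ROLE_ALLOWED_TO_SWITCH (see
            # role_hierarchy below) may use it.
            switch_user:
                provider: fos_userbundle
            access_denied_handler: App\Security\AccessDeniedHandler
            user_checker: App\Security\UserChecker

    encoders:
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium / Bcrypt when available).
            algorithm: auto

    role_hierarchy:
        ROLE_API: ROLE_USER
        ROLE_ADHERENT: ROLE_USER
        ROLE_PRESTATAIRE: ROLE_USER
        ROLE_CAISSIER: ROLE_USER
        ROLE_ADMIN_SIEGE: [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE: [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT: [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        # Comment ROLE_ALLOWED_TO_SWITCH to disable impersonating user in ADMIN
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        #
        # @TODO : Improve access control !
        #
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # requires_channel added here for consistency with every other rule:
        # first match wins, so without it /gdpr/ was the only matched path not
        # forced onto SECURE_SCHEME.
        - { path: ^/gdpr/, role: [ROLE_SUPER_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # KOHINOS : deactivate register from FOSUserBundle !
        - { path: ^/register, role: ROLE_ADMIN, requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/admin/, role: [ROLE_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        # Bottom line can be uncommented to disabled API doc available for anonymous user !
        # - { path: '^/api', roles: ROLE_API }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }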