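security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # Not referenced by any firewall in this file (kept for completeness).
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        ## API WITH JWT AUTH (login/password)
        # login:
        #     pattern: ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path: /api/login_check
        #         success_handler: lexik_jwt_authentication.handler.authentication_success
        #         failure_handler: lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern: ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator

        api:
            pattern: ^/api
            stateless: true
            # Set to false to make the API docs unavailable to anonymous users.
            # With anonymous access on and no ROLE_API rule in access_control
            # (see the commented rule at the bottom of this file), the firewall
            # itself does not require any role under /api: authorization has to
            # be enforced per endpoint (controllers / voters).
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                provider: fos_userbundle
                # Several guard authenticators are configured, so the one that
                # starts the authentication process must be named explicitly.
                entry_point: App\Security\LoginAuthenticator
            remember_me:
                secret: "%kernel.secret%"
                # 7 days (in seconds)
                lifetime: 604800
                path: /
                domain: ~
                user_provider: fos_userbundle
                # The remember-me cookie is issued on every successful login;
                # there is no per-user opt-in checkbox.
                always_remember_me: true
                name: KOHINOSREMEMBERME
                # secure: true means the browser only sends the cookie over
                # HTTPS. NOTE(review): if SECURE_SCHEME is ever set to http
                # (e.g. locally), remember-me will silently not work — confirm
                # the environments this is deployed to.
                secure: true
                samesite: strict
            context: mlc_context
            # Impersonation: only roles granted ROLE_ALLOWED_TO_SWITCH (here
            # ROLE_SUPER_ADMIN, see role_hierarchy) can switch user.
            switch_user:
                provider: fos_userbundle
            access_denied_handler: App\Security\AccessDeniedHandler
            user_checker: App\Security\UserChecker

    encoders:
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium / Bcrypt when available).
            algorithm: auto

    role_hierarchy:
        ROLE_API: ROLE_USER
        ROLE_ADHERENT: ROLE_USER
        ROLE_PRESTATAIRE: ROLE_USER
        ROLE_CAISSIER: ROLE_USER
        ROLE_ADMIN_SIEGE: [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE: [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT: [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        # Remove ROLE_ALLOWED_TO_SWITCH to disable user impersonation for super admins.
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # @TODO : Improve access control !
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # GDPR exports carry personal data: require the secure scheme here like
        # every other rule (first match wins, so the catch-all below would not
        # have applied its requires_channel to this path).
        - { path: ^/gdpr/, role: [ROLE_SUPER_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # KOHINOS : self-registration from FOSUserBundle is disabled; only admins may register users.
        - { path: ^/register, role: ROLE_ADMIN, requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/admin/, role: [ROLE_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        # Uncomment the rule below to require ROLE_API under /api (this also
        # makes the API docs unavailable to anonymous users).
        # - { path: '^/api', roles: ROLE_API }
        # Catch-all: everything not matched above (including the login
        # check_path and /api) is anonymous but must use the secure scheme.
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }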