# security:
#     # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
#     providers:
#         in_memory: { memory: ~ }
#     firewalls:
#         dev:
#             pattern: ^/(_(profiler|wdt)|css|images|js)/
#             security: false
#         main:
#             anonymous: true

#             # activate different ways to authenticate

#             # http_basic: true
#             # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

#             # form_login: true
#             # https://symfony.com/doc/current/security/form_login_setup.html

#     # Easy way to control access for large sections of your site
#     # Note: Only the *first* access control that matches will be used
#     access_control:
#         # - { path: ^/admin, roles: ROLE_ADMIN }
#         # - { path: ^/profile, roles: ROLE_USER }

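security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # NOTE(review): no firewall in this file references in_memory; it looks like a
        # leftover from the default template and can be dropped once confirmed unused.
        in_memory: { memory: null }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        # Resolves users from an API key; used by the api firewall below.
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider
    firewalls:
        # Profiler, web debug toolbar and static assets bypass security entirely.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        ## API WITH JWT AUTH (login/password)
        # login:
        #     pattern:  ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path:               /api/login_check
        #         success_handler:          lexik_jwt_authentication.handler.authentication_success
        #         failure_handler:          lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern:  ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator
        # Firewalls are matched top-down, first match wins: ^/api must stay above main (^/).
        api:
            pattern: ^/api
            stateless: true
            # Set to false to stop anonymous users from reaching the API docs.
            # NOTE(review): with anonymous: true and the ^/api rule in access_control
            # commented out, requests without a valid API key still reach /api routes;
            # the controllers must enforce ROLE_API themselves until that rule is enabled.
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                provider: fos_userbundle
                # With several guard authenticators, this one starts the login flow.
                entry_point: App\Security\LoginAuthenticator
            remember_me:
                secret: "%kernel.secret%"
                # 365 days; always_remember_me issues the cookie on every successful
                # login without the user opting in.
                lifetime: 31536000
                path: /
                domain: null
                user_provider: fos_userbundle
                always_remember_me: true
                # NOTE(review): `secure` is not set, so the year-long remember-me cookie is
                # also sent over plain HTTP; set `secure: true` (and `samesite: lax`) once
                # the site is served over HTTPS only.
            # Security context name; a firewall sharing it would share the session token.
            # Only main sets it in this file.
            context: mlc_context
            # Impersonation; allowed for ROLE_ALLOWED_TO_SWITCH (see role_hierarchy).
            switch_user:
                provider: fos_userbundle
            # access_denied_handler: App\Security\AccessDeniedHandler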

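    encoders:
        # Previously a fixed bcrypt encoder.
        FOS\UserBundle\Model\UserInterface:
            # Native password encoder: "auto" selects the best hashing algorithm
            # available on the host (i.e. Sodium when available), so the choice
            # does not have to be revisited when PHP is upgraded.
            algorithm: auto

    role_hierarchy:
        # Base roles: each of these only implies ROLE_USER.
        ROLE_API:               ROLE_USER
        ROLE_ADHERENT:          ROLE_USER
        ROLE_PRESTATAIRE:       ROLE_USER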
        # Full admin plus read access to the comptoir admin (via ROLE_ADMIN_COMPTOIR_READER).
        ROLE_ADMIN_SIEGE:
            - ROLE_USER
            - ROLE_ADMIN
            - ROLE_ADMIN_COMPTOIR_READER
        # Editorial role; inherits the generic admin role.
        ROLE_REDACTEUR:
            - ROLE_USER
            - ROLE_ADMIN
        # Treasurer: generic admin plus read access to the comptoir admin.
        ROLE_TRESORIER:
            - ROLE_USER
            - ROLE_ADMIN
            - ROLE_ADMIN_COMPTOIR_READER
        # Functional roles; each one inherits the generic admin role.
        ROLE_CONTROLEUR:
            - ROLE_USER
            - ROLE_ADMIN
        ROLE_GESTION_GROUPE:
            - ROLE_USER
            - ROLE_ADMIN
        ROLE_COMPTOIR:
            - ROLE_USER
            - ROLE_ADMIN
        ROLE_CONTACT:
            - ROLE_USER
            - ROLE_ADMIN
        # ROLE_ADMIN is what the ^/admin/ access_control rule checks; every role above
        # that lists it therefore reaches the admin area, and it also grants the
        # Sonata admin role.
        ROLE_ADMIN:
            - ROLE_USER
            - ROLE_SONATA_ADMIN
        # Slice of the comptoir admin granted to ROLE_ADMIN_SIEGE and ROLE_TRESORIER;
        # presumably list + view only (no create/edit/delete) — confirm against the
        # Sonata admin definition.
        ROLE_ADMIN_COMPTOIR_READER:
            - ROLE_ADMIN_COMPTOIR_GERER_LIST
            - ROLE_ADMIN_COMPTOIR_GERER_VIEW
        # ROLE_ALLOWED_TO_SWITCH enables switch_user on the main firewall, i.e. a
        # super admin can act as any other user; keep this role to a minimum of accounts.
        ROLE_SUPER_ADMIN:
            - ROLE_ADMIN
            - ROLE_ALLOWED_TO_SWITCH
            - ROLE_API

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        #
        # @TODO: tighten the access rules below
        #
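        # Rules are evaluated top-down and only the first match applies, so the public
        # pages must stay above the catch-all at the bottom.
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Secured part of the site: ^/admin/ requires ROLE_ADMIN (which every functional
        # admin role in role_hierarchy inherits); everything else falls through to the
        # anonymous catch-all at the bottom. Change these rules to adapt them to your needs.
        # - { path: ^/admin/, roles: [ROLE_SUPER_ADMIN, ROLE_SONATA_ADMIN, ROLE_ADMIN_SIEGE, ROLE_REDACTEUR, ROLE_TRESORIER, ROLE_CONTROLEUR, ROLE_GESTION_GROUPE, ROLE_COMPTOIR, ROLE_CONTACT] }
        - { path: ^/admin/, roles: [ROLE_ADMIN] }
        # Uncomment to require an API key (ROLE_API) for the whole API, including the
        # docs that anonymous users can currently read.
        # - { path: '^/api', roles: ROLE_API }
        # Catch-all: every other route is reachable without logging in.
        - { path: ^/.*, roles: IS_AUTHENTICATED_ANONYMOUSLY }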