13

I have an admin panel and I have defined a role for it, ROLE_ADMIN. In my security.yml file I am using a pattern ^/admin/* so everything under /admin requires ROLE_ADMIN. Now in the frontend of my app I need to check the user role and, if the role is ROLE_ADMIN, render one file and otherwise render another file. This URL does not fall under the pattern defined in security.yml.

So how do I check whether the user is an admin or a normal user on the homepage, which does not fall under the pattern defined in security.yml?

Elnur Abdurrakhimov
aditya

5 Answers

31

Enable the firewall on the whole app using the ^/ pattern, permit anonymous access and use access_control to restrict access:

security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }

As @itsmequinn suggested, use the isGranted() method of the security context:

if ($this->get('security.context')->isGranted('ROLE_BRAND')) {
    // the user has the ROLE_BRAND role, so act accordingly
}

In Symfony 2.6, security.context has been split into two separate services. Hence you need to use the security.authorization_checker service to solve the problem:

if ($this->get('security.authorization_checker')->isGranted('ROLE_BRAND')) {
    // the user has the ROLE_BRAND role, so act accordingly
}
Elnur Abdurrakhimov
  • The thing is I already had 2 roles defined one `ROLE_ADMIN` for pattern example.com/admin/* and other `ROLE_BRAND` for example.com/brand/dashboard/* with separate login page. Now I want to check on page example.com whether it is an anonymous user or a guy who has a role `ROLE_BRAND` – aditya Sep 07 '12 at 04:57
  • 1
    @Elnur Abdurrakhimov forgotten to close if statement. It should be if ($this->get('security.context')->isGranted('ROLE_BRAND')) { // } – hywak Sep 30 '14 at 07:43
  • This is deprecated since version 2.6 and will be removed in 3.0. See answer by @Anil below. – Marvin Rabe Jan 25 '17 at 18:46
  • AFAIK, the PHP community is probably the only one where people prefer creating a separate answer instead of just updating a perfectly valid and accepted but outdated answer. Meh. – Elnur Abdurrakhimov Feb 13 '17 at 04:07
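The config in this answer is easier to reason about once you see how Symfony applies it. The stand-alone PHP script below is an added example, not code from the answer or from Symfony itself: it models access_control evaluation (rules are tried in order, the first rule whose path regex matches wins, and the request passes only if the user holds one of that rule's roles) using the same preg_match-in-braces test that Symfony's RequestMatcher applies to the path info. It ignores role hierarchy and host/IP/method matching, and the paths, users and roles are made up. It also shows why the question's `^/admin/*` pattern is sloppier than it looks: `/*` means zero or more slashes, so the rule also captures paths like `/administration-faq`; `^/admin(/|$)` is the tighter form.

```php
<?php
// Added example (not from the original answer or from Symfony): a small model of
// how access_control rules are evaluated, so the effect of "^/ firewall with
// anonymous access + ^/admin rule" can be seen without booting a kernel.
// Simplifications: no role hierarchy, no host/IP/method matching. Paths, users
// and the ROLE_* names below are made up for the demonstration.

declare(strict_types=1);

// access_control as written in security.yml, in the same order. Symfony applies
// each "path" as a plain regex to the path info; nothing is anchored or escaped
// for you, so "^/admin/*" means "^/admin" followed by zero or more slashes.
$accessControl = [
    ['path' => '^/admin/*',        'roles' => ['ROLE_ADMIN']],
    ['path' => '^/brand/dashboard', 'roles' => ['ROLE_BRAND']],
];

/**
 * Return the first rule whose regex matches $path, or null when no rule applies
 * (Symfony then lets the request reach the controller; "/" is such a path).
 */
function matchAccessControl(array $rules, string $path): ?array
{
    foreach ($rules as $rule) {
        // Symfony's RequestMatcher wraps the pattern in {...} and calls
        // preg_match, so the semantics (including the sloppy "/*") are identical.
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule;
        }
    }
    return null;
}

/**
 * Decide whether a visitor holding $userRoles may request $path.
 * An anonymous visitor has no roles at all, which is exactly why they can still
 * reach "/" once the firewall covers "^/": no rule matches, nothing is required.
 */
function isAllowed(array $rules, string $path, array $userRoles): bool
{
    $rule = matchAccessControl($rules, $path);
    if ($rule === null) {
        return true; // no access_control entry covers this path
    }
    return count(array_intersect($rule['roles'], $userRoles)) > 0;
}

$anonymous = [];
$brand     = ['ROLE_BRAND'];
$admin     = ['ROLE_ADMIN'];

// [path, roles of the visitor, expected decision]
$cases = [
    ['/',                   $anonymous, true],
    ['/admin/users',        $anonymous, false],
    ['/admin/users',        $admin,     true],
    ['/brand/dashboard',    $brand,     true],
    ['/brand/dashboard',    $anonymous, false],
    // The "^/admin/*" pattern swallows unrelated paths: a brand user's
    // hypothetical "/administration-faq" page suddenly requires ROLE_ADMIN.
    ['/administration-faq', $brand,     false],
];

foreach ($cases as [$path, $roles, $expected]) {
    $got = isAllowed($accessControl, $path, $roles);
    printf("%-22s roles=%-14s allowed=%s\n", $path, json_encode($roles), var_export($got, true));
    assert($got === $expected);
}

// Tightening the admin rule to "^/admin(/|$)" keeps /admin and /admin/... locked
// down but stops it from matching merely similar-looking paths.
$tightened = $accessControl;
$tightened[0]['path'] = '^/admin(/|$)';
assert(isAllowed($tightened, '/administration-faq', $brand) === true);
assert(isAllowed($tightened, '/admin',              $brand) === false);
assert(isAllowed($tightened, '/admin/users',        $admin) === true);
echo "tightened pattern '^/admin(/|$)' behaves as intended\n";
```

Run it with `php access_control_model.php`; the assertions only fire when `zend.assertions=1`, which is the default for a development php.ini. The practical takeaway is that access_control is a first-match regex list, so order rules from most to least specific and anchor the admin pattern with `(/|$)` rather than `/*`.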
20

SecurityContext will be deprecated in Symfony 3.0

Prior to Symfony 2.6 you would use SecurityContext.
SecurityContext will be deprecated in Symfony 3.0 in favour of the AuthorizationChecker.

For Symfony 2.6+ & Symfony 3.0 use AuthorizationChecker.


Symfony 2.5 (and below)

if ($this->get('security.context')->isGranted('ROLE_ADMIN')) {
    # User is a ROLE_ADMIN
}

Symfony 2.6 (and above)

if ($this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
    # User is a ROLE_ADMIN
}

Similar Question: How to check if an user is logged in Symfony2 inside a controller?

Read more in the docs here: AuthorizationChecker

Anil
5

Are you in the controller for the page? If so, use the isGranted method of the security context: Access Controls for Controllers

itsmequinn
  • Actually there is no firewall configured for that URL, so the security context contains no authentication. How do I configure a firewall for a particular URL so that it can be viewed by everyone, and if the role is `ROLE_ADMIN` I give some extra features on my home page? – aditya Sep 06 '12 at 05:15
  • Elnur's answer below will help you with that. You need to enable a firewall on all paths but allow anonymous users to access `^/` and authenticated users to access whatever it is you want to lock down. After that you can use `isGranted`. If the user is anonymous, they will match `isGranted('IS_AUTHENTICATED_FULLY')`. Otherwise, they will match for whatever roles they are granted. – itsmequinn Sep 06 '12 at 10:52
1

The easiest solution for this is annotations. Instead of this:

if ($this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
   # User is a ROLE_ADMIN
}

.. try using this:

/**
 * ...
 * @Security("has_role('ROLE_ADMIN')")
 */

.. or :

/**
 * ...
 * @Security("is_granted('POST_ADD', post)")
 */
public function addAction(Post $post){...}

You can read more about Security annotations here. Annotations are best practice in Symfony 2; look here. Enjoy!

Franky238
1

In Symfony 4 and above you should use code like below, instead of using services like $this->get('security.authorization_checker'):

$hasAccess = $this->isGranted('ROLE_ADMIN');
$this->denyAccessUnlessGranted('ROLE_ADMIN');

Symfony security

P. Piotr
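As an added example (not code from this answer or from Symfony's own sources), here is what the question's homepage controller looks like in Symfony 4 with these helpers, assuming the whole application sits behind one firewall with anonymous access enabled as in the accepted answer. The route paths, template names and the ROLE_ADMIN role name are assumptions. In the Twig templates themselves the equivalent check is `{% if is_granted('ROLE_ADMIN') %}`.

```php
<?php
// Added example (not from the original answer or from Symfony): a Symfony 4
// controller for the situation in the question. "/" is reachable by everyone
// but renders a different template for admins; "/admin/dashboard" refuses
// everyone without ROLE_ADMIN. Route paths, template names and the role name
// are assumptions made for this example.

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class HomepageController extends AbstractController
{
    /**
     * @Route("/", name="homepage")
     */
    public function index(): Response
    {
        // With the whole app behind one firewall there is always a token
        // (anonymous or authenticated), so isGranted() is safe to call here;
        // outside any firewall it would throw because no token exists.
        $template = $this->isGranted('ROLE_ADMIN')
            ? 'homepage/admin.html.twig'
            : 'homepage/visitor.html.twig';

        return $this->render($template);
    }

    /**
     * @Route("/admin/dashboard", name="admin_dashboard")
     */
    public function adminDashboard(): Response
    {
        // access_control already guards ^/admin; repeating the check in the
        // action keeps it safe if that rule is ever reordered or loosened.
        // Throws AccessDeniedException (403, or a login redirect for
        // anonymous visitors) when the role is missing.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        return $this->render('admin/dashboard.html.twig');
    }
}
```

Keep both layers: access_control stops requests at the firewall before any controller code runs, while the in-action check documents the requirement next to the code it protects and survives configuration mistakes.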