Symfony2 - set security access_control to allow only authenticated anonymously


Problem description

Let's say I have my access_control block under security.yml:

access_control:
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/reset-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }

In this case everyone is allowed to enter the homepage and reset-password pages. But I would like to allow these pages only for users authenticated anonymously. Fully authenticated users should get a 403 access denied error or a 404 page not found.

According to the documentation, with allow_if I should be able to create role expressions to define access. But if I do it like this:

access_control:
    - { path: ^/reset-password, allow_if: "has_role('IS_AUTHENTICATED_ANONYMOUSLY') and not has_role('IS_AUTHENTICATED_FULLY')" }

Now, following the idea, fully authenticated users (logged in) shouldn't be allowed to access the page and anonymously authenticated users should be able to access it, but, unfortunately, none of the users are able to access it...

Any ideas?

Update

This got it working, as suggested below by the correct answer:

- { path: ^/reset-password, allow_if: "is_anonymous() and !is_authenticated()" }


Recommended answer

Are you sure you can test IS_* using has_role()? These act like roles but they're not roles. Maybe that's why it always returns false:

  • http://symfony.com/doc/current/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully

It seems like you had better use the is_anonymous() and is_authenticated() custom functions in the allow_if expression.

  • http://symfony.com/doc/current/expressions.html#security-expression-variables
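
The expressions from this thread evaluated against an anonymous and a logged-in token, as an added example that is not code from the question or the answer. It assumes the Symfony 2.8 symfony/security-core and symfony/expression-language components are installed with Composer; the expressionVariables() helper and the token values are constructed for illustration, and role hierarchy is left out.

```php
<?php
// Added example: assumes symfony/security-core and symfony/expression-language
// 2.8 are available through Composer's autoloader.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;

// Hypothetical helper: builds the variables an allow_if expression reads.
// "roles" holds only the role names stored on the token itself.
function expressionVariables(TokenInterface $token)
{
    $roles = [];
    foreach ($token->getRoles() as $role) {
        $roles[] = $role->getRole();
    }

    return [
        'token' => $token,
        'user' => $token->getUser(),
        'roles' => $roles,
        'trust_resolver' => new AuthenticationTrustResolver(
            AnonymousToken::class,
            RememberMeToken::class
        ),
    ];
}

// Constructed sample tokens: a visitor without a login, and a form login.
$tokens = [
    'anonymous' => new AnonymousToken('constructed-secret', 'anon.'),
    'logged in' => new UsernamePasswordToken('alice', 'constructed-password', 'main', ['ROLE_USER']),
];

$expressions = [
    "has_role('IS_AUTHENTICATED_ANONYMOUSLY') and not has_role('IS_AUTHENTICATED_FULLY')",
    'is_anonymous() and !is_authenticated()',
    'is_anonymous()',
];

$language = new ExpressionLanguage();
foreach ($expressions as $expression) {
    foreach ($tokens as $label => $token) {
        $allowed = $language->evaluate($expression, expressionVariables($token));
        printf("%-10s %-5s %s\n", $label, $allowed ? 'allow' : 'deny', $expression);
    }
}
```

has_role() only looks in the token's own role list, which never contains the IS_AUTHENTICATED_* attributes, so the first rule denies both tokens. In this version is_authenticated() is defined as "has a token that is not anonymous", so the last two expressions decide identically.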
