Symfony2 - set security access_control to allow only authenticated anonymously


Problem description

Let's say I have my access_control block under the security.yml:

access_control:
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/reset-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }

In this case everyone is allowed to enter the homepage and reset-password pages. But I would like to allow these pages only for users authenticated anonymously. Fully authenticated users should get a 403 access denied error or 404 page not found.

According to the documentation, with allow_if I should be able to create role expressions to define access. But if I do it like this:

access_control:
    - { path: ^/reset-password, allow_if: "has_role('IS_AUTHENTICATED_ANONYMOUSLY') and not has_role('IS_AUTHENTICATED_FULLY')" }

Now, following the idea, fully authenticated users (logged in) shouldn't be allowed to access the page and anonymously authenticated users should be able to access it, but, unfortunately, none of the users are able to access it...

Any ideas what I am missing?

Update

This got it working, as suggested below by the correct answer:

- { path: ^/reset-password, allow_if: "is_anonymous() and !is_authenticated()" }

Recommended answer

Are you sure you can test IS_* using has_role()? These act like roles but they're not roles. Maybe that's why it always returns false:

It seems like you had better use the is_anonymous() and is_authenticated() custom functions in the allow_if expression.
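
The behaviour discussed in this answer, as an added example that is not part of the original post and is not Symfony's own code: a small Python model that assumes has_role() only looks at the roles stored on the user's token, while is_anonymous() and is_authenticated() ask what kind of token it is. The names Token, is_granted and decisions are hypothetical, and the three sample users are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Token:
    """Simplified stand-in for a Symfony security token (constructed model)."""
    kind: str                      # "anonymous", "remember_me" or "full"
    roles: list = field(default_factory=list)

# Expression functions, modelled on the semantics assumed in the lead-in.
def has_role(token, role):
    # Looks only at roles stored on the token; IS_AUTHENTICATED_* never appear there.
    return role in token.roles

def is_anonymous(token):
    return token.kind == "anonymous"

def is_authenticated(token):
    # True for any non-anonymous token, including remember-me logins.
    return not is_anonymous(token)

def broken_rule(t):  # the allow_if expression from the question
    return (has_role(t, "IS_AUTHENTICATED_ANONYMOUSLY")
            and not has_role(t, "IS_AUTHENTICATED_FULLY"))

def fixed_rule(t):   # the allow_if expression from the update
    return is_anonymous(t) and not is_authenticated(t)

def is_granted(rules, path, token):
    """The first matching path pattern decides; no match means no restriction."""
    for pattern, allow_if in rules:
        if re.search(pattern, path):
            return allow_if(token)
    return True

ANON = Token("anonymous")
REMEMBERED = Token("remember_me", ["ROLE_USER"])
LOGGED_IN = Token("full", ["ROLE_USER"])

BROKEN = [(r"^/reset-password", broken_rule)]
FIXED = [(r"^/$", fixed_rule), (r"^/reset-password", fixed_rule)]

def decisions(rules, path):
    return {t.kind: is_granted(rules, path, t) for t in (ANON, REMEMBERED, LOGGED_IN)}

if __name__ == "__main__":
    print("broken:", decisions(BROKEN, "/reset-password"))
    print("fixed: ", decisions(FIXED, "/reset-password"))
```

In this model the second half of the fixed expression is redundant, since is_authenticated() is simply the negation of is_anonymous(); remember-me users are rejected along with fully logged-in ones.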
