@@ -22,10 +22,10 @@ for each ``access_control`` entry, which determines whether or not a given
2222access control should be used on this request. The following ``access_control ``
2323options are used for matching:
2424
25- * ``path ``
26- * ``ip `` or ``ips `` ( netmasks are also supported)
27- * ``host ``
28- * ``methods ``
25+ * ``path ``: a regular expression (without delimiters)
26+ * ``ip `` or ``ips ``: netmasks are also supported
27+ * ``host ``: a regular expression
28+ * ``methods ``: one or many methods
2929
3030Take the following ``access_control `` entries as an example:
3131
@@ -37,10 +37,11 @@ Take the following ``access_control`` entries as an example:
3737 security :
3838 # ...
3939 access_control :
40- - { path: ^/admin, roles: ROLE_USER_IP, ip: 127.0.0.1 }
41- - { path: ^/admin, roles: ROLE_USER_HOST, host: symfony\.com$ }
42- - { path: ^/admin, roles: ROLE_USER_METHOD, methods: [POST, PUT] }
43- - { path: ^/admin, roles: ROLE_USER }
40+ - { path: '^/admin', roles: ROLE_USER_IP, ip: 127.0.0.1 }
41+ - { path: '^/admin', roles: ROLE_USER_HOST, host: symfony\.com$ }
42+ - { path: '^/admin', roles: ROLE_USER_METHOD, methods: [POST, PUT] }
43+ # Defining many roles means we need one of them (like an OR condition)
44+ - { path: '^/admin', roles: [ROLE_MANAGER, ROLE_ADMIN] }
4445
4546code-block :: xml
4647
@@ -57,7 +58,8 @@ Take the following ``access_control`` entries as an example:
5758 <rule path =" ^/admin" role =" ROLE_USER_IP" ip =" 127.0.0.1"
5859 <rule path =" ^/admin" role =" ROLE_USER_HOST" host =" symfony\.com$"
5960 <rule path =" ^/admin" role =" ROLE_USER_METHOD" methods =" POST, PUT"
60- <rule path =" ^/admin" role =" ROLE_USER"
61+ <!-- Defining many roles, mean we need one of them (like an OR condition) -->
62+ <rule path =" ^/admin" roles =" ROLE_ADMIN, ROLE_MANAGER"
6163 </config >
6264 </srv : container >
6365
@@ -69,31 +71,32 @@ Take the following ``access_control`` entries as an example:
6971 'access_control' => [
7072 [
7173 'path' => '^/admin',
72- 'role ' => 'ROLE_USER_IP',
73- 'ip ' => '127.0.0.1',
74+ 'roles ' => 'ROLE_USER_IP',
75+ 'ips ' => '127.0.0.1',
7476 ],
7577 [
7678 'path' => '^/admin',
77- 'role ' => 'ROLE_USER_HOST',
79+ 'roles ' => 'ROLE_USER_HOST',
7880 'host' => 'symfony\.com$',
7981 ],
8082 [
8183 'path' => '^/admin',
82- 'role ' => 'ROLE_USER_METHOD',
84+ 'roles ' => 'ROLE_USER_METHOD',
8385 'methods' => 'POST, PUT',
8486 ],
8587 [
8688 'path' => '^/admin',
87- 'role' => 'ROLE_USER',
89+ // Defining many roles, mean we need one of them (like an OR condition)
90+ 'roles' => ['ROLE_MANAGER', 'ROLE_ADMIN'],
8891 ],
8992 ],
9093 ]);
9194
9295access_control ``
9396to use based on the URI, the client's IP address, the incoming host name,
9497and the request method. Remember, the first rule that matches is used, and
95- if ``ip ``, ``host `` or ``method `` are not specified for an entry, that `` access_control ``
96- will match any ``ip ``, ``host `` or ``method ``:
98+ if ``ips ``, ``host `` or ``methods `` are not specified for an entry, that
99+ `` access_control `` will match any ``ips ``, ``host `` or ``methods ``:
97100
98101+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
99102| URI | IP | HOST | METHOD | ``access_control `` | Why? |
@@ -114,9 +117,10 @@ will match any ``ip``, ``host`` or ``method``:
114117| ``/admin/user `` | 168.0.0.1 | example.com | POST | rule #3 (``ROLE_USER_METHOD ``) | The ``ip `` and ``host `` don't match the first two entries, |
115118| | | | | | but the third - ``ROLE_USER_METHOD `` - matches and is used. |
116119+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
117- | ``/admin/user `` | 168.0.0.1 | example.com | GET | rule #4 (``ROLE_USER ``) | The ``ip ``, ``host `` and ``method `` prevent the first |
120+ | ``/admin/user `` | 168.0.0.1 | example.com | GET | rule #4 (``ROLE_MANAGER ``) | The ``ip ``, ``host `` and ``method `` prevent the first |
118121| | | | | | three entries from matching. But since the URI matches the |
119- | | | | | | ``path `` pattern of the ``ROLE_USER `` entry, it is used. |
122+ | | | | | | ``path `` pattern, then the ``ROLE_MANAGER `` (or the |
123+ | | | | | | ``ROLE_ADMIN ``) is used. |
120124+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
121125| ``/foo `` | 127.0.0.1 | symfony.com | POST | matches no entries | This doesn't match any ``access_control `` rules, since its |
122126| | | | | | URI doesn't match any of the ``path `` values. |
@@ -144,6 +148,14 @@ options:
144148 does not match this value (e.g. ``https ``), the user will be redirected
145149 (e.g. redirected from ``http `` to ``https ``, or vice versa).
146150
151+ .. tip ::
152+
153+ Behind the scenes, the array value of ``roles `` is passed as the
154+ ``$attributes `` argument to each voter in the application with the
155+ :class: `Symfony\\ Component\\ HttpFoundation\\ Request ` as ``$subject ``. You
156+ can learn how to use your custom attributes by reading
157+ :ref: `security/custom-voter `.
158+
147159.. tip ::
148160
149161 If access is denied, the system will try to authenticate the user if not
@@ -180,8 +192,8 @@ pattern so that it is only accessible by requests from the local server itself:
180192 access_control :
181193 #
182194 # the 'ips' option supports IP addresses and subnet masks
183- - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
184- - { path: ^/internal, roles: ROLE_NO_ACCESS }
195+ - { path: ' ^/internal' , roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
196+ - { path: ' ^/internal' , roles: ROLE_NO_ACCESS }
185197
186198code-block :: xml
187199
@@ -214,13 +226,13 @@ pattern so that it is only accessible by requests from the local server itself:
214226 'access_control' => [
215227 [
216228 'path' => '^/internal',
217- 'role ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
229+ 'roles ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
218230 // the 'ips' option supports IP addresses and subnet masks
219231 'ips' => ['127.0.0.1', '::1'],
220232 ],
221233 [
222234 'path' => '^/internal',
223- 'role ' => 'ROLE_NO_ACCESS',
235+ 'roles ' => 'ROLE_NO_ACCESS',
224236 ],
225237 ],
226238 ]);
265277 access_control :
266278 -
267279 path : ^/_internal/secure
268- allow_if : " '127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"
280+ roles : ' ROLE_ADMIN'
281+ // with this expression, we need it to be true OR a ROLE_ADMIN
282+ allow_if : " '127.0.0.1' == request.getClientIp() or request.header.has('X-Secure-Access')"
269283
270284code-block :: xml
271285
279293
280294 <config >
281295 <rule path =" ^/_internal/secure"
282- allow-if =" '127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"
296+ role =" ROLE_ADMIN"
297+ <!-- with this expression, we need it to be true OR a ROLE_ADMIN -->
298+ allow-if="'127.0.0.1' == request.getClientIp() or request.header.has('X-Secure-Access')" />
283299 </config >
284300 </srv : container >
285301
@@ -288,13 +304,27 @@ key:
288304 'access_control' => [
289305 [
290306 'path' => '^/_internal/secure',
291- 'allow_if' => '"127.0.0.1" == request.getClientIp() or has_role("ROLE_ADMIN")',
307+ 'roles' => 'ROLE_ADMIN',
308+ // with this expression, we need it to be true OR a ROLE_ADMIN
309+ 'allow_if' => '"127.0.0.1" == request.getClientIp() or request.header.has('X-Secure-Access')',
292310 ],
293311 ],
294312
295- /_internal/secure ``,
296- they will only be granted access if the IP address is ``127.0.0.1 `` or if
297- the user has the ``ROLE_ADMIN `` role.
313+
314+ ``/_internal/secure ``, they will only be granted access if the IP address is
315+ ``127.0.0.1 `` or a secure header, or if the user has the ``ROLE_ADMIN `` role.
316+
317+ .. note ::
318+
319+ Internally ``allow_if `` triggers the built-in
320+ :class: `Symfony\\ Component\\ Security\\ Core\\ Authorization\\ Voter\\ ExpressionVoter `
321+ as like it was part of the attributes defined in the ``roles `` option.
322+ By default, access is granted if one of the attribute is granted. In other
323+ words, it means ``allow_if `` can grant access even if the
324+ :class: `Symfony\\ Component\\ Security\\ Core\\ Authorization\\ Voter\\ RoleVoter ` or
325+ any other voter denied it.
326+ To change this behavior, you may need to learn more about
327+ :ref: `access decision strategy <security-voters-change-strategy >`.
298328
299329Inside the expression, you have access to a number of different variables
300330and functions including ``request ``, which is the Symfony
@@ -345,7 +375,7 @@ the user will be redirected to ``https``:
345375 'access_control' => [
346376 [
347377 'path' => '^/cart/checkout',
348- 'role ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
378+ 'roles ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
349379 'requires_channel' => 'https',
350380 ],
351381 ],
0 commit comments