@@ -22,10 +22,10 @@ for each ``access_control`` entry, which determines whether or not a given
2222access control should be used on this request. The following ``access_control ``
2323options are used for matching:
2424
25- * ``path ``
25+ * ``path `` # a regular expression (without delimiters)
2626* ``ip `` or ``ips `` (netmasks are also supported)
27- * ``host ``
28- * ``methods ``
27+ * ``host `` # a regular expression
28+ * ``methods `` # one or many methods
2929
3030Take the following ``access_control `` entries as an example:
3131
@@ -37,10 +37,10 @@ Take the following ``access_control`` entries as an example:
3737 security :
3838 # ...
3939 access_control :
40- - { path: ^/admin, roles: ROLE_USER_IP, ip: 127.0.0.1 }
41- - { path: ^/admin, roles: ROLE_USER_HOST, host: symfony\.com$ }
42- - { path: ^/admin, roles: ROLE_USER_METHOD, methods: [POST, PUT] }
43- - { path: ^/admin, roles: ROLE_USER }
40+ - { path: ' ^/admin' , roles: ROLE_USER_IP, ip: 127.0.0.1 }
41+ - { path: ' ^/admin' , roles: ROLE_USER_HOST, host: symfony\.com$ }
42+ - { path: ' ^/admin' , roles: ROLE_USER_METHOD, methods: [POST, PUT] }
43+ - { path: ' ^/admin' , roles: [ROLE_MANAGER, ROLE_ADMIN] }
4444
4545code-block :: xml
4646
@@ -57,7 +57,12 @@ Take the following ``access_control`` entries as an example:
5757 <rule path =" ^/admin" role =" ROLE_USER_IP" ip =" 127.0.0.1"
5858 <rule path =" ^/admin" role =" ROLE_USER_HOST" host =" symfony\.com$"
5959 <rule path =" ^/admin" role =" ROLE_USER_METHOD" methods =" POST, PUT"
60- <rule path =" ^/admin" role =" ROLE_USER"
60+ <rule path =" ^/admin" roles =" ROLE_ADMIN, ROLE_MANAGER"
61+ <!-- same as: -->
62+ <rule path =" ^/admin"
63+ <role >ROLE_MANAGER</role >
64+ <role >ROLE_ADMIN</role >
65+ </rule >
6166 </config >
6267 </srv : container >
6368
@@ -69,31 +74,33 @@ Take the following ``access_control`` entries as an example:
6974 'access_control' => [
7075 [
7176 'path' => '^/admin',
72- 'role ' => 'ROLE_USER_IP',
73- 'ip ' => '127.0.0.1',
77+ 'roles ' => 'ROLE_USER_IP',
78+ 'ips ' => '127.0.0.1',
7479 ],
7580 [
7681 'path' => '^/admin',
77- 'role ' => 'ROLE_USER_HOST',
82+ 'roles ' => 'ROLE_USER_HOST',
7883 'host' => 'symfony\.com$',
7984 ],
8085 [
8186 'path' => '^/admin',
82- 'role ' => 'ROLE_USER_METHOD',
87+ 'roles ' => 'ROLE_USER_METHOD',
8388 'methods' => 'POST, PUT',
8489 ],
8590 [
8691 'path' => '^/admin',
87- 'role' => 'ROLE_USER',
92+ 'roles' => 'ROLE_MANAGER, ROLE_ADMIN',
93+ // same as
94+ // 'roles' => ['ROLE_MANAGER', 'ROLE_ADMIN'],
8895 ],
8996 ],
9097 ]);
9198
9299access_control ``
93100to use based on the URI, the client's IP address, the incoming host name,
94101and the request method. Remember, the first rule that matches is used, and
95- if ``ip ``, ``host `` or ``method `` are not specified for an entry, that `` access_control ``
96- will match any ``ip ``, ``host `` or ``method ``:
102+ if ``ips ``, ``host `` or ``methods `` are not specified for an entry, that
103+ `` access_control `` will match any ``ips ``, ``host `` or ``methods ``:
97104
98105+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
99106| URI | IP | HOST | METHOD | ``access_control `` | Why? |
@@ -114,9 +121,9 @@ will match any ``ip``, ``host`` or ``method``:
114121| ``/admin/user `` | 168.0.0.1 | example.com | POST | rule #3 (``ROLE_USER_METHOD ``) | The ``ip `` and ``host `` don't match the first two entries, |
115122| | | | | | but the third - ``ROLE_USER_METHOD `` - matches and is used. |
116123+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
117- | ``/admin/user `` | 168.0.0.1 | example.com | GET | rule #4 (``ROLE_USER ``) | The ``ip ``, ``host `` and ``method `` prevent the first |
124+ | ``/admin/user `` | 168.0.0.1 | example.com | GET | rule #4 (``ROLE_MANAGER ``) | The ``ip ``, ``host `` and ``method `` prevent the first |
118125| | | | | | three entries from matching. But since the URI matches the |
119- | | | | | | ``path `` pattern of the ``ROLE_USER `` entry, it is used. |
126+ | | | | | | ``path `` pattern, then the ``ROLE_USER `` entry is used. |
120127+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
121128| ``/foo `` | 127.0.0.1 | symfony.com | POST | matches no entries | This doesn't match any ``access_control `` rules, since its |
122129| | | | | | URI doesn't match any of the ``path `` values. |
@@ -144,6 +151,14 @@ options:
144151 does not match this value (e.g. ``https ``), the user will be redirected
145152 (e.g. redirected from ``http `` to ``https ``, or vice versa).
146153
154+ .. tip ::
155+
156+ Behind the scene, the array value of ``roles `` is passed as ``$attributes ``
157+ argument to each voter in the application with the
158+ :class: `Symfony\\ Component\\ HttpFoundation\\ Request ` as ``$subject ``. You
159+ can learn how to use your custom attributes by reading
160+ :ref: `security/custom-voter `.
161+
147162.. tip ::
148163
149164 If access is denied, the system will try to authenticate the user if not
@@ -180,8 +195,8 @@ pattern so that it is only accessible by requests from the local server itself:
180195 access_control :
181196 #
182197 # the 'ips' option supports IP addresses and subnet masks
183- - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
184- - { path: ^/internal, roles: ROLE_NO_ACCESS }
198+ - { path: ' ^/internal' , roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
199+ - { path: ' ^/internal' , roles: ROLE_NO_ACCESS }
185200
186201code-block :: xml
187202
@@ -214,13 +229,13 @@ pattern so that it is only accessible by requests from the local server itself:
214229 'access_control' => [
215230 [
216231 'path' => '^/internal',
217- 'role ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
232+ 'roles ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
218233 // the 'ips' option supports IP addresses and subnet masks
219234 'ips' => ['127.0.0.1', '::1'],
220235 ],
221236 [
222237 'path' => '^/internal',
223- 'role ' => 'ROLE_NO_ACCESS',
238+ 'roles ' => 'ROLE_NO_ACCESS',
224239 ],
225240 ],
226241 ]);
265280 access_control :
266281 -
267282 path : ^/_internal/secure
268- allow_if : " '127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"
283+ roles : ' ROLE_ADMIN'
284+ allow_if : " '127.0.0.1' == request.getClientIp() or request.header.has('X-Secure-Access')"
269285
270286code-block :: xml
271287
279295
280296 <config >
281297 <rule path =" ^/_internal/secure"
282- allow-if =" '127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"
298+ role =" ROLE_ADMIN"
299+ allow-if =" '127.0.0.1' == request.getClientIp() or request.header.has('X-Secure-Access')"
283300 </config >
284301 </srv : container >
285302
@@ -288,13 +305,26 @@ key:
288305 'access_control' => [
289306 [
290307 'path' => '^/_internal/secure',
291- 'allow_if' => '"127.0.0.1" == request.getClientIp() or has_role("ROLE_ADMIN")',
308+ 'roles' => 'ROLE_ADMIN',
309+ 'allow_if' => '"127.0.0.1" == request.getClientIp() or request.header.has('X-Secure-Access')',
292310 ],
293311 ],
294312
295- /_internal/secure ``,
296- they will only be granted access if the IP address is ``127.0.0.1 `` or if
297- the user has the ``ROLE_ADMIN `` role.
313+
314+ ``/_internal/secure ``, they will only be granted access if the IP address is
315+ ``127.0.0.1 `` or a secure header, or if the user has the ``ROLE_ADMIN `` role.
316+
317+ .. note ::
318+
319+ Internally ``allow_if `` enforce calling the built-in
320+ :class: `Symfony\\ Component\\ Security\\ Core\\ Authorization\\ Voter\\ ExpressionVoter `
321+ as like it was part of the attributes defined in the ``roles `` option.
322+ By default, access is granted if one of the attribute is granted. In other
323+ words, it means ``allow_if `` can grant access even if the
324+ :class: `Symfony\\ Component\\ Security\\ Core\\ Authorization\\ Voter\\ RoleVoter ` or
325+ any other voter denied it.
326+ To change this behavior, you may need to learn more about
327+ :ref: `access decision strategy <security-voters-change-strategy >`.
298328
299329Inside the expression, you have access to a number of different variables
300330and functions including ``request ``, which is the Symfony
@@ -345,7 +375,7 @@ the user will be redirected to ``https``:
345375 'access_control' => [
346376 [
347377 'path' => '^/cart/checkout',
348- 'role ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
378+ 'roles ' => 'IS_AUTHENTICATED_ANONYMOUSLY',
349379 'requires_channel' => 'https',
350380 ],
351381 ],
0 commit comments