[INTEGRATED-1179] Do not allow users in other scopes on /admin - e-Active JIRA-OTM

Details

Type: Story
Status: Closed
Priority: Major
Resolution: Canceled
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:

Epic Link:
Website login
Story Points:
3
Deployment actions:
Hide

Update security.yml with:

{ path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED, allow_if: 'integrated_scope().isAdmin() == true' }
Show
Update security.yml with: { path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED, allow_if: 'integrated_scope().isAdmin() == true' }
Team:
Team A
Sprint:
Team A Sprint 41, Team A Sprint 42

Description

Background

On /admin (or any other configured URL for Integrated in the Symfony installation) only the Integrated scope is allowed. It is currently possible to go the admin after logging in on the website.

Requirements

When a user is in the admin path (exluding the Integrated login page), check the scope. When the scope is not "Integrated" (a non-admin scope) redirect the user to the Integrated login page

Test scenarios

Log in Integrated with an Integrated-scope user: should work
Log in Integrated with a website-scope user: should not work
Log in into the website a website-scope user: should work
After that go to the integrated content navigator: should redirect to the login form

Attachments

Issue links

is blocked by

INTEGRATED-1305 Spike: does INTEGRATED-1179 work in Symfony 3.4?

Closed

is cloned by

INTEGRATED-1309 Do not allow users in other scopes on /admin

Closed

Activity

People

Assignee:

Unassigned

Reporter:

Marijn Otte

Product owner:

Maartje Wessels-Wouda

Client:

Integrated Marijn

Developer:

Ger Jan van den Bosch (Inactive)

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

27/Jun/17 8:37 AM

Updated:

15/Feb/18 12:51 PM

Resolved:

14/Feb/18 2:40 PM