summary

Do not allow users in other scopes on /admin

Description

Background

On /admin (or any other configured URL for Integrated in the Symfony installation) only the Integrated scope is allowed. It is currently possible to go the admin after logging in on the website.

Requirements

When a user is in the admin path (exluding the Integrated login page), check the scope. When the scope is not "Integrated" (a non-admin scope) redirect the user to the Integrated login page

Test scenarios

Log in Integrated with an Integrated-scope user: should work
Log in Integrated with a website-scope user: should not work
Log in into the website a website-scope user: should work
After that go to the integrated content navigator: should redirect to the login form

Deployment actions

Update security.yml with:

{ path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED, allow_if: 'integrated_scope().isAdmin() == true' }

Technical tasks

None

Status

Assignee

Unassigned

Reporter

Marijn Otte

Labels

delivery-notification-sent

time-estimate-accepted

time-estimate-sent

Product owner

Maartje Wessels-Wouda

OTM project ID

None

Client

Integrated Marijn

Plan date

None

Developer

Ger Jan van den Bosch

Code reviewer

None

Max. hours

None

Error message

None

Follow up date

None

Switches

None

Refiner

None

Story Points

Time tracking

7h 15m

Epic Link

Website login

Sprint

None

Priority

Major

Configure