Do not allow users in other scopes on /admin

Description

Background

On /admin (or any other configured URL for Integrated in the Symfony installation) only the Integrated scope is allowed. It is currently possible to go the admin after logging in on the website.

Requirements

  • When a user is in the admin path (exluding the Integrated login page), check the scope. When the scope is not "Integrated" (a non-admin scope) redirect the user to the Integrated login page

Test scenarios

  • Log in Integrated with an Integrated-scope user: should work

  • Log in Integrated with a website-scope user: should not work

  • Log in into the website a website-scope user: should work

  • After that go to the integrated content navigator: should redirect to the login form

Technical tasks

None

Deployment actions

Update security.yml with:

  • { path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED, allow_if: 'integrated_scope().isAdmin() == true' }

Activity

Show:
Marijn Otte
January 4, 2018, 9:30 AM

I reopened this issue because the Symfony issue is updated. Please don't close this issue next time, when it has not been finished, because it has now been added to the Integrated 0.7 changelog and deployment actions incorrectly.

Ger Jan van den Bosch
January 5, 2018, 8:37 AM

I think this issue is done. You can upgrade symfony (with #24309 included), then it should work.

Marijn Otte
January 30, 2018, 1:48 PM

can we do this with an extra role like ROLE_INTEGRATED? In that case we don't need the allow_if

Ger Jan van den Bosch
February 1, 2018, 8:20 AM

I think so, what do you think?

Jeroen van Leeuwen
February 14, 2018, 11:41 AM

yep, ROLE_* sounds good to me instead of using the allow_if.

Assignee

Unassigned

Client

Integrated Marijn

Epic Link

Sprint

None
Configure