Do not allow users in other scopes on /admin

Description

Background

On /admin (or any other URL configured for Integrated in the Symfony installation) only the Integrated scope is allowed. It is currently possible to reach the admin after logging in on the website.

In INTEGRATED-1284, a solution with allow_if is implemented, but this is currently not supported.

A better solution is to inject a role for each scope, so that access can be blocked on something like ROLE_INTEGRATED in security.yml.

Requirements

  • Inject role ROLE_INTEGRATED when a user is logged in on the Integrated scope

  • Block the /admin path for users without the ROLE_INTEGRATED role

Test scenarios

  • Log in to Integrated with an Integrated-scope user: should work

  • Log in to Integrated with a website-scope user: should not work

  • Log in to the website with a website-scope user: should work

  • After that, go to the Integrated content navigator: should redirect to the login form

Technical tasks

None

Deployment actions

Change:

  • { path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED }

To:

  • { path: ^/admin, roles: [IS_AUTHENTICATED_REMEMBERED, ROLE_SCOPE_INTEGRATED] }

Add:
firewalls:
    default:
        scope: ~
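One way to implement the "inject a role for the Integrated scope" requirement so that the access_control rule above has something to block on: a Symfony voter that grants the ROLE_SCOPE_INTEGRATED attribute only to tokens that were authenticated through the Integrated firewall. This is an added example, not Integrated's own code. It assumes Symfony 3.4/4.x (where the tokens created by form login and remember-me expose the firewall name via getProviderKey()) and that the Integrated scope corresponds to a firewall named "integrated"; the class name ScopeRoleVoter and that firewall name are assumptions.

```php
<?php
// Added example (not Integrated's own code): a Symfony voter that grants
// ROLE_SCOPE_INTEGRATED only to a session authenticated through the Integrated
// firewall, so access_control can block /admin for website-scope logins.
//
// Assumptions (not from the ticket): Symfony 3.4/4.x, whose form-login and
// remember-me tokens carry the firewall name via getProviderKey(); and that the
// Integrated scope is served by a firewall named "integrated".

namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

final class ScopeRoleVoter implements VoterInterface
{
    public const ROLE_SCOPE_INTEGRATED = 'ROLE_SCOPE_INTEGRATED';

    /** @var string name of the firewall whose logins count as the Integrated scope (assumed) */
    private $integratedFirewall;

    public function __construct(string $integratedFirewall = 'integrated')
    {
        $this->integratedFirewall = $integratedFirewall;
    }

    public function vote(TokenInterface $token, $subject, array $attributes)
    {
        $vote = self::ACCESS_ABSTAIN;

        foreach ($attributes as $attribute) {
            if ($attribute !== self::ROLE_SCOPE_INTEGRATED) {
                continue; // not our attribute: leave it to the other voters
            }
            // From here on we have an opinion: deny unless the token came from
            // the Integrated firewall. A website-scope login therefore never
            // gets ROLE_SCOPE_INTEGRATED, whatever roles its user entity has.
            $vote = self::ACCESS_DENIED;
            if ($this->authenticatedOnIntegrated($token)) {
                return self::ACCESS_GRANTED;
            }
        }

        return $vote;
    }

    private function authenticatedOnIntegrated(TokenInterface $token): bool
    {
        // AnonymousToken has no provider key, so unauthenticated requests fail here.
        if (!method_exists($token, 'getProviderKey')) {
            return false;
        }

        return $token->getProviderKey() === $this->integratedFirewall;
    }
}
```

Register the class as a service tagged `security.voter` (with `autoconfigure: true` Symfony does this for every VoterInterface implementation). Two caveats worth checking before deploying the rule above: Symfony treats a list under `roles` in access_control as "any of these", so `[IS_AUTHENTICATED_REMEMBERED, ROLE_SCOPE_INTEGRATED]` still admits any remembered website login; since this voter only grants to authenticated Integrated tokens, `roles: ROLE_SCOPE_INTEGRATED` on its own gives the intended behaviour. And an authenticated token that fails access_control produces a 403, not a redirect; the login-form redirect in the last test scenario only happens when the token on the Integrated firewall is anonymous.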

Activity

Marijn Otte
February 14, 2018, 1:37 PM

  • Should we inject a role for each scope or only the Integrated scope? I think only the Integrated scope (at least for now), because when other scope roles are used in code we create a new dynamic vs static problem

  • Is ROLE_INTEGRATED OK? (I like that most, but when we define a role for each scope ROLE_SCOPE_INTEGRATED might be better to avoid conflicts with custom made roles)

Maartje Wessels-Wouda
February 15, 2018, 11:48 AM

Do you want to approve this? It will go into sprint A

API
February 15, 2018, 12:27 PM

Estimate of 5.25 hours has been accepted by Integrated Marijn (entered on behalf of ).

Michael Jongman
February 21, 2018, 12:44 PM

, is there a working puphpet box for integrated?

Jeroen van Leeuwen
March 28, 2018, 10:12 AM

can you review the updated PR and the new PR? I have approved both.

Assignee

Unassigned

Client

Integrated Marijn

Epic Link

Sprint

None

Fix versions
