Do not allow users in other scopes on /admin

Description

Background

On /admin (or any other configured URL for Integrated in the Symfony installation) only the Integrated scope is allowed. It is currently possible to go the admin after logging in on the website.

In INTEGRATED-1284, a solution with allow_if is implemented, but this is currently not supported.

A better solution is to inject a role for each scope, to allow blocking on something like ROLE_INTEGRATED in security.yml

Requirements

  • Inject role ROLE_INTEGRATED when a user is logged in on the Integrated scope

  • Block the /admin path for users without the ROLE_INTEGRATED role

Test scenarios

  • Log in Integrated with an Integrated-scope user: should work

  • Log in Integrated with a website-scope user: should not work

  • Log in into the website a website-scope user: should work

  • After that go to the integrated content navigator: should redirect to the login form

Deployment actions

Change:

  • { path: ^/admin, roles: IS_AUTHENTICATED_REMEMBERED }

To:

  • { path: ^/admin, roles: [IS_AUTHENTICATED_REMEMBERED, ROLE_SCOPE_INTEGRATED] }

Add:
firewalls:
default:
scope: ~

Technical tasks

None

Status

Assignee

Unassigned

Reporter

Marijn Otte

Product owner

Marijn Otte

OTM project ID

None

Client

Integrated Marijn

Plan date

None

Developer

Ger Jan van den Bosch

Code reviewer

Jeroen van Leeuwen

Max. hours

None

Error message

None

Follow up date

None

Switches

None

Refiner

None

Story Points

2

Time tracking

5h 15m

Epic Link

Sprint

None

Fix versions

Priority

Major