Symfony impersonation - separate firewalls and separate user providers

Question

I have a Symfony application with two firewalls, one for admins and one for normal users.

admin:
    provider: admin
    # etc

main_site:
    form_login:
        provider: fos_userbundle
        csrf_provider: form.csrf_provider

I'd like admin users to be able to impersonate normal users. How can I do this, given that they're using separate firewalls and separate user providers?

Recommended answer

There were several things I had to do to get this to work.

Context key: As described here, I had to give both firewalls the same context. Without this, admins were taken to the login page when trying to switch users.

Config on both firewalls: I had to add the basic switch_user configuration keys to both firewalls:

switch_user:
    role: ROLE_ADMIN

If I just put the config on the main_site firewall, admins got an access denied message when exiting impersonation and going to an admin page. (For example, the route /admin/dashboard?_switch_user=_exit would give a 403).

Provider key on the main_site's config:

main_site:
    switch_user:
        role: ROLE_ADMIN
        provider: fos_userbundle

Without this, I got the error "Switch User failed - user@example.com not found". Digging into the code, it turned out that the admin user provider was being used, and of course the normal users couldn't be found when using that provider.

(provider key for switch_user config discussed here.)

Alternatively, I could have added this as a provider key for the firewall itself:

main_site:
    switch_user:
        role: ROLE_ADMIN
    provider: fos_userbundle

You'll see from the config in my question that fos_userbundle was only specified as a provider for form_login, not for main_site as a whole, which is why it wasn't being used until I added it. Adding it in either place (impersonation config or whole firewall) would do the trick.

Here's the full set of relevant config:

admin:
    provider: admin
    # Have to put basic switch_user config on both firewalls
    switch_user:
        role: ROLE_ADMIN
    # Both the admin and main_site firewalls have the same context, to allow
    # cross-firewall impersonation
    # https://stackoverflow.com/a/17991481/328817
    context: boardworks

main_site:
    form_login:
        provider: fos_userbundle
        csrf_provider: form.csrf_provider
    switch_user:
        role: ROLE_ADMIN
        # Have to explicitly set the provider, otherwise the site will use the admin
        # user provider when looking up the users whom admins are trying to impersonate
        provider: fos_userbundle
    # Rather than adding the provider above, I could have added it here:
    #provider: fos_userbundle
    # Same context as the admin firewall, as described above
    context: boardworks
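
The three conditions from the answer above (shared context, switch_user on both firewalls, and an explicit provider for the impersonation lookup) can be checked mechanically before deployment. The following is an added example, not code from the original post or from Symfony: the firewalls are written as Python dicts mirroring the page's YAML, with context set on both firewalls as the answer's first point requires, and the function names and the `default_provider` parameter (standing in for the admin provider the answer saw being used when none was set) are assumptions.

```python
# Added example, not from the original post. The dicts mirror the page's YAML;
# the helper names and the default_provider fallback are assumptions.

def effective_switch_provider(fw, default_provider):
    """Provider used to look up the user being impersonated on this firewall."""
    switch = fw.get("switch_user")
    switch = switch if isinstance(switch, dict) else {}
    return switch.get("provider") or fw.get("provider") or default_provider


def lint_impersonation(firewalls, admin_fw, target_fw, target_provider, default_provider):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    admin, target = firewalls[admin_fw], firewalls[target_fw]
    # 1. Shared context: without it admins are sent to the login page.
    if not admin.get("context") or admin.get("context") != target.get("context"):
        findings.append("context: firewalls do not share a context")
    # 2. switch_user on both firewalls: without it, exiting impersonation on
    #    an admin route gives a 403.
    for name in (admin_fw, target_fw):
        if "switch_user" not in firewalls[name]:
            findings.append(f"switch_user: missing on firewall '{name}'")
    # 3. Lookup provider: form_login.provider does not count for switch_user.
    used = effective_switch_provider(target, default_provider)
    if used != target_provider:
        findings.append(f"provider: '{target_fw}' uses '{used}', expected '{target_provider}'")
    return findings


# Constructed input: the question's config, then the answer's config.
QUESTION = {
    "admin": {"provider": "admin"},
    "main_site": {"form_login": {"provider": "fos_userbundle"}},
}
ANSWER = {
    "admin": {"provider": "admin", "switch_user": {"role": "ROLE_ADMIN"}, "context": "boardworks"},
    "main_site": {
        "form_login": {"provider": "fos_userbundle"},
        "switch_user": {"role": "ROLE_ADMIN", "provider": "fos_userbundle"},
        "context": "boardworks",
    },
}

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("answer", ANSWER)):
        print(label, lint_impersonation(cfg, "admin", "main_site", "fos_userbundle", "admin"))
```
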