From da8362f38e286d7c7ecd5ac91b6daf9f67282c46 Mon Sep 17 00:00:00 2001
From: BooleanType
Date: Sun, 10 Jan 2021 22:29:29 +0100
Subject: [PATCH] [Security] Update access_control.rst
---
 security/access_control.rst | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/security/access_control.rst b/security/access_control.rst
index efae1e628d1..53d216c8ce2 100644
--- a/security/access_control.rst
+++ b/security/access_control.rst
@@ -40,8 +40,8 @@ Take the following ``access_control`` entries as an example:
 security:
 # ...
 access_control:
- - { path: '^/admin', roles: ROLE_USER_IP, ip: 127.0.0.1 }
 - { path: '^/admin', roles: ROLE_USER_PORT, ip: 127.0.0.1, port: 8080 }
+ - { path: '^/admin', roles: ROLE_USER_IP, ip: 127.0.0.1 }
 - { path: '^/admin', roles: ROLE_USER_HOST, host: symfony\.com$ }
 - { path: '^/admin', roles: ROLE_USER_METHOD, methods: [POST, PUT] }
 # when defining multiple roles, users must have at least one of them (it's like an OR condition)
@@ -59,8 +59,8 @@ Take the following ``access_control`` entries as an example: - +
@@ -74,17 +74,17 @@ Take the following ``access_control`` entries as an example:
 $container->loadFromExtension('security', [
 // ...
 'access_control' => [
- [
- 'path' => '^/admin',
- 'roles' => 'ROLE_USER_IP',
- 'ips' => '127.0.0.1',
- ],
 [
 'path' => '^/admin',
 'roles' => 'ROLE_USER_PORT',
 'ip' => '127.0.0.1',
 'port' => '8080',
 ],
+ [
+ 'path' => '^/admin',
+ 'roles' => 'ROLE_USER_IP',
+ 'ips' => '127.0.0.1',
+ ],
 [
 'path' => '^/admin',
 'roles' => 'ROLE_USER_HOST',
@@ -112,13 +112,13 @@ if ``ip``, ``port``, ``host`` or ``method`` are not specified for an entry, that
 +-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
 | URI | IP | PORT | HOST | METHOD | ``access_control`` | Why? |
 +=================+=============+=============+=============+============+================================+=============================================================+
-| ``/admin/user`` | 127.0.0.1 | 80 | example.com | GET | rule #1 (``ROLE_USER_IP``) | The URI matches ``path`` and the IP matches ``ip``. |
+| ``/admin/user`` | 127.0.0.1 | 80 | example.com | GET | rule #2 (``ROLE_USER_IP``) | The URI matches ``path`` and the IP matches ``ip``. |
 +-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
-| ``/admin/user`` | 127.0.0.1 | 80 | symfony.com | GET | rule #1 (``ROLE_USER_IP``) | The ``path`` and ``ip`` still match. This would also match |
+| ``/admin/user`` | 127.0.0.1 | 80 | symfony.com | GET | rule #2 (``ROLE_USER_IP``) | The ``path`` and ``ip`` still match. This would also match |
 | | | | | | | the ``ROLE_USER_HOST`` entry, but *only* the **first** |
 | | | | | | | ``access_control`` match is used. |
 +-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
-| ``/admin/user`` | 127.0.0.1 | 8080 | symfony.com | GET | rule #2 (``ROLE_USER_PORT``) | The ``path``, ``ip`` and ``port`` match. |
+| ``/admin/user`` | 127.0.0.1 | 8080 | symfony.com | GET | rule #1 (``ROLE_USER_PORT``) | The ``path``, ``ip`` and ``port`` match. |
 +-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
 | ``/admin/user`` | 168.0.0.1 | 80 | symfony.com | GET | rule #3 (``ROLE_USER_HOST``) | The ``ip`` doesn't match the first rule, so the second |
 | | | | | | | rule (which matches) is used. |