Security Flashcards
https://symfonycasts.com/screencast/symfony-security/passport (19 cards)
Which UserProviders does Symfony offer?
Entity User Provider
LDAP User Provider
Memory User Provider
Chain User Provider
Which roles does ROLE_SUPER_ADMIN have when the following configuration is given?
security:
    # ...
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH
How can routes be made accessible only for users with specific roles?
security:
    access_control:
        - { path: '^/admin', roles: ROLE_ADMIN }
How can you deny access from inside a controller?
$this->denyAccessUnlessGranted('ROLE_ADMIN');
How can you use access control inside templates?
{% if is_granted('ROLE_ADMIN') %} <a href="...">Delete</a> {% endif %}
or for certain users
{% if is_granted_for_user(user, 'ROLE_ADMIN') %} <a href="...">Delete</a> {% endif %}
How can you give routes public access for users who are not logged in?
security:
    access_control:
        - { path: ^/admin/login, roles: PUBLIC_ACCESS }
Which role does a user get if he is logged in through the remember-me cookie?
IS_REMEMBERED
Which role does a user get in impersonation mode?
IS_IMPERSONATOR
What does CSRF mean?
Cross-site request forgery
How does csrf_protection work?
- Symfony adds a hidden token, generated on the server side, to the form.
- When a form is submitted, Symfony checks that it carries a valid token.
This ensures the submitted form originated from Symfony, so the user's session cannot be abused by another page that performs its own request (the attack).
How can you override the method Symfony uses to load a user?
Implement UserLoaderInterface on the UserRepository and implement its loadUserByIdentifier() method.
How does Symfony decide which firewall to use?
The first match will apply. Matching can be:
- url-pattern
- host
- http-methods
- a custom request matcher that the dev can implement (RequestMatcherInterface)
How can you improve performance even though many voters are being used?
Use a CacheableVoterInterface
How can you configure the voters to grant access in case all voters abstain?
In security-config:
'access_decision_manager' => [ 'allow_if_all_abstain' => true, ],
How can you configure the voters to grant access in case at least one voter grants access?
In security-config:
'access_decision_manager' => [ 'strategy' => 'affirmative', ],
How can you configure the voters to grant access in case more voters grant access than deny it?
In security-config:
'access_decision_manager' => [ 'strategy' => 'consensus', ],
How can you configure the voters to grant access only if there is not a single voter not granting access?
In security-config:
'access_decision_manager' => [ 'strategy' => 'unanimous', ],
How can you configure the voters to grant access if the first voter that is being asked grants access? (abstain does not count here)
In security-config:
'access_decision_manager' => [ 'strategy' => 'priority', ],
How can you change the HTTP status that is returned in case access is not granted?
The method "isGranted" provides an argument for that.