Symfony2 - Secure specific HTTP methods for URL
I know it is late, but if someone stumbles on this question, here is how to secure a request per HTTP method (see the Symfony security documentation):
    # app/config/security.yml
    security:
        # ...
        access_control:
            - { path: ^/api/v1/users.json, roles: ROLE_ADMIN, methods: [POST, PUT] }
            - { path: /api/v1/users.json, roles: ROLE_ADMIN }
Be careful: the order in which you set the rules matters.
According to the security reference book, you can't secure a URL by method.
Not the best way, but you can do it like this in the action:
    public function listAction(Request $request)
    {
        if ($request->getMethod() == 'GET' && !$this->get('security.context')->isGranted('ROLE_ADMINISTRATOR')) {
            throw $this->createNotFoundException("This page doesn't exist."); // forward a 404, or a message in a json...
        }

        return new Response('Cubilon\\SocialPortal\\APIBundle\\Controller\\UserController', 200);
    }
Or you can create a new kernel event listener that will check the method and the user ROLE like my previous example, but extended to all the actions! ^^
Watch out, there are 2 things:
- firewall (authentication)
- access control (authorization)
The accepted answer shows how to restrict an access control rule to an HTTP method, but here is how to restrict a firewall rule to an HTTP method:
    security:
        firewalls:
            secured_area:
                methods: [POST, PUT]
Note that this feature was added in Symfony 2.5.
As shown in the other answer, here is how to restrict an access control rule to an HTTP method:
    security:
        # ...
        access_control:
            - { path: ^/api/v1/users.json, roles: ROLE_ADMIN, methods: [POST, PUT] }
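The first answer's warning that rule order matters, and what a method-restricted rule leaves uncovered, shown as an added example (not code from any of the answers or from Symfony). It is a simplified plain-PHP model of first-match-wins evaluation of `access_control` entries; the function names, the `ROLE_USER` role and the rule sets are constructed for illustration.

```php
<?php
// Simplified model, not Symfony's implementation: the first rule whose path
// regex and method list both match decides; later rules are never consulted.

/** Return the first matching rule, or null when no rule applies. */
function firstMatchingRule(array $rules, $method, $path)
{
    foreach ($rules as $rule) {
        if (!preg_match('{' . $rule['path'] . '}', $path)) {
            continue;
        }
        // A rule without "methods" applies to every HTTP method.
        if (!empty($rule['methods']) && !in_array(strtoupper($method), $rule['methods'], true)) {
            continue;
        }
        return $rule;
    }
    return null;
}

/** True when the request passes. No matching rule means nothing is enforced. */
function isAllowed(array $rules, $method, $path, array $userRoles)
{
    $rule = firstMatchingRule($rules, $method, $path);
    return $rule === null || in_array($rule['roles'], $userRoles, true);
}

// Constructed rule sets for the path used on this page.
$specificFirst = [
    ['path' => '^/api/v1/users.json', 'roles' => 'ROLE_ADMIN', 'methods' => ['POST', 'PUT']],
    ['path' => '^/api/v1/users.json', 'roles' => 'ROLE_USER'], // catch-all for other methods
];
$broadFirst     = array_reverse($specificFirst); // same rules, catch-all listed first
$methodRuleOnly = [$specificFirst[0]];           // no catch-all at all

$user = ['ROLE_USER']; // constructed non-admin user
$path = '/api/v1/users.json';
$cases = [
    'specific first, POST'    => isAllowed($specificFirst, 'POST', $path, $user),
    'specific first, GET'     => isAllowed($specificFirst, 'GET', $path, $user),
    'broad first, POST'       => isAllowed($broadFirst, 'POST', $path, $user),
    'method rule only, DELETE' => isAllowed($methodRuleOnly, 'DELETE', $path, $user),
];
foreach ($cases as $label => $allowed) {
    printf("%-26s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

With the catch-all listed first, the admin-only rule for POST and PUT is shadowed and never evaluated; with only the method-restricted rule, requests using any other method match no rule at all, which is why the first answer pairs it with a second rule for the same path.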