How exactly does the security access_control work? (symfony docs)
For every incoming request, Symfony chooses which access_control entry to use based on the URI, the client's IP address, the port, the incoming host name, and the request method. Remember, the first rule that matches is used, and if ip, port, host or method are not specified for an entry, that access_control will match any ip, port, host or method:
| URI | IP | PORT | HOST | METHOD | access_control | Why? |
|---|---|---|---|---|---|---|
| /admin/user | 127…1 | 80 | example.com | GET | rule #1 (ROLE_USER_IP) | The URI matches path and the IP matches ip. |
| /admin/user | 127…1 | 80 | symfony.com | GET | rule #1 (ROLE_USER_IP) | The path and ip still match. This would also match the ROLE_USER_HOST entry, but only the first access_control match is used. |
| /admin/user | 127…1 | 8080 | symfony.com | GET | rule #2 (ROLE_USER_PORT) | The path, ip and port match. |
| /admin/user | 168…1 | 80 | symfony.com | GET | rule #3 (ROLE_USER_HOST) | The ip does not match the first rule, so the second rule (which matches) is used. |
| /admin/user | 168…1 | 80 | symfony.com | POST | rule #3 (ROLE_USER_HOST) | The second rule still matches. This would also match the third rule (ROLE_USER_METHOD), but only the first matched access_control is used. |
| /admin/user | 168…1 | 80 | example.com | POST | rule #4 (ROLE_USER_METHOD) | The ip and host don't match the first two entries, but the third, ROLE_USER_METHOD, matches and is used. |
| /admin/user | 168…1 | 80 | example.com | GET | rule #4 (ROLE_MANAGER) | The ip, host and method prevent the first three entries from matching. But since the URI matches the path pattern, the ROLE_MANAGER (or ROLE_ADMIN) entry is used. |
| /foo | 127…1 | 80 | symfony.com | POST | matches no entries | This doesn't match any access_control rules, since its URI doesn't match any of the path values. |
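As an added illustration (not code from the Symfony docs or the page), here is a small Python model of the first-match resolution the table describes. The rule list is constructed to reproduce the table, since the page does not show the configuration; assumptions: path and host are regular expressions as in Symfony, ip accepts a single address or a CIDR range, and rule #1 is given port 80 so that the port-8080 request falls through to rule #2 as the table says.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed rule list (assumption: the page does not show the configuration).
# Rules are tried top to bottom; a key that is absent matches every request.
# Rule #1 carries port 80 so that the port-8080 request reaches rule #2, as in the table.
RULES = [
    {"path": r"^/admin", "roles": "ROLE_USER_IP", "ip": "127.0.0.1", "port": 80},
    {"path": r"^/admin", "roles": "ROLE_USER_PORT", "ip": "127.0.0.1", "port": 8080},
    {"path": r"^/admin", "roles": "ROLE_USER_HOST", "host": r"symfony\.com"},
    {"path": r"^/admin", "roles": "ROLE_USER_METHOD", "methods": ["POST", "PUT"]},
    {"path": r"^/admin", "roles": "ROLE_MANAGER"},
]


def rule_matches(rule, uri, ip, port, host, method):
    """True when every constraint the rule specifies holds; absent keys match anything."""
    if "path" in rule and not re.search(rule["path"], uri):
        return False
    if "ip" in rule and ip_address(ip) not in ip_network(rule["ip"], strict=False):
        return False
    if "port" in rule and rule["port"] != port:
        return False
    if "host" in rule and not re.search(rule["host"], host, re.IGNORECASE):
        return False
    if "methods" in rule and method.upper() not in rule["methods"]:
        return False
    return True


def resolve(rules, uri, ip, port, host, method):
    """Return (1-based rule number, required role) of the FIRST matching rule, else None."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, uri, ip, port, host, method):
            return number, rule["roles"]
    return None


if __name__ == "__main__":
    # Constructed requests mirroring rows of the table above.
    requests = [
        ("/admin/user", "127.0.0.1", 80, "example.com", "GET"),
        ("/admin/user", "127.0.0.1", 8080, "symfony.com", "GET"),
        ("/admin/user", "168.0.0.1", 80, "example.com", "POST"),
        ("/foo", "127.0.0.1", 80, "symfony.com", "POST"),
    ]
    for req in requests:
        print(req, "->", resolve(RULES, *req))
    # Same request with the catch-all rule moved first: it now shadows every stricter rule.
    print("catch-all first:", resolve([RULES[-1]] + RULES[:-1], *requests[0]))
```

Moving the catch-all ROLE_MANAGER entry to the front makes it win for every /admin request, so the order of entries deserves the same review as their contents.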
Source: https://symfony.com/doc/current/security/