FOSUserBundle access control for admin section allows anonymous users


I'm trying to make the admin section only accessible for admin users using FOSUserBundle.

However, if I go to the admin URL (www.foo.local/app_dev.php/admin) without authentication, it allows me access.

In the Symfony debug toolbar it shows "Logged in as anon."

I have configured the FOSUserBundle following the official documentation.

Here is the security.yml config:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true 

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }

I don't know why it doesn't ask for ROLE_ADMIN in order to allow access to the admin section. Any ideas?

1 answer

trrrrrrm (accepted answer)

I guess that's because your rule says

- { path: ^/admin/, role: ROLE_ADMIN }

which means

www.foo.local/app_dev.php/admin/one
www.foo.local/app_dev.php/admin/two

Notice the '/' after admin

whereas

www.foo.local/app_dev.php/admin

won't satisfy the rule because it's missing the '/' at the end.

Try changing the rule to:

- { path: ^/admin, role: ROLE_ADMIN }
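To make the matching behaviour concrete, here is an added example (not code from the question, the answer, or Symfony itself) that simulates how Symfony evaluates access_control: the path regex is tested with an unanchored search against the decoded path info (the app_dev.php front controller is not part of it), the first matching rule wins, and a request that matches no rule is not restricted at all. The rule lists copy the question's config; the role hierarchy is the question's. The STRICT_RULES variant with `^/admin(/|$)` is my own suggestion, not something on the page: `^/admin` also matches paths such as `/administrator`, which may or may not be intended.

```python
import re
from urllib.parse import unquote

# Rules copied from the question's security.yml. Symfony evaluates them in order
# and uses the first entry whose path regex matches the request's path info.
ORIGINAL_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/", "ROLE_ADMIN"),  # trailing slash: "/admin" itself never matches
]

# The accepted answer's fix: drop the trailing slash.
FIXED_RULES = ORIGINAL_RULES[:-1] + [(r"^/admin", "ROLE_ADMIN")]

# Assumed tighter variant (my suggestion, not from the page): matches "/admin"
# and "/admin/..." but not unrelated prefixes such as "/administrator".
STRICT_RULES = ORIGINAL_RULES[:-1] + [(r"^/admin(/|$)", "ROLE_ADMIN")]

# role_hierarchy from the question.
ROLE_HIERARCHY = {
    "ROLE_ADMIN": ["ROLE_USER"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"],
}


def effective_roles(roles):
    """Expand a user's roles through the hierarchy (ROLE_SUPER_ADMIN -> ROLE_ADMIN -> ROLE_USER)."""
    result = set(roles)
    stack = list(roles)
    while stack:
        role = stack.pop()
        for child in ROLE_HIERARCHY.get(role, []):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def first_matching_rule(rules, path_info):
    """Return the first (regex, role) whose regex matches the decoded path info, or None.

    Symfony's RequestMatcher runs preg_match on rawurldecode($pathInfo); re.search
    is the equivalent unanchored search, so '^' and '$' in the rule behave the same.
    """
    decoded = unquote(path_info)
    for regex, role in rules:
        if re.search(regex, decoded):
            return regex, role
    return None


def is_allowed(rules, path_info, user_roles):
    """Decide access for a request as the firewall's access_control would.

    No matching rule means no restriction, which is exactly why "/admin" was
    reachable anonymously with the "^/admin/" rule. An anonymous user has no roles.
    """
    match = first_matching_rule(rules, path_info)
    if match is None:
        return True
    required = match[1]
    if required == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    return required in effective_roles(user_roles)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES), ("strict", STRICT_RULES)):
        for path in ("/admin", "/admin/one", "/administrator", "/login"):
            print(f"{name:8} {path:16} anon={is_allowed(rules, path, [])!s:5} "
                  f"super_admin={is_allowed(rules, path, ['ROLE_SUPER_ADMIN'])}")
```

Running the script prints one line per rule set and path; the original rules let an anonymous request through to `/admin` while blocking `/admin/one`, the fixed rules block both, and only the strict variant leaves `/administrator` unmatched.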