initial commit

2022-07-11 19:27:00 +02:00
commit fc1690fb7d
122 changed files with 29578 additions and 0 deletions
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -0,0 +1,66 @@
+security:
+
+    access_decision_manager:
+        strategy: unanimous
+        allow_if_all_abstain: false
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+
+        chain_provider:
+            chain :
+                providers: [in_memory, users]
+        in_memory:
+            memory:
+                users:
+                    admin: { password: '%env(resolve:ADMIN_PASSWORD)%', roles: ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH', 'ROLE_USER'] }
+        users:
+            id: chill.main.user_provider
+
+    encoders:
+
+        Chill\MainBundle\Entity\User:
+            algorithm: bcrypt
+        Symfony\Component\Security\Core\User\User: plaintext
+
+    firewalls:
+
+        dev:
+            pattern: ^/(_(profiler|wdt)|css|images|js)/
+            security: false
+
+        default:
+            anonymous: ~
+            provider: chain_provider
+            form_login:
+                csrf_parameter: _csrf_token
+                csrf_token_id: authenticate
+                #csrf_provider: security.csrf.token_manager
+            logout_on_user_change: true
+            logout:
+                path: /saml/logout
+
+            # uncomment to enable impersonate mode in Chill
+            # https://symfony.com/doc/current/security/impersonating_user.html
+            switch_user: true
+
+            # activate different ways to authenticate
+            # https://symfony.com/doc/current/security.html#firewalls-authentication
+
+    # Easy way to control access for large sections of your site
+    # Note: Only the *first* access control that matches will be used
+    access_control:
+        - { path: ^/saml/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/(login|logout), roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/public, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/wopi, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        # access for homepage, the homepage redirect admin to admin section
+        - { path: ^/$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
+        - { path: ^/homepage$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
+        # idem
+        - { path: ^/([a-z]+/)?homepage, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
+        # admin section, only for admin
+        - { path: ^/([a-z]+/)?admin, roles: ROLE_ADMIN }
+        # other pages, only for regular user (no admin)
+        - { path: ^/, roles: ROLE_USER }