Tags: php, symfony, sulu

Anonymous users can access restricted URLs on Sulu CMF


I'm trying to create a password-protected area of a webpage using Sulu CMF and have problems making it work properly.

I followed this guide: https://docs.sulu.io/en/2.5/cookbook/user-context-caching.html

As a consequence, when activating permissions for a subpage in the admin, the page is not displayed in the navigation anymore, which is good. But I am still able to display the page using the corresponding URL in the browser, instead of being redirected to the login page.

What am I missing?

I have the impression that the Symfony firewall does not take effect. Here is the configuration from security.yaml.

# ...
website:
    pattern: ^/
    lazy: true
    provider: sulu
    form_login:
        login_path: login
        check_path: login
    logout:
        path: logout
        target: /
    remember_me:
        secret:   "%kernel.secret%"
        lifetime: 604800 # 1 week in seconds
        path:     /
# ...

And I found this in the logs:

[2024-01-11T11:15:00.095350+00:00] security.DEBUG: Checking for authenticator support. {"firewall_name":"website","authenticators":2} []
[2024-01-11T11:15:00.095425+00:00] security.DEBUG: Checking support on authenticator. {"firewall_name":"website","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2024-01-11T11:15:00.095448+00:00] security.DEBUG: Authenticator does not support the request. {"firewall_name":"website","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2024-01-11T11:15:00.095461+00:00] security.DEBUG: Checking support on authenticator. {"firewall_name":"website","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2024-01-11T11:15:00.095480+00:00] security.DEBUG: Authenticator does not support the request. {"firewall_name":"website","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []

Solution

  • I got it working. In security.yaml I needed to add

    access_control:
        # ...
        - { path: ^/en/protected-area, roles: ROLE_USER }
        # ...

    To me, that is a bit unsatisfying, as permissions for restricted pages need to be set in the Sulu backend. I didn't expect that it is necessary to additionally define the paths here in security.yaml. It's somehow redundant.
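To make visible why the lazy firewall on its own served the page to anonymous visitors and what the access_control rule from the answer changes, here is a small PHP model of Symfony's first-matching-rule access_control evaluation (an added example, not Sulu or Symfony code; the rule lists, request paths and the second locale /de/ are constructed assumptions). It also shows a caveat of the rule as written: anchored on ^/en/, it does not cover the same page under another locale prefix.

```php
<?php
declare(strict_types=1);

/**
 * Minimal model of Symfony's access_control: rules are checked in order,
 * the first rule whose `path` regex matches the request decides, and a
 * request that matches no rule is allowed. With `lazy: true` the firewall
 * does not authenticate on its own, so without a matching rule an anonymous
 * visitor is simply served the page (the behaviour described in the question).
 */
function isAccessGranted(array $accessControl, string $path, array $userRoles): bool
{
    foreach ($accessControl as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $path) !== 1) {
            continue; // rule does not apply to this path
        }
        // First matching rule decides: the user needs at least one of its roles.
        return count(array_intersect($rule['roles'], $userRoles)) > 0;
    }
    return true; // no rule matched: access_control imposes nothing
}

// Constructed rule lists: before the fix (empty) and after (the answer's rule).
$before = [];
$after  = [['path' => '^/en/protected-area', 'roles' => ['ROLE_USER']]];

// Constructed principals: anonymous visitor (no roles) and a logged-in user.
$anonymous = [];
$member    = ['ROLE_USER'];

$cases = [
    ['/en/protected-area',          $anonymous],
    ['/en/protected-area/sub-page', $anonymous],
    ['/en/protected-area',          $member],
    ['/de/protected-area',          $anonymous], // assumed second locale: not covered by the rule
];

foreach ($cases as [$path, $roles]) {
    printf("%-28s roles=%-10s before=%-8s after=%s\n",
        $path,
        $roles === [] ? 'anonymous' : implode(',', $roles),
        isAccessGranted($before, $path, $roles) ? 'granted' : 'denied',
        isAccessGranted($after, $path, $roles) ? 'granted' : 'denied'
    );
}
```

The last case is the practical check: in a multi-locale Sulu site, one rule per locale prefix (or a pattern such as ^/[a-z]{2}/protected-area) is needed, or the protection is only partial.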