afup/app/config/security.yml
2020-05-08 12:34:03 +02:00


# To get started with security, check out the documentation:
# http://symfony.com/doc/current/book/security.html
# Symfony security configuration: user providers, firewalls, URL-based access
# rules and the role hierarchy.
# NOTE(review): this listing had lost its indentation; the nesting below is
# reconstructed from the Symfony security schema — confirm against the
# repository copy before relying on it.
security:
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        # Users authenticated through GitHub (used by github_secured_area).
        github_user:
            id: 'AppBundle\Event\Model\Repository\GithubUserRepository'
        # Association members / back-office users (used by legacy_secured_area).
        legacy_user:
            id: 'AppBundle\Association\Model\Repository\UserRepository'
        # Declares no users, and no firewall in this file references it.
        in_memory:
            memory: ~
    # Firewalls are evaluated in order; the first whose pattern matches the
    # request handles it.
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        # NOTE(review): `security: false` leaves /_profiler and /_wdt without any
        # authentication wherever those routes are loaded — confirm they are
        # registered in the dev environment only.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        # Back office, ticketing, techletter and member area. Anonymous requests
        # are let through the firewall, so protection of these paths depends
        # entirely on the access_control rules below.
        legacy_secured_area:
            anonymous: ~
            # NOTE(review): `\w+` does not match '-', so an event path segment
            # containing a hyphen would not be handled by this firewall and
            # would fall through to `main` — confirm the slug format.
            pattern: ^(/admin/|/event/\w+/tickets|/association/techletter|/member)
            provider: legacy_user
            logout_on_user_change: true
            logout:
                path: /admin/logout
                target: /
            guard:
                authenticators:
                    - 'AppBundle\Security\LegacyAuthenticator'
                    - 'AppBundle\Security\LegacyHashAuthenticator'
                entry_point: 'AppBundle\Security\LegacyAuthenticator'
            # Same context name as `main`: both firewalls share one session
            # token, so a login here is also visible to requests handled by `main`.
            context: share_context
        # GitHub-authenticated area (votes, CFP, speaker infos, OAuth check URL).
        # No `anonymous` key and no shared context: it keeps its own token,
        # separate from the two firewalls above and below.
        github_secured_area:
            pattern: ^(/event/.*/(vote|cfp|speaker-infos)|/connect/github/check|/event/speaker-infos)
            provider: github_user
            logout_on_user_change: true
            guard:
                authenticators:
                    - 'AppBundle\Security\MyGithubAuthenticator'
                entry_point: 'AppBundle\Security\MyGithubAuthenticator'
        # Catch-all for every other URL (no pattern). It sets no `provider`, so
        # Symfony's default provider selection applies — confirm which one that is.
        main:
            anonymous: ~
            context: share_context
            logout_on_user_change: true
    # Only the FIRST rule whose matchers (path, ips, ...) fit the request is
    # applied, so the order of the entries below is security-relevant.
    access_control:
        # NOTE(review): this path shape (/event/vote/) differs from the
        # github_secured_area firewall pattern (/event/<x>/vote) — confirm the
        # rule still corresponds to a live route.
        - { path: ^/event/vote/, roles: ROLE_GITHUB }
        # Public entry points of the back office; must stay above the ^/admin/
        # catch-all further down.
        - { path: ^/admin/(login|register|password), roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # The more specific techletter path has to precede the generic one.
        - { path: ^/admin/techletter/members, roles: ROLE_ADMIN }
        - { path: ^/admin/techletter, roles: ROLE_VEILLE }
        - { path: ^/admin/company, roles: ROLE_COMPANY_MANAGER }
        - { path: ^/admin/members/badges, roles: ROLE_ADMIN }
        - { path: ^/admin/event/speakers-management, roles: ROLE_FORUM }
        - { path: ^/admin/(members/reporting|association/relances|talk|slackmembers/check), roles: ROLE_ADMIN}
        - { path: ^/member, roles: [ROLE_USER, ROLE_MEMBER_EXPIRED]}
        # Unreachable: same path and no extra matcher as the ROLE_ADMIN rule two
        # lines above, which always wins.
        - { path: ^/admin/(members/reporting|association/relances|talk|slackmembers/check), roles: ROLE_NO_ACCESS}
        # Catch-all for the back office: any /admin/ URL not listed above only
        # requires ROLE_MEMBER_EXPIRED, which every ROLE_USER inherits (see
        # role_hierarchy). A new admin route is therefore open to all logged-in
        # members unless a stricter rule is added above this line or the
        # controller enforces its own check.
        - { path: ^/admin/, roles: ROLE_MEMBER_EXPIRED }
        # `allow_if` is an access decision, not a matcher: this rule matches every
        # /blog request and denies it when the expression is false.
        # NOTE(review): getClientIp() is only as trustworthy as the trusted-proxy
        # configuration (not visible here) — confirm forwarded headers from
        # untrusted sources are ignored. Also confirm ALLOW_BLOG_FROM_ALL can
        # only be set by the server environment, since it opens /blog to everyone.
        - { path: ^/blog, allow_if: "request.getClientIp() in ['217.70.189.71', '127.0.0.1', '192.168.42.1'] or request.server.get('ALLOW_BLOG_FROM_ALL') == 1" }
        # Never applied: the rule above already matches every /blog request.
        - { path: ^/blog, roles: ROLE_NO_ACCESS }
        # Payment callbacks: anonymous access from the %paybox_ips% addresses
        # (parameter defined outside this file), ROLE_SUPER_ADMIN from anywhere else.
        # NOTE(review): there is no '/' between the group and `paybox-callback`,
        # so the pattern matches /associationpaybox-callback and
        # /event/<word>/ticketspaybox-callback. If the real routes are
        # .../tickets/paybox-callback and /association/paybox-callback (routing
        # is not visible here), none of these three rules ever match and the
        # IP restriction is not enforced — check the routing and add the '/'.
        - { path: ^/(event/\w+/tickets|association)paybox-callback, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: "%paybox_ips%" }
        - { path: ^/(event/\w+/tickets|association)paybox-callback, roles: ROLE_SUPER_ADMIN }
        # Unreachable: the ROLE_SUPER_ADMIN rule above has the same path and no
        # `ips` matcher, so it catches every remaining request.
        - { path: ^/(event/\w+/tickets|association)paybox-callback, roles: ROLE_NO_ACCESS }
    # Each role on the left also grants the roles listed on the right.
    # ROLE_GITHUB and ROLE_NO_ACCESS are not part of the hierarchy;
    # ROLE_NO_ACCESS is presumably never granted and serves as "deny" — verify.
    role_hierarchy:
        ROLE_USER: [ROLE_MEMBER_EXPIRED]
        ROLE_COMPANY_MANAGER: [ROLE_USER]
        ROLE_ADMIN: [ROLE_USER, ROLE_DEPLOY, ROLE_APERO, ROLE_ANNUAIRE, ROLE_FORUM, ROLE_SITE, ROLE_VEILLE]
        # ROLE_ALLOWED_TO_SWITCH is the impersonation role; no firewall in this
        # file enables `switch_user`, so it has no effect unless that is
        # configured elsewhere.
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]