Create handler for unauthorized requests

Signed-off-by: Tim Goudriaan <tim@codedmonkey.com>

Author: codedmonkey

config/packages/security.yaml

@@ -38,6 +38,9 @@ security:
                 auth_form_path: mfa_login
                 check_path: mfa_login_check
 
+            # Custom access denied handler
+            access_denied_handler: CodedMonkey\Dirigent\Security\AccessDeniedHandler
+
             # activate different ways to authenticate
             # https://symfony.com/doc/current/security.html#the-firewall
 

src/Controller/Dashboard/DashboardCredentialsController.php

@@ -10,8 +10,10 @@
 use EasyCorp\Bundle\EasyAdminBundle\Field\ChoiceField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextareaField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 
 #[AdminRoute(path: '/credentials', name: 'credentials')]
+#[IsGranted('ROLE_ADMIN')]
 class DashboardCredentialsController extends AbstractCrudController
 {
     public static function getEntityFqcn(): string

src/Controller/Dashboard/DashboardRegistryController.php

@@ -19,8 +19,10 @@
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 use EasyCorp\Bundle\EasyAdminBundle\Router\AdminUrlGenerator;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 
 #[AdminRoute(path: '/registries', name: 'registries')]
+#[IsGranted('ROLE_ADMIN')]
 class DashboardRegistryController extends AbstractCrudController
 {
     public static function getEntityFqcn(): string

src/Controller/Dashboard/DashboardUserController.php

@@ -15,8 +15,10 @@
 use EasyCorp\Bundle\EasyAdminBundle\Field\EmailField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 
 #[AdminRoute(path: '/users', name: 'users')]
+#[IsGranted('ROLE_ADMIN')]
 class DashboardUserController extends AbstractCrudController
 {
     public static function getEntityFqcn(): string

src/Security/AccessDeniedHandler.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CodedMonkey\Dirigent\Security;
+
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
+use Twig\Environment;
+
+readonly class AccessDeniedHandler implements AccessDeniedHandlerInterface
+{
+    public function __construct(
+        private Environment $twig,
+        private UrlGeneratorInterface $urlGenerator,
+    ) {
+    }
+
+    public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
+    {
+        if ($request->isXmlHttpRequest()) {
+            return new Response(
+                json_encode([
+                    'error' => 'Access denied',
+                    'message' => 'You do not have permission to access this resource.',
+                ]),
+                Response::HTTP_FORBIDDEN,
+                ['Content-Type' => 'application/json'],
+            );
+        }
+
+        // If user is not authenticated, redirect to login
+        if (!$request->getSession()->has('_security_main')) {
+            return new RedirectResponse(
+                $this->urlGenerator->generate('dashboard_login', [
+                    '_target_path' => $request->getUri(),
+                ])
+            );
+        }
+
+        // Show access denied error page
+        $content = $this->twig->render('dashboard/errors/access_denied.html.twig', [
+            'exception' => $accessDeniedException,
+        ]);
+
+        return new Response($content, Response::HTTP_FORBIDDEN);
+    }
+}

templates/dashboard/errors/access_denied.html.twig

@@ -0,0 +1,7 @@
+{% extends '@EasyAdmin/page/content.html.twig' %}
+
+{% block page_title %}Access Denied{% endblock %}
+
+{% block page_content %}
+  <p class="text-muted">You do not have permission to access this page.</p>
+{% endblock %}

tests/FunctionalTests/Controller/Dashboard/DashboardCredentialsControllerTest.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\FunctionalTests\Controller\Dashboard;
+
+use CodedMonkey\Dirigent\Tests\Helper\WebTestCaseTrait;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+class DashboardCredentialsControllerTest extends WebTestCase
+{
+    use WebTestCaseTrait;
+
+    public function testUserDoesNotHaveAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser();
+
+        $client->request('GET', '/credentials');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_UNAUTHORIZED);
+    }
+
+    public function testAdministratorHasAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser('admin');
+
+        $client->request('GET', '/credentials');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+    }
+}

tests/FunctionalTests/Controller/Dashboard/DashboardRegistryControllerTest.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\FunctionalTests\Controller\Dashboard;
+
+use CodedMonkey\Dirigent\Tests\Helper\WebTestCaseTrait;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+class DashboardRegistryControllerTest extends WebTestCase
+{
+    use WebTestCaseTrait;
+
+    public function testUserDoesNotHaveAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser();
+
+        $client->request('GET', '/registries');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_UNAUTHORIZED);
+    }
+
+    public function testAdministratorHasAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser('admin');
+
+        $client->request('GET', '/registries');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+    }
+}

tests/FunctionalTests/Controller/Dashboard/DashboardRootControllerPermissionsTest.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\FunctionalTests\Controller\Dashboard;
+
+use CodedMonkey\Dirigent\Tests\Helper\WebTestCaseTrait;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+class DashboardRootControllerPermissionsTest extends WebTestCase
+{
+    use WebTestCaseTrait;
+
+    public function testAdministratorHasAdminMenu(): void
+    {
+        $client = static::createClient();
+        $this->loginUser('admin');
+
+        $client->request('GET', '/');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+
+        $this->assertAnySelectorTextSame('.menu-item-label', 'Administration');
+    }
+
+    public function testUserDoesNotHaveAdminMenu(): void
+    {
+        $client = static::createClient();
+        $this->loginUser();
+
+        $client->request('GET', '/');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+
+        $this->assertAnySelectorTextNotContains('.menu-item-label', 'Administration');
+    }
+}

tests/FunctionalTests/Controller/Dashboard/DashboardUserControllerTest.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\FunctionalTests\Controller\Dashboard;
+
+use CodedMonkey\Dirigent\Tests\Helper\WebTestCaseTrait;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+class DashboardUserControllerTest extends WebTestCase
+{
+    use WebTestCaseTrait;
+
+    public function testUserDoesNotHaveAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser();
+
+        $client->request('GET', '/users');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_UNAUTHORIZED);
+    }
+
+    public function testAdministratorHasAccess(): void
+    {
+        $client = static::createClient();
+        $this->loginUser('admin');
+
+        $client->request('GET', '/users');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+    }
+}