I use symfony sfDoctrineGuardPlugin to manage authentication for both frontend users and backend users. It's fine, except that I don't want frontend users to be able to login to the backend app. I can setup credentials, but credentials are checked after a user gets authenticated. What I want is to have sigin in form to never validate for a user, that is not in a backend group. How can I do this?
I think I found a better solution. sfDoctrineGuard plugin has its own post validator that checks for an optional callable for user retrival.
//app.yml
all:
sf_guard_plugin:
retrieve_by_username_callable: sfGuardUser::getForBackend
//sfGuardUser.class.php
public static function getForBackend($username)
{
$query = Doctrine::getTable('sfGuardUser')->createQuery('u')
->leftJoin('u.Groups g')
->leftJoin('g.Permissions p')
->where('u.username = ? OR u.email_address = ?', array($username, $username))
->addWhere('u.is_active = ?', true)
->addWhere('p.name = ?', 'backend');
return $query->fetchOne();
}
Here's one idea: You could try creating a custom post-validator for the login form. Here's a Google result:
In this validator, you could check whether the user belongs to the group in question and then throw an error accordingly. The user would not get authenticated.
I think you just have to add:
storage:
class: sfSessionStorage
param:
session_name: sf_backend
at the end of your backend/config/factories.yml
By default, symfony shares session cookies, with this solution, symfony separate this cookies.
来源:https://stackoverflow.com/questions/4735422/symfony-sfdoctrineguardplugin-custom-login-query