Home/ Questions/Q 6840475
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T23:50:56+00:00

Yes, I know there’s Voter tutorial in cookbook . But I’m looking for something

  • 0

Yes, I know there’s Voter tutorial in cookbook. But I’m looking for something slightly different. I need two different layers of blacklisting:

  1. deny certain IP to access whole site
  2. deny certain IP to log in

I wrote Voter that checks if user’s IP is in database. For first scenario, I wrote a kernel listener that checks every request and throws 403 in case it encounters banned user:

if (VoterInterface::ACCESS_DENIED === $this->voter->vote($token, $this, array())) {
    throw new AccessDeniedHttpException('Blacklisted, punk!');
}

First problem lies in VoterInterface itself, which forces me to use TokenInterface $token, which I don’t really need in this case. But that doesn’t matter that much I guess. Next thing is that I actually had to use AccessDeniedHttpException as AccessDeniedException always tries to redirect me to login page and causes endless redirect loop in this case. I’d live with it as it works just fine in dev environment, but when I switch to prod I keep getting 503 with following in prod log:

[2011-11-21 20:54:04] security.INFO: Populated SecurityContext with an
anonymous Token [] []

[2011-11-21 20:54:04] request.ERROR:
Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException:
Blacklisted, punk! (uncaught exception) at xxx line 28 [] []

[2011-11-21 20:54:04] request.ERROR: Exception thrown when handling an
exception
(Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException:
Blacklisted, punk!) [] []

From what I’ve read, it might be problem with xdebug, but it happens even when I turn it off. I also tried vanilla \Exception and it does the same thing. Anyone have any idea why it happens? Or maybe some other solution for such blacklisting case.

Also, I’ve no idea how to solve second case as I don’t know how to stop user before he gets token assigned. My current solution is dealing with InteractiveLoginEvent, checking if user is blacklisted and if so, removing his token. It doesn’t seem to be a safe one and I’m not really comfortable with it. So, any idea how to solve this one? I guess I’m just missing some obvious “pre login event”.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To deny access to the entire website, you can adapt the whitelist code used to secure the dev environment. Stick something like this in app.php:

    if (in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', '1.2.3.4',))) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this site.');
}
    • 0