I am developing a SF2 web app which is fully behind a firewall: nobody should be able to see or modify anything before being logged in (except the login form, of course).
So here is the firewall part of my security.yml file:
```yaml
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern: ^/login$
        anonymous: true
    main:
        pattern: ^/
        anonymous: false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path: fos_user_security_logout
            target: /
```
This works fine: if I type the URL http://mywebsite.com/app.php/article/show/1 while not logged in, I am forwarded to the login page.
My problem is that I have some documents and media files located in Symfony's web directory (e.g. myapp/web/document/myTextFile.txt). They are accessible via my app for logged-in users, but also for non-logged-in users! Anybody who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file...
Why doesn't the pattern: ^/ line prevent this? Is the web folder excluded by default because it contains app.php and the js/ and css/ folders?

How do I protect my documents?
Update: Display protected images
I tried the solution suggested by Gerry; it works fine to protect the download of my documents.

However, I also have pictures in my document folder and I would like to display these pictures, directly included in the relevant pages. For example, in http://mywebsite.com/app.php/article/show/1 there will be some text and the picture myapp/app/Resources/document/AAA.jpg, and in http://mywebsite.com/app.php/article/show/2 there will be some text and the picture myapp/app/Resources/document/BBB.jpg, etc.

I tried to do it with Assetic, but it seems that it is made for "static" images (like the top logo, or images which are not object-dependent).

A solution I see is to convert the image to Base64 and include it like this: <img alt="" src="data:image/png;base64,(...)" />, but it seems really ugly...
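Editor's note on the underlying cause, and an added example (not the asker's code, and not Gerry's answer, which is not reproduced on this page): the firewall only inspects requests that reach the front controller app.php. Any file that physically exists under web/ can also be fetched by its direct path (http://mywebsite.com/document/myTextFile.txt), which the web server's rewrite rules serve without ever invoking Symfony, so no firewall pattern can protect it. The usual fix is the one the update already hints at: keep the files outside web/ (here app/Resources/document/) and serve them through a controller that sits under the main firewall. The controller below does that for both downloads and inline images; the bundle namespace Acme\DocumentBundle and the route name document_show are assumptions, and the @Route annotation requires SensioFrameworkExtraBundle (shipped with the Symfony Standard Edition).

```php
<?php
// src/Acme/DocumentBundle/Controller/DocumentController.php
// Added example, not code from the original question. Assumes the files were
// moved out of web/ into app/Resources/document/, that the bundle namespace
// Acme\DocumentBundle and the route name "document_show" are made up for this
// illustration, and that SensioFrameworkExtraBundle provides @Route.
namespace Acme\DocumentBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class DocumentController extends Controller
{
    /**
     * Serves one file from the protected directory. Because /document/... is
     * matched by the "main" firewall (pattern ^/, anonymous: false), an
     * unauthenticated request is redirected to the login form before this
     * action runs. The isGranted() check is defence in depth in case the
     * firewall configuration is relaxed later.
     *
     * The requirement forbids "/" and a leading ".", so "../" and dotfiles
     * never match the route at all.
     *
     * @Route("/document/{name}", name="document_show",
     *        requirements={"name"="[A-Za-z0-9][A-Za-z0-9._-]*"})
     */
    public function showAction($name)
    {
        // security.context is the Symfony 2.x service (renamed to
        // security.authorization_checker in 2.6).
        if (!$this->get('security.context')->isGranted('ROLE_USER')) {
            throw new AccessDeniedException();
        }

        $baseDir = realpath($this->container->getParameter('kernel.root_dir').'/Resources/document');
        if (false === $baseDir) {
            throw new NotFoundHttpException('Document directory is missing.');
        }

        // Resolve the final path and verify it still lies inside $baseDir, so
        // neither a symlink nor a future change to the route requirement can
        // escape the directory.
        $path = realpath($baseDir.'/'.$name);
        if (false === $path || 0 !== strpos($path, $baseDir.DIRECTORY_SEPARATOR) || !is_file($path)) {
            throw new NotFoundHttpException(sprintf('Document "%s" not found.', $name));
        }

        // BinaryFileResponse (Symfony >= 2.2) streams the file and guesses its
        // Content-Type. Images are sent inline so an <img src="..."> tag can
        // display them; everything else is sent as a download.
        $response = new BinaryFileResponse($path);
        $isImage  = 0 === strpos((string) $response->getFile()->getMimeType(), 'image/');
        $response->setContentDisposition(
            $isImage ? ResponseHeaderBag::DISPOSITION_INLINE : ResponseHeaderBag::DISPOSITION_ATTACHMENT,
            $name
        );

        // Mark the response private so a shared cache or proxy never hands a
        // copy to a visitor the firewall has not authenticated.
        $response->setPrivate();

        return $response;
    }
}
```

With this in place the article template can reference a protected picture exactly like a public one, `<img alt="" src="{{ path('document_show', {'name': 'AAA.jpg'}) }}" />`: the browser sends the session cookie with the image request, the main firewall authenticates it, and the controller streams the file inline. No Base64 embedding is needed, and a direct request for the file without a session is redirected to the login form like any other page.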