Implement security checks in every controller method
Some routes do not check whether the user is locked, although that check is needed.
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
// ...
/**
 * Example action that is only reachable by callers granted ROLE_ADMIN.
 *
 * @param mixed                         $name        Not read in the visible part of the body.
 * @param AuthorizationCheckerInterface $authChecker Checker asked whether ROLE_ADMIN is granted.
 *
 * @throws AccessDeniedException When isGranted('ROLE_ADMIN') returns false.
 */
public function hello($name, AuthorizationCheckerInterface $authChecker)
{
    // Strict comparison kept on purpose: only an explicit false denies access.
    $isAdmin = $authChecker->isGranted('ROLE_ADMIN');
    if ($isAdmin === false) {
        throw new AccessDeniedException('Unable to access this page!');
    }

    // NOTE(review): this guard tests the role only. Whether a locked account is
    // rejected here depends on how the lock is enforced elsewhere (user checker,
    // voter, ...) - confirm before relying on it for the "locked user" case.

    // ...
}
or
// Inside a controller action; $this is assumed to provide denyAccessUnlessGranted()
// (e.g. Symfony's AbstractController) - confirm for this project.
// Arguments: the attribute to check, no subject, and the denial message.
// NOTE(review): like the explicit isGranted() form, this tests the role only;
// a separate check is presumably still needed for locked users - confirm.
$this->denyAccessUnlessGranted(
    'ROLE_USER',
    null,
    'message if needed'
);
Edited by Anne Garcia-Fernandez