<?php
namespace Far\UserBundle\EventListener;
use Symfony\Component\EventDispatcher\Event;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
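/**
 * Group-based access control applied on every master request.
 *
 * Rules, in order:
 *  - the registration route is always reachable;
 *  - anonymous requests are redirected to the login route (unless already there);
 *  - members of the "Admin" group may reach everything;
 *  - otherwise the matched route name's prefix selects the group the user must
 *    belong to (see self::$groupByRoutePrefix); a missing membership is a 403;
 *  - routes that match no prefix are allowed.
 *    NOTE(review): that last rule is default-allow (inherited from the original
 *    behaviour) — consider listing every protected prefix explicitly.
 */
class AccessControl implements EventSubscriberInterface
{
    /** Route that must stay reachable without a session (sign-up form). */
    const REGISTRATION_ROUTE = 'fos_user_registration_register';

    /** Route anonymous users are redirected to, and may always reach. */
    const LOGIN_ROUTE = 'fos_user_security_login';

    /**
     * Route-name prefix => group a non-admin user must belong to.
     * Evaluated in insertion order; the first matching prefix decides.
     *
     * @var array<string, string>
     */
    private static $groupByRoutePrefix = [
        'lab_'  => 'Laboratorio',
        'stock' => 'Stock',
        'user'  => 'Admin',
    ];

    private $em;         // entity manager (injected; not used by this listener yet)
    private $dispatcher; // event dispatcher (injected; not used by this listener yet)
    private $security;   // security context: must expose getToken()
    private $router;     // must expose generate($routeName) for the login redirect

    /**
     * Constructor arguments are positional and must match the service
     * definition: entity manager, event dispatcher, security context, router.
     *
     * @param object $em
     * @param object $dispatcher
     * @param object $security
     * @param object $router
     */
    public function __construct($em, $dispatcher, $security, $router)
    {
        $this->em = $em;
        $this->dispatcher = $dispatcher;
        $this->security = $security;
        $this->router = $router;
    }

    /**
     * Listen on kernel.request at priority 0, i.e. after the firewall listener
     * (higher priority) has had the chance to populate the security token.
     *
     * @return array<string, array{string, int}>
     */
    public static function getSubscribedEvents()
    {
        return [
            KernelEvents::REQUEST => ['onKernelRequest', 0],
        ];
    }

    /**
     * Apply the access rules described on the class to a master request.
     *
     * Sub-requests are ignored. A missing token (request outside any firewall)
     * is treated like an anonymous user instead of crashing on a null token.
     *
     * @param GetResponseEvent $event
     *
     * @return bool|null true when the request is explicitly allowed, null otherwise
     *                   (the dispatcher ignores the value; it is kept for callers
     *                   that invoke the listener directly)
     *
     * @throws AccessDeniedHttpException when the user lacks the group the route requires
     */
    public function onKernelRequest(GetResponseEvent $event)
    {
        if ($event->getRequestType() != HttpKernelInterface::MASTER_REQUEST) {
            return null;
        }

        $request = $event->getRequest();
        // Read the matched route from the routing attributes only. Request::get()
        // also consults query/body parameters, which the client controls, so it
        // must not be the source of an access decision.
        $route = $request->attributes->get('_route');

        if ($route === self::REGISTRATION_ROUTE) {
            return true;
        }

        $token = $this->security->getToken();
        $user = $token !== null ? $token->getUser() : null;

        // Anonymous: the token's user is the string 'anon.', not an object.
        // No token at all is handled the same way (fail closed).
        if (!is_object($user)) {
            if ($route !== self::LOGIN_ROUTE) {
                $url = $this->router->generate(self::LOGIN_ROUTE);
                $event->setResponse(new RedirectResponse($url));
            }

            return null;
        }

        if ($user->hasGroup('Admin')) {
            return true;
        }

        $requiredGroup = $this->requiredGroupFor($route);
        if ($requiredGroup === null) {
            return null; // no rule for this route
        }
        if ($user->hasGroup($requiredGroup)) {
            return true;
        }

        // TODO: log the denial (monolog) before throwing.
        throw new AccessDeniedHttpException("Unauthorized access. $route");
    }

    /**
     * Map a matched route name to the group it requires.
     *
     * @param string|null $route matched route name, or null when routing did not match
     *
     * @return string|null required group, or null when no prefix in
     *                     self::$groupByRoutePrefix applies
     */
    private function requiredGroupFor($route)
    {
        if ($route === null || $route === '') {
            return null;
        }

        foreach (self::$groupByRoutePrefix as $prefix => $group) {
            // Prefixes are plain ASCII, so a byte-wise prefix test is exact.
            if (strpos($route, $prefix) === 0) {
                return $group;
            }
        }

        return null;
    }
}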
<container>
    <services>
        <!-- Registers the AccessControl subscriber on kernel.request.
             Argument order is positional and must match
             AccessControl::__construct($em, $dispatcher, $security, $router). -->
        <service id="far_user.eventlistener.stock" class="Far\UserBundle\EventListener\AccessControl">
            <!-- NOTE(review): `connection` is not an attribute the kernel.event_subscriber
                 tag reads; it looks copied from a doctrine.event_subscriber tag — confirm and drop. -->
            <tag name="kernel.event_subscriber" connection="default" />
            <argument type="service" id="doctrine.orm.entity_manager" />
            <argument type="service" id="event_dispatcher" />
            <argument type="service" id="security.context" />
            <argument type="service" id="router" />
        </service>
    </services>
</container>