Locking down _profiler route to require PIMCORE_ADMIN role to reduce …

…exposure of sensitive info
pimcore · Oct 17, 2024 · d7c0863 · d7c0863
1 parent 05029c0
commit d7c0863
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -7,9 +7,14 @@ security:
 
     firewalls:
         dev:
-            pattern: ^/(_(profiler|wdt)|css|images|js)/
+            pattern: ^/(_wdt|css|images|js)/
             security: false
 
+        profiler:
+            pattern: ^/(_(profiler))/
+            provider: pimcore_admin
+            http_basic: ~
+
         # Pimcore WebDAV HTTP basic // DO NOT CHANGE!
         pimcore_webdav:
             pattern: ^/asset/webdav
@@ -29,6 +34,7 @@ security:
         - { path: ^/admin/login/(login|lostpassword|deeplink|csrf-token)$, roles: PUBLIC_ACCESS }
         - { path: ^/admin, roles: ROLE_PIMCORE_USER }
         - { path: ^/asset/webdav, roles: ROLE_PIMCORE_USER }
+        - { path: ^/_profiler, roles: ROLE_PIMCORE_ADMIN }
 
     role_hierarchy:
         # Pimcore admin  // DO NOT CHANGE!