SyliusCon 2025 in Lyon
Join Us!
🛣️ Roadmap💻 Sylius Demo💬 Community Slack

Customizing Checkout

How to disable guest checkout?

In some projects, you may want to require customers to log in or register before proceeding to checkout.

This guide explains how to disable guest checkout in both the Shop UI and the API in Sylius 2.0.

Disabling Guest Checkout (Shop UI)

To prevent guests from accessing the checkout process via the standard web interface:

1. Update security.yaml

Edit the config/packages/security.yaml file and add an access control rule to restrict access to the checkout URL:

# config/packages/security.yaml

security:
    access_control:
        - { path: "%sylius.security.shop_regex%/checkout", role: ROLE_USER }

💡 This means that only logged-in users (with at least ROLE_USER) can access /checkout.

2. Result

If a guest user tries to start the checkout process, they will be redirected to the login or registration page. After successful authentication, they are automatically taken back to the checkout addressing step.

Disabling Guest Checkout (Shop API)

By default, Sylius 2.0's API allows anonymous users to complete checkout. To restrict this and require login for checkout-related API routes, follow the steps below.

1. Allow anonymous users limited access

Update your security.yaml to allow public access only for the following actions:

  • Creating and removing a cart (POST, /api/v2/shop/orders)

  • Viewing and updating the cart by token (GET, POST, DELETE /api/v2/shop/orders/{tokenValue} and /api/v2/shop/orders/{tokenValue}/items)

Add this to your security.yaml:

# config/packages/security.yaml

security:
    access_control:
-       - { path: "%sylius.security.api_shop_regex%/.*", role: PUBLIC_ACCESS }       
+       - { path: "%sylius.security.api_shop_regex%/orders", methods: [POST, GET, DELETE], role: PUBLIC_ACCESS }
+       - { path: "%sylius.security.api_shop_regex%/orders/.*/items", methods: [POST, GET, DELETE], role: PUBLIC_ACCESS }
+       - { path: "%sylius.security.api_shop_regex%/.*", role: ROLE_USER }

Learn more about Symfony access control here!

⚠️ Important

The last rule (%sylius.security.api_shop_regex%/.*) must be at the bottom of your access control list to avoid prematurely matching other routes.

2. Result

What This Configuration Allows:

  • ✅ Anonymous users can:

    • Create a cart (POST /api/v2/shop/orders)

    • View and update cart contents (GET, POST, DELETE /api/v2/shop/orders/{tokenValue}/items)

  • ❌ Anonymous users cannot:

    • Set addresses PUT /api/v2/shop/orders/{tokenValue}

    • Choose shipping methods PATCH /api/v2/shop/orders/{tokenValue}/shipments/{shipmentId}

    • Add payments PATCH /api/v2/shop/orders/{tokenValue}/payments/{paymentId}

    • Place orders PATCH /api/v2/shop/orders/{tokenValue}/complete

If they try, they will receive a 401 Unauthorized error.

{
  "code": 401,
  "message": "JWT Token not found"
}

To proceed, the client must authenticate using JWT (typically via /api/v2/shop/customers/token).

PreviousHow to integrate a Payment Gateway as a Plugin?NextMedia

Last updated

Was this helpful?