From 136171596e169838e92b04ea7bd1cd90b414f491 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 17 Nov 2015 09:48:51 +0100 Subject: [PATCH] Removed the comments about the is_granted() issues in non-secure pages --- book/security.rst | 16 +++++++--------- cookbook/controller/error_pages.rst | 20 +------------------- 2 files changed, 8 insertions(+), 28 deletions(-) diff --git a/book/security.rst b/book/security.rst index 5953e702654..094bb487bfe 100644 --- a/book/security.rst +++ b/book/security.rst @@ -884,7 +884,7 @@ Access Control in Templates ........................... If you want to check if the current user has a role inside a template, use -the built-in helper function: +the built-in ``is_granted()`` helper function: .. configuration-block:: @@ -900,20 +900,18 @@ the built-in helper function: Delete -If you use this function and you are *not* behind a firewall, an exception will -be thrown. Again, it's almost always a good idea to have a main firewall that -covers all URLs (as shown before in this chapter). - -.. caution:: +.. note:: - Be careful with this in your base layout or on your error pages! Because of - some internal Symfony details, to avoid broken error pages in the ``prod`` - environment, wrap calls in these templates with a check for ``app.user``: + In Symfony versions previous to 2.8, using the ``is_granted()`` function + in a page that wasn't behind a firewall resulted in an exception. That's why + you also needed to check first for the existence of the user: .. code-block:: html+twig {% if app.user and is_granted('ROLE_ADMIN') %} + Starting from Symfony 2.8, the ``app.user and ...`` check is no longer needed. + Securing other Services ....................... diff --git a/cookbook/controller/error_pages.rst b/cookbook/controller/error_pages.rst index f169aa64cfb..e516976128a 100644 --- a/cookbook/controller/error_pages.rst +++ b/cookbook/controller/error_pages.rst 
@@ -96,7 +96,7 @@ To override the 404 error template for HTML pages, create a new

Page not found

{# example security usage, see below #} - {% if app.user and is_granted('IS_AUTHENTICATED_FULLY') %} + {% if is_granted('IS_AUTHENTICATED_FULLY') %} {# ... #} {% endif %} @@ -124,24 +124,6 @@ store the HTTP status code and message respectively. for the standard HTML exception page or ``exception.json.twig`` for the JSON exception page. -Avoiding Exceptions when Using Security Functions in Error Templates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -One of the common pitfalls when designing custom error pages is to use the -``is_granted()`` function in the error template (or in any parent template -inherited by the error template). If you do that, you'll see an exception thrown -by Symfony. - -The cause of this problem is that routing is done before security. If a 404 error -occurs, the security layer isn't loaded and thus, the ``is_granted()`` function -is undefined. The solution is to add the following check before using this function: - -.. code-block:: twig - - {% if app.user and is_granted('...') %} - {# ... #} - {% endif %} - .. _testing-error-pages: Testing Error Pages during Development pFad - Phonifier reborn
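Review bot: in the second book/security.rst hunk, the new ``.. note::`` drops the advice from the removed paragraph that it is almost always a good idea to have a main firewall covering all URLs; that recommendation does not depend on the exception behaviour and is worth keeping as a sentence after the note. The version-specific sentence ("Starting from Symfony 2.8, the ``app.user and ...`` check is no longer needed.") would also fit the docs' usual ``.. versionadded:: 2.8`` directive better than free-form prose, and the note should say what ``is_granted()`` now does on a page that is not behind a firewall (what it returns instead of throwing), since that is what a reader deciding whether to remove the ``app.user`` guard needs to know.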
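Review bot: in the first cookbook/controller/error_pages.rst hunk, the unchanged comment ``{# example security usage, see below #}`` still points readers "below", but the section it referred to ("Avoiding Exceptions when Using Security Functions in Error Templates") is deleted later in this same patch, so the reference now dangles; either drop "see below" from the comment or point it at the ``is_granted()`` note in book/security.rst.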
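Review bot: the second error_pages.rst hunk removes the whole "Avoiding Exceptions when Using Security Functions in Error Templates" section without leaving a pointer, so readers on versions before 2.8 lose the explanation of why the exception occurs ("routing is done before security ... the security layer isn't loaded") and of the ``app.user and is_granted('...')`` workaround; consider replacing the section with a one-line cross-reference to the versioned note in book/security.rst, and check the rest of the cookbook for links to the deleted heading.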