90f7ff50c8
This PR was merged into the 3.2-dev branch.
Discussion
----------
[Security] Expose the required roles in AccessDeniedException
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Nowadays it is more and more common to protect some sensitive actions and part of a website using 2FA or some re-authentication mechanism (per example, on Github you have to enter your password again when you add an ssh key). But currently, in Symfony, it is really hard to implement without having to duplicate the logic, provide an explicit list of URLs to protect or hack into the security component.
A good way to achieve that would be to add a special role (like IS_AUTHENTICATED_FULLY) and use it in the access map. But it requires us to be able to have a custom logic in an ExceptionListener depending on the roles behind an AccessDeniedException.
With this patch we could write an ExceptionListener of this kind (a similar logic could also be used in an AccessDeniedHandler):
```php
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
do {
if ($exception instanceof AccessDeniedException) {
foreach ($exception->getAttributes() as $role) {
if ($role === 'IS_AUTHENTICATED_2FA' && !$this->accessDecisionManager->decide($this->tokenStorage->getToken(), $role, $exception->getObject())) {
// Start 2FA
}
}
}
} while (null !== $exception = $exception->getPrevious());
}
```
Replaces #18661
Commits
-------
|
||
---|---|---|
.. | ||
CacheWarmer | ||
Command | ||
Console | ||
Controller | ||
DataCollector | ||
DependencyInjection | ||
EventListener | ||
HttpCache | ||
Kernel | ||
Resources | ||
Routing | ||
Templating | ||
Test | ||
Tests | ||
Translation | ||
Validator | ||
.gitignore | ||
CHANGELOG.md | ||
Client.php | ||
composer.json | ||
FrameworkBundle.php | ||
LICENSE | ||
phpunit.xml.dist | ||
README.md |