Custom AccessDeniedHandler didn't work #28229
Comments
|
Can you please create a small example project that allows to reproduce your issue? |
|
Access denied handler is working in
On the error page it is also seen that first AccessDeniedException, then InsufficientAuthenticationException is thrown. |
|
Same problem, if I follow the doc (http://symfony.com/doc/current/security/access_denied_handler.html), |
|
@xabbuh Here a small example: https://github.com/nicoweb/symfony-issue_28229 |
|
@nicoweb reproduce my problem. I can't give more informations about this issue. |
|
Same problem for me when i use this following : https://symfony.com/doc/current/security/access_denied_handler.html |
|
Same problem here, I followed the @nicoweb, to delete the return and worked as expected. I found another way to have the same result here multiple_guard_authenticators |
|
Did you try to change app/config/services.yml? Mayby it is just documentation issue? I used AccessDeniedHandler in Symfony 2.8 and it works for me. I configured it according to https://symfony.com/doc/2.8/security/access_denied_handler.html. |
|
No the issue is real and #30423 is in itself the proper fix. Status: reviewed |
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Rework firewall's access denied rule | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | ~~#30099~~, #28229 | License | MIT | Doc PR | Follow tickets provided above to reproduce bugs. (there are also some project examples) ~~In addition, I'm looking for someone who knows an answer to [this](#30099 (comment)) regarding rework in this PR.~~ Commits ------- 5790859 Rework firewall access denied rule
|
Patch reverted, reopening. |
|
when is this getting fixed ??? |
|
@GreenLeewayDesignCastle Would you like to create a pull request? |
I'll try to, keep you posted |
Why was it reverted? What was wrong with the patch provided by fabpot? |
|
Exactly the same situation - steps taken from doc: https://symfony.com/doc/current/security/access_denied_handler.html |
|
@chalasr Sorry to insist, but why the patch has been reverted? What was wrong with it and what can we do to help fix this really annoying issue? |
|
Hi everyone, I am also having an issue with Is this the expected behavior of symfony: redirect a logged user to the login page when an AccessDeniedException is thrown? I created an AccessDeniedHandler in my application that will display an error page if there is a user logged by following this documentation: https://symfony.com/doc/master/security/access_denied_handler.html. Btw, in the accessDeniedHandler, the call |
|
I've managed to mitigate the bug by creating a subscriber listening for thrown namespace App\EventSubscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Firewall\AccessListener;
class AccessDeniedSubscriber implements EventSubscriberInterface
{
public function onKernelException(GetResponseForExceptionEvent $event): void
{
$exception = $event->getException();
if ($exception instanceof AccessDeniedException && !self::isThrownByFirewall($exception)) {
// Create your own response like in a custom access denied handler
$response = new Response('blablabla', 403);
$event->setResponse($response);
$event->stopPropagation();
}
}
public static function getSubscribedEvents()
{
return [
// Define the priority to execute our subscriber before the one from the security component
KernelEvents::EXCEPTION => ['onKernelException', 1],
];
}
/**
* Determines, by analyzing the stack trace, if an exception has been thrown by the firewall.
*/
private static function isThrownByFirewall(\Throwable $exception): bool
{
foreach ($exception->getTrace() as $stackItem) {
$class = $stackItem['class'] ?? null;
if ($class === AccessListener::class) {
return true;
}
}
return false;
}
}Once the bug is fixed by Symfony devs, you will have to use a real custom access denied handler and delete this subscriber (it could break easily with a future Symfony update). |
|
I have solved the problem by changing in the AccessDeniedHandler class |
Asking the same question again… If you want people to help, you have to explain why the patch created by @fabpot was reverted, otherwise we will never be able to make progress on this issue. |
|
see #31136 for the context of why the fix was reverted |
|
So, if I understand correctly, this patch brought BC issues to the 3.X and 4.X branches? I understand why it was reverted, but why the patch has not been merged in the (And thank you for the answer 🙂) |
|
Based on the workaroung of @nesk for Symfony 5 you can use this workaround until this issue is solved. As soon as it is solved it should be enough to simply delete the file EventSubscriber.php: <?php
namespace App\EventSubscriber;
use App\Security\AccessDeniedHandler;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Firewall\AccessListener;
/**
* This is a temporary workaround until https://github.com/symfony/symfony/issues/28229 is solved.
*
* @package App\EventSubscriber
*/
class AccessDeniedSubscriber implements EventSubscriberInterface
{
private $handler;
public function __construct(AccessDeniedHandler $handler)
{
$this->handler = $handler;
}
public function onKernelException(ExceptionEvent $event)
{
$exception = $event->getThrowable();
if ($exception instanceof AccessDeniedException && !self::isThrownByFirewall($exception)) {
$response = $this->handler->handle($event->getRequest(), $exception);
$event->setResponse($response);
$event->stopPropagation();
}
}
public static function getSubscribedEvents()
{
return [
'kernel.exception' => ['onKernelException', 1],
];
}
/**
* Determines, by analyzing the stack trace, if an exception has been thrown by the firewall.
*
* @param AccessDeniedException $exception
*
* @return bool
*/
private static function isThrownByFirewall(AccessDeniedException $exception): bool
{
foreach ($exception->getTrace() as $stackItem) {
$class = $stackItem['class'] ?? null;
if ($class === AccessListener::class) {
return true;
}
}
return false;
}
} |
|
I'have the same problem but i fixed it by throwing And not |
Thanks, it works! |
|
I'm using Symfony 4.4.10, and It works if I put statusCode=403 in e.g |
|
I've tested this in a real Symfony app and I think this issue is mostly due to confusion about the purpose of the AccessDeniedHandler. It's only meant to be called when a user is authenticated (thus not anonymous), but does not have enough permissions to access the resource. An authentication entry point is meant to catch the anonymous users trying to access a protected resource. Based on my experiments, I've created a PR to better document this: symfony/symfony-docs#14045 I think this issue can be closed, the access denied handler is working like expected in my tests. |
and others
Symfony version(s) affected: 4.1.3
Description
Symfony ignores the custom AccessDeniedHandler. It never will called.
How to reproduce
Read (http://symfony.com/doc/current/security/access_denied_handler.html) and build it in a clean Symfony project. Secure an URL an called it. You will see, this your handler will never called.
The text was updated successfully, but these errors were encountered: