AccessDeniedException is converted to HTTP 302 even when request format is JSON #30099
Comments
|
I think a small example project would indeed be very helpful for anyone wanting to look into it. |
|
Here is a simple project where you have two end points for ajax. Both throw exception but AccessDeniedException does not trigger HTTP error.
|
|
@Jontsa would you be able to debug why? |
|
@nicolas-grekas, @xabbuh Do you guys aware of this Btw, I think we can safely remove it. |
|
@Jontsa Btw, you can just make |
|
I reviewed this and I don't think there's an actual issue here. The XHR request itself contains no usable indication that the redirect response is not valid, so Symfony is correct in following up with the redirect based on its configuration. And as @dimabory said you can/should just change that config line which fixes your issue correctly. The Status: reviewed |
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Rework firewall's access denied rule | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | ~~#30099~~, #28229 | License | MIT | Doc PR | Follow tickets provided above to reproduce bugs. (there are also some project examples) ~~In addition, I'm looking for someone who knows an answer to [this](#30099 (comment)) regarding rework in this PR.~~ Commits ------- 5790859 Rework firewall access denied rule
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Rework firewall's access denied rule | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | ~~#30099~~, #28229 | License | MIT | Doc PR | Follow tickets provided above to reproduce bugs. (there are also some project examples) ~~In addition, I'm looking for someone who knows an answer to [this](symfony/symfony#30099 (comment)) regarding rework in this PR.~~ Commits ------- 5790859275 Rework firewall access denied rule
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Rework firewall's access denied rule | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | ~~#30099~~, #28229 | License | MIT | Doc PR | Follow tickets provided above to reproduce bugs. (there are also some project examples) ~~In addition, I'm looking for someone who knows an answer to [this](symfony/symfony#30099 (comment)) regarding rework in this PR.~~ Commits ------- 5790859275 Rework firewall access denied rule
Description
When accessing a secured area using AJAX + JSON while not logged in, the ExceptionListener in Symfony Security component may convert AccessDeniedException to a HTTP 302 redirect to login page. The javascript can not really do anything with this since it is expecting JSON or HTTP error code.
Any other exception would be converted to JSON and passed back to browser with correct HTTP status code. But in this case, you need to create your own event listener to convert this exception in to JSON. This is the same issue as reported here: https://stackoverflow.com/questions/33240554/symfony2-security-annotation-turn-off-redirect-when-not-logged-in
See: Symfony\Component\Security\Http\Firewall\ExceptionListener::handleAccessDeniedException()
How to reproduce
If needed, I can provide an example project in Github.
The text was updated successfully, but these errors were encountered: