 

Symfony2 is_granted('IS_AUTHENTICATED_FULLY') during 404 error page display, causing ResourceNotFoundException

I have set up custom error pages to display for certain HTTP errors in the folder:

app/Resources/TwigBundle/views/Exception/

The 403 page (error403.html.twig) works and displays as expected.

The 500 page (error500.html.twig) works and displays as expected.

The 404 page (error404.html.twig) throws a 500 server error:

PHP Fatal error: Uncaught exception 'Symfony\Component\Routing\Exception\ResourceNotFoundException'

The error is being thrown by doing an auth check to display certain menu items for users that are or aren't authenticated:

{% if is_granted('IS_AUTHENTICATED_FULLY') %}

If I remove that check and just allow all menu items to display, the page loads the error page as expected. Again, the 403 page displays as it should and utilizes the auth checks without a problem.

I'm stuck on this one. The pages are EXACTLY the same, apart from the filename.

Nick asked Aug 08 '12 17:08


3 Answers

If Symfony < 2.8:

{% if app.user is not null and is_granted('ROLE_ADMIN') %}

See: https://github.com/symfony/symfony-docs/issues/2078

Edit from Dec 17 '15:

This is no longer needed since 2.8,

{% if is_granted('ROLE_ADMIN') %}

works fine now.

source: http://symfony.com/blog/new-in-symfony-2-8-dx-improvements#allow-to-check-for-security-even-in-pages-not-covered-by-firewalls

Tseho answered Nov 02 '22 11:11


You can't use the is_granted in a 404 page since 2.1:

It's mentioned in the upgrade file

The Firewall listener is now registered after the Router listener. This means that specific Firewall URLs (like /login_check and /logout) must now have proper routes defined in your routing configuration. Also, if you have a custom 404 error page, make sure that you do not use any security related features such as is_granted on it.

See: https://github.com/symfony/symfony/blob/master/UPGRADE-2.1.md#security

Jeroen answered Nov 02 '22 12:11


I would suggest checking for app.security.token, which is more strict and evaluates to true even when the user is anonymous.

If you check for app.user, it will evaluate to false in Exception templates, but also when the firewall is present (= regular templates) but the user is not logged in. This will prevent, for example, the display of a login button.

See: https://github.com/symfony/symfony-docs/pull/2359

bozma88 answered Nov 02 '22 12:11
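
The token guard discussed in the answers above, written out as an added example (not code from any of the posters) for Symfony versions before 2.8: a menu partial shared by regular templates and the custom 404 template. The route names (homepage, admin_dashboard, login, logout) and the markup are hypothetical.

```twig
{# Added example: menu partial included by regular pages and by
   Exception/error404.html.twig. Route names are hypothetical. #}
<ul class="menu">
    <li><a href="{{ path('homepage') }}">Home</a></li>

    {% if app.security.token is null %}
        {# No firewall listener ran for this request (an unmatched URL
           rendering the 404 page). is_granted() must not be called
           here, so only the public items are rendered. #}
    {% elseif is_granted('IS_AUTHENTICATED_FULLY') %}
        {% if is_granted('ROLE_ADMIN') %}
            <li><a href="{{ path('admin_dashboard') }}">Admin</a></li>
        {% endif %}
        <li><a href="{{ path('logout') }}">Log out</a></li>
    {% else %}
        {# A token exists but the user is anonymous: the login link is
           still shown. An app.user check is null both here and in the
           first branch, so it cannot tell the two cases apart. #}
        <li><a href="{{ path('login') }}">Log in</a></li>
    {% endif %}
</ul>
```

With no token the partial falls through to the public items only, so privileged links stay hidden by default on error pages.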