Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best way to notify a user after an access_control rule redirects?

Tags:

From Symfony 2.3 Security docs:

If access is denied, the system will try to authenticate the user if not already (e.g. redirect the user to the login page). If the user is already logged in, the 403 "access denied" error page will be shown. See How to customize Error Pages for more information.

I am currently using an access_control rule for a few routes. I would like to notify an anonymous user if they're redirected to the login route with a message like "You must login to access that page." I have read through the Security docs a few times and haven't found anything relevant to this. Am I overlooking something?

If not, what would be the best way to notify the user when they're stopped by an access_control rule only if they're redirected to login (ie not if they're just in an unauthorized role)?

EDIT: For clarification, I am specifically asking how to check if a redirect was caused by an access_control rule (preferably in twig if possible).

like image 721
Carrie Kendall Avatar asked Jul 02 '13 15:07

Carrie Kendall


People also ask

What is redirecting the user?

On a Web site, redirection is a technique for moving visitors to a different Web page than the one they request, usually because the page requested is unavailable. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company.

Can you redirect a post request?

in response to a POST request. Rather, the RFC simply states that the browser should alert the user and present an option to proceed or to cancel without reposting data to the new location. Unless you write complex server code, you can't force POST redirection and preserve posted data.

How does redirect work in HTTP?

In HTTP, redirection is triggered by a server sending a special redirect response to a request. Redirect responses have status codes that start with 3 , and a Location header holding the URL to redirect to. When browsers receive a redirect, they immediately load the new URL provided in the Location header.


1 Answers

So after quite a bit of research, I found the right way to do this. You'll need to use an Entry Point service and define it in your firewall configuration.

This method will not mess with your default page settings specified in your firewall config for logging in.


The Code

security.yml:

firewalls:     main:         entry_point: entry_point.user_login #or whatever you name your service         pattern: ^/         form_login:         # ... 

src/Acme/UserBundle/config/services.yml

services:     entry_point.user_login:         class: Acme\UserBundle\Service\LoginEntryPoint         arguments: [ @router ] #I am going to use this for URL generation since I will be redirecting in my service 

src/Acme/UserBundle/Service/LoginEntryPoint.php:

namespace Acme\UserBundle\Service;  use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface,     Symfony\Component\Security\Core\Exception\AuthenticationException,     Symfony\Component\HttpFoundation\Request,     Symfony\Component\HttpFoundation\RedirectResponse;  /**  * When the user is not authenticated at all (i.e. when the security context has no token yet),   * the firewall's entry point will be called to start() the authentication process.   */ class LoginEntryPoint implements AuthenticationEntryPointInterface {     protected $router;      public function __construct($router)     {         $this->router = $router;     }      /*      * This method receives the current Request object and the exception by which the exception       * listener was triggered.       *       * The method should return a Response object      */     public function start(Request $request, AuthenticationException $authException = null)     {         $session = $request->getSession();          // I am choosing to set a FlashBag message with my own custom message.         // Alternatively, you could use AuthenticationException's generic message          // by calling $authException->getMessage()         $session->getFlashBag()->add('warning', 'You must be logged in to access that page');          return new RedirectResponse($this->router->generate('login'));     } } 

login.html.twig:

{# bootstrap ready for your convenience ;] #} {% if app.session.flashbag.has('warning') %}     {% for flashMessage in app.session.flashbag.get('warning') %}         <div class="alert alert-warning">             <button type="button" class="close" data-dismiss="alert">&times;</button>             {{ flashMessage }}         </div>     {% endfor %} {% endif %} 

Resources:

  • AuthenticationEntryPointInterface API
  • Entry Points Documentation
  • Security Configuration Reference
  • How to Customize your Form Login
  • Why access_denied_handle doesn't work - thanks to cheesemacfly for tip
like image 120
Carrie Kendall Avatar answered Sep 22 '22 15:09

Carrie Kendall