symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php‎
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php‎
Lines changed: 9 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php‎
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php‎
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php‎
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig‎
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php‎
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php‎
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authorization/NotFullFledgedHandlerInterface.php‎
Lines changed: 34 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Authorization/NotFullFledgedHandlerInterface.php‎
Lines changed: 34 additions & 0 deletions
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Allow configuring the secret used to sign login links
+ * Add `security.firewalls.not_full_fledged_handler` option to configure behavior where user is not full fledged
 
 7.1
 ---
 
@@ -175,6 +175,7 @@ public function collect(Request $request, Response $response, ?\Throwable $excep
                     'access_denied_url' => $firewallConfig->getAccessDeniedUrl(),
                     'user_checker' => $firewallConfig->getUserChecker(),
                     'authenticators' => $firewallConfig->getAuthenticators(),
+                    'not_full_fledged_handler' => $firewallConfig->getNotFullFledgedHandler(),
                 ];
 
                 // generate exit impersonation path from current request
 
@@ -19,6 +19,7 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
+use Symfony\Component\Security\Http\Authorization\SameAsNotFullFledgedHandle;
 
 /**
  * SecurityExtension configuration structure.
@@ -214,6 +215,14 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
             ->booleanNode('stateless')->defaultFalse()->end()
             ->booleanNode('lazy')->defaultFalse()->end()
             ->scalarNode('context')->cannotBeEmpty()->end()
+            ->scalarNode('not_full_fledged_handler')
+                ->beforeNormalization()
+                    ->ifTrue(fn ($v): bool => $v == 'original')
+                        ->then(fn ($v) => null)
+                    ->ifTrue(fn ($v): bool => $v == 'same')
+                        ->then(fn ($v) => SameAsNotFullFledgedHandle::class)
+                    ->end()
+                ->end()
             ->arrayNode('logout')
                 ->treatTrueLike([])
                 ->canBeUnset()
 
@@ -578,6 +578,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
 
         $config->replaceArgument(10, $listenerKeys);
         $config->replaceArgument(11, $firewall['switch_user'] ?? null);
+        $config->replaceArgument(13, $firewall['not_full_fledged_handler'] ?? null);
 
         return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null, $firewallAuthenticationProviders];
     }
@@ -875,6 +876,11 @@ private function createExceptionListener(ContainerBuilder $container, array $con
             $listener->replaceArgument(5, $config['access_denied_url']);
         }
 
+        // not full fledged handler setup
+        if (isset($config['not_full_fledged_handler'])) {
+            $listener->replaceArgument(9, new Reference($config['not_full_fledged_handler']));
+        }
+
         return $exceptionListenerId;
     }
 
 
@@ -42,6 +42,7 @@
 use Symfony\Component\Security\Core\User\MissingUserProvider;
 use Symfony\Component\Security\Core\Validator\Constraints\UserPasswordValidator;
 use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
+use Symfony\Component\Security\Http\Authorization\SameAsNotFullFledgedHandle;
 use Symfony\Component\Security\Http\Controller\SecurityTokenValueResolver;
 use Symfony\Component\Security\Http\Controller\UserValueReso
A3E2
lver;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
@@ -218,6 +219,7 @@
                 [], // listeners
                 null, // switch_user
                 null, // logout
+                null, //not_full_fledged_handler
             ])
 
         ->set('security.logout_url_generator', LogoutUrlGenerator::class)
@@ -310,5 +312,7 @@
         ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('security.same_as_not_full_fledged_handle', SameAsNotFullFledgedHandle::class)
     ;
 };
@@ -139,6 +139,7 @@
                 service('security.access.denied_handler')->nullOnInvalid(),
                 service('logger')->nullOnInvalid(),
                 false, // Stateless
+                service('security.not.full.fledged_handler')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
 
@@ -282,6 +282,10 @@
                                         <th>authenticators</th>
                                         <td>{{ collector.firewall.authenticators is empty ? '(none)' : profiler_dump(collector.firewall.authenticators, maxDepth=1) }}</td>
                                     </tr>
+                                    <tr>
+                                        <th>not_full_fledged_handler</th>
+                                        <td>{{ collector.firewall.not_full_fledged_handler ?: '(none)' }}</td>
+                                    </tr>
                                 </tbody>
                             </table>
                         {% endif %}
 
@@ -30,6 +30,7 @@ public function __construct(
         private readonly array $authenticators = [],
         private readonly ?array $switchUser = null,
         private readonly ?array $logout = null,
+        private readonly ?string $notFullFledgedHandler = null,
     ) {
     }
 
@@ -104,4 +105,9 @@ public function getLogout(): ?array
     {
         return $this->logout;
     }
+
+    public function getNotFullFledgedHandler(): ?string
+    {
+        return $this->notFullFledgedHandler;
+    }
 }
@@ -149,6 +149,7 @@ public function testFirewalls()
                 [],
                 null,
                 null,
+                null,
             ],
             [
                 'secure',
@@ -184,6 +185,7 @@ public function testFirewalls()
                     'enable_csrf' => null,
                     'clear_site_data' => [],
                 ],
+                null,
             ],
             [
                 'host',
@@ -201,6 +203,7 @@ public function testFirewalls()
                 ],
                 null,
                 null,
+                null,
             ],
             [
                 'with_user_checker',
@@ -218,6 +221,7 @@ public function testFirewalls()
                 ],
                 null,
                 null,
+                null,
             ],
         ], $configs);
 
 
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authorization;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+/**
+ * This is used by the ExceptionListener to translate an AccessDeniedException
+ * to a Response object.
+ *
+ * @author Roman JOLY <eltharin18@outlook.fr>
+ */
+interface NotFullFledgedHandlerInterface
+{
+    /**
+     * Handles a not full fledged case for acces denied failure.
+     * @return bool|Response : bool|Response
+     *      true    : user have to be fully authenticated, continu to startAuthentication
+     *      false   : user have'nt to be fully authenticated, throw original AcessDeniedException
+     *      Response: you can return your own response, AccesDeniedException wil be ignored
+     */
+    public function handle(Request $request, AccessDeniedException $accessDeniedException): bool|Response;
+}
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ CHANGELOG`
`5`	`5`	`---`
`6`
`7`	`7`	`* Allow configuring the secret used to sign login links`
	`8`	+ * Add `security.firewalls.not_full_fledged_handler` option to configure behavior where user is not full fledged
`8`	`9`
`9`	`10`	`7.1`
`10`	`11`	`---`
Original file line number	Diff line number	Diff line change
`@@ -578,6 +578,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $`
`578`	`578`
`579`	`579`	`$config->replaceArgument(10, $listenerKeys);`
`580`	`580`	`$config->replaceArgument(11, $firewall['switch_user'] ?? null);`
	`581`	`+ $config->replaceArgument(13, $firewall['not_full_fledged_handler'] ?? null);`
`581`	`582`
`582`	`583`	`return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null, $firewallAuthenticationProviders];`
`583`	`584`	`}`
`@@ -875,6 +876,11 @@ private function createExceptionListener(ContainerBuilder $container, array $con`
`875`	`876`	`$listener->replaceArgument(5, $config['access_denied_url']);`
`876`	`877`	`}`
`877`	`878`
	`879`	`+ // not full fledged handler setup`
	`880`	`+ if (isset($config['not_full_fledged_handler'])) {`
	`881`	`+ $listener->replaceArgument(9, new Reference($config['not_full_fledged_handler']));`
	`882`	`+ }`
	`883`	`+`
`878`	`884`	`return $exceptionListenerId;`
`879`	`885`	`}`
`880`	`886`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ public function __construct(`
`30`	`30`	`private readonly array $authenticators = [],`
`31`	`31`	`private readonly ?array $switchUser = null,`
`32`	`32`	`private readonly ?array $logout = null,`
	`33`	`+ private readonly ?string $notFullFledgedHandler = null,`
`33`	`34`	`) {`
`34`	`35`	`}`
`35`	`36`
`@@ -104,4 +105,9 @@ public function getLogout(): ?array`
`104`	`105`	`{`
`105`	`106`	`return $this->logout;`
`106`	`107`	`}`
	`108`	`+`
	`109`	`+ public function getNotFullFledgedHandler(): ?string`
	`110`	`+ {`
	`111`	`+ return $this->notFullFledgedHandler;`
	`112`	`+ }`
`107`	`113`	`}`