8000 forbid to use "hide_user_not_found" and "expose_security_errors" at t… · symfony/symfony@f758e26 · GitHub

Commit f758e26

committed
forbid to use "hide_user_not_found" and "expose_security_errors" at the same time
"hide_user_not_found" will not have any effect if "expose_security_errors" is set. Throwing an exception early will improve DX and avoid WTF moments where one might be wondering why the "hide_user_not_found" option doesn't change anything.
1 parent 170b631 commit f758e26


2 files changed

+18
-0
lines changed


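--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -59,6 +59,10 @@ public function getConfigTreeBuilder(): TreeBuilder
 ->beforeNormalization()
 ->always()
 ->then(function ($v) {
+if (isset($v['hide_user_not_found']) && isset($v['expose_security_errors'])) {
+throw new InvalidConfigurationException('You cannot use both "hide_user_not_found" and "expose_security_errors" at the same time.');
+}
+
 if (isset($v['hide_user_not_found']) && !isset($v['expose_security_errors'])) {
 $v['expose_security_errors'] = $v['hide_user_not_found'] ? ExposeSecurityLevel::None : ExposeSecurityLevel::All;
 }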
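Review bot: The new guard in the `beforeNormalization()` closure sees one configuration array at a time, so it probably fires only when both keys sit in the same array. If the Processor normalizes each array before merging (as I understand the Config component), `hide_user_not_found` in one file and `expose_security_errors` in an environment override still pass silently, and the effective level depends on load order. That matters because this option decides whether login errors reveal that an account exists. A post-merge check is not straightforward, since the closure itself fills in `expose_security_errors`, so at minimum add a comment such as `// only detects both keys within a single config array; across files the last merged value wins`. Note also that `isset()` is false for a `null` value, and that the closure continues past the end of the hunk.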

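--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php
@@ -283,4 +283,18 @@ public static function provideHideUserNotFoundLegacyData(): iterable
 yield [['hide_user_not_found' => true], ExposeSecurityLevel::None, true];
 yield [['hide_user_not_found' => false], ExposeSecurityLevel::All, false];
 }
+
+public function testCannotUseHideUserNotFoundAndExposeSecurityErrorsAtTheSameTime()
+{
+$processor = new Processor();
+$configuration = new MainConfiguration([], []);
+
+$this->expectException(InvalidConfigurationException::class);
+$this->expectExceptionMessage('You cannot use both "hide_user_not_found" and "expose_security_errors" at the same time.');
+
+$processor->processConfiguration($configuration, [static::$minimalConfig + [
+'hide_user_not_found' => true,
+'expose_security_errors' => ExposeSecurityLevel::None,
+]]);
+}
 }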
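Review bot: The new test pins a single combination, `'hide_user_not_found' => true` with `ExposeSecurityLevel::None`, both in one array. Because the guard uses `isset()`, `'hide_user_not_found' => false` is rejected too, and a data provider covering the `false` value and a contradictory pair would pin that the check is about presence, not truthiness. A further case that passes the two options in separate arrays to `processConfiguration()` would document what happens when they come from different config files. The method could also declare `: void` if the rest of the test class does; that is not visible from this hunk.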
