AccessDeniedHttpException in FragmentListener leads to status 500 instead of 403 · Issue #11663 · symfony/symfony · GitHub
Closed
dbu opened this issue Aug 13, 2014 · 18 comments

Comments

@dbu
Contributor
dbu commented Aug 13, 2014

When the AccessDeniedHttpException is thrown in FragmentListener, I get a status 500 page instead of a 403 page.

@fmeynard

I don't think that FragmentListener or AccessDeniedHttpException are responsible. Can you provide a full stack trace, or a fork of SE with this behavior?

@stof
Member
stof commented Aug 19, 2014

@fmeynard I think there is a bug with the handling of exceptions when they are thrown in the listeners in some cases.

@dbu
Contributor Author
dbu commented Aug 19, 2014

Exactly. Throwing AccessDeniedHttpException is correct, but this should lead to a 403 response.

@fabpot fabpot added the Hackday label Sep 5, 2014
@fgueguen
fgueguen commented Sep 5, 2014

I can't reproduce: I managed to throw an AccessDeniedHttpException in FragmentListener by faking a call to a fragment with an unsafe method, and I got a 403 status as required.

@jeremyFreeAgent
Contributor

I don't know if it is linked...
When calling createAccessDeniedException() in the FrameworkBundle Controller, a Symfony\Component\Security\Core\Exception\AccessDeniedException is thrown, but in HttpKernel a status code 500 is set if the exception is not an HTTP one.

@stof
Member
stof commented Sep 5, 2014

@jeremyFreeAgent but AccessDeniedException is handled by the exception controller of the Security component when you are behind a configured firewall.

@jeremyFreeAgent
Contributor

@stof so it is a bad practice to throw an AccessDeniedException in a controller outside the pattern of a configured firewall?

@fgueguen
fgueguen commented Sep 5, 2014

@jeremyFreeAgent careful, the exception dbu was referring to is an AccessDeniedHttpException, not an AccessDeniedException. AccessDeniedHttpException extends HttpException, which implements HttpExceptionInterface, so the handleException function is supposed to take its status (403) and not send a 500...

@jeremyFreeAgent
Contributor

@fgueguen True, that's why I said:

I don't know if it is linked...

@stof
Member
stof commented Sep 5, 2014

so it is a bad practice to throw an AccessDeniedException in a controller outside the pattern of a configured firewall?

Yes. The AccessDeniedException is related to the Security component, asking it to check whether you could have a chance to authenticate with a higher level before giving you a 403 (if you are an anonymous or remembered user, it will ask you to authenticate instead).
If the Security system is not active on your URL, it makes no sense to trigger an exception of the Security system.

@adlpz
Contributor
adlpz commented Nov 29, 2014

I'm having a look at this during the Hackday at Madrid.

adlpz added a commit to adlpz/symfony that referenced this issue Nov 29, 2014
…iedHttpException in kernel request listener
@adlpz
Contributor
adlpz commented Nov 29, 2014

After poking around for a while, I cannot reproduce this bug. At least not as a generic bug with how the system handles HttpExceptions thrown inside event listeners. I wrote a couple of tests, implemented a listener to throw around some exceptions, and all seems to work as intended.

I PR'd the tests, maybe someone else can figure out if there is some specific scenario where this bug happens.

@dbu
Contributor Author
dbu commented Dec 22, 2014

Played around with this again. I use a stock Symfony 2.5 kernel and generated a fragment URL, then curl that with the ESI capability. I have security configured so that _fragment is not in the paths allowed by my user.

In the prod (!) environment, I get this stack trace as response:

```
( ! ) Fatal error: Uncaught exception 'Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException' in /vagrant/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php on line 87
( ! ) Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: in /vagrant/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php on line 87
Call Stack
#  Time    Memory   Function                                                                              Location
1  0.0002  230256   {main}( )                                                                             ../app.php:0
2  0.0230  1158816  Symfony\Component\HttpKernel\Kernel->handle( )                                        ../app.php:22
3  0.0483  3648680  Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle( )  ../Kernel.php:185
```

@fabpot fabpot removed the Hackday label Feb 12, 2015
@cameronjacobson

The only thing that looks suspect to me is the handleException method in src/Symfony/Component/HttpKernel/HttpKernel.php. Except it's a 403 error, which would prevent the else clause from setting statusCode to 500. Unless something else is changing the status code in between, I don't see anything that raises flags that this may be caused by the symfony package directly.

@jakzal
Contributor
jakzal commented May 14, 2015

@dbu I just tried to reproduce this issue and I'm not experiencing the same behaviour (Symfony 2.6). Since I'm the second person who can't reproduce it, please re-create your issue on a fork of Symfony SE and provide instructions on how to trigger the error.

@dbu
Contributor Author
dbu commented May 15, 2015

Sorry for not following up on this. I now tried this again. The problem is in Symfony 2.3. Can you try these steps?

```sh
composer.phar create-project symfony/framework-standard-edition fragment_issue 2.3
# say no to demo bundle, no need for a database
cd fragment_issue
app/console server:run
```

Then try to send a request with a non-safe method:

```sh
curl -XPUT -v http://127.0.0.1:8000/app.php/_fragment?_path=_format%3Dhtml%26_locale%3Den%26_controller%3DAcme%253ADemoBundle%253ADemo%253Aindex
```

The problem also exists with Symfony 2.5, but that is already past its support period.

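The reproduction above needs a full Symfony SE install. The following is an added example, not code from this thread or from Symfony, that wires an HttpKernel by hand so the same checks can be seen in isolation: FragmentListener refusing an unsafe method and an unsigned URL from a non-local client, and the status code being taken from the exception as fgueguen describes (HttpExceptionInterface keeps its code, anything else becomes 500). It assumes a Symfony 2.x/3.x install of http-kernel, http-foundation and event-dispatcher via Composer; the secret, the client IP and the controller name are constructed for the demo.

```php
<?php
// Added example (not from the thread or from Symfony): a hand-wired HttpKernel showing how
// FragmentListener refuses fragment requests and how the response status is derived from
// the exception. Assumes Symfony 2.x/3.x (event class/method names differ in 5.x+).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Controller\ControllerResolver;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\EventListener\FragmentListener;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
use Symfony\Component\HttpKernel\HttpKernel;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\HttpKernel\UriSigner;

// Controller reached only when FragmentListener lets the request through (constructed name).
function fragment_controller()
{
    return new Response('fragment body', 200);
}

$signer = new UriSigner('constructed-secret-for-this-demo');
$dispatcher = new EventDispatcher();
$dispatcher->addSubscriber(new FragmentListener($signer, '/_fragment'));

// Stand-in for the framework's exception listener. Without any listener that sets a response,
// HttpKernel rethrows and PHP ends with an uncaught-exception fatal error (a 500 to the client).
// The mapping mirrors HttpKernel::handleException: an HttpExceptionInterface carries its own
// status; anything else (e.g. Security's AccessDeniedException outside a firewall) becomes 500.
$dispatcher->addListener(KernelEvents::EXCEPTION, function (GetResponseForExceptionEvent $event) {
    $e = $event->getException();
    $status = $e instanceof HttpExceptionInterface ? $e->getStatusCode() : 500;
    $event->setResponse(new Response(get_class($e), $status));
});

$kernel = new HttpKernel($dispatcher, new ControllerResolver());

// Non-local client address (constructed), so the trusted-proxy shortcut in FragmentListener does not apply.
$server = array('REMOTE_ADDR' => '203.0.113.10');
$uri = 'http://localhost/_fragment?_path='.urlencode('_controller=fragment_controller');
$cases = array(
    'PUT, unsigned (the curl reproduction above)' => Request::create($uri, 'PUT', array(), array(), array(), $server),
    'GET, unsigned'                               => Request::create($uri, 'GET', array(), array(), array(), $server),
    'GET, signed by UriSigner'                    => Request::create($signer->sign($uri), 'GET', array(), array(), array(), $server),
);
foreach ($cases as $label => $request) {
    printf("%-45s -> %d\n", $label, $kernel->handle($request)->getStatusCode());
}
```

Only the signed GET reaches fragment_controller; the other two are refused by FragmentListener, and the exception listener is what turns that refusal into an HTTP response with the exception's own status.
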
@jakzal
Contributor
jakzal commented May 15, 2015

@dbu yep, that did the job. Thanks, I'll be looking into this! The problem doesn't exist in >=2.6 anymore.

@xabbuh
Member
xabbuh commented Oct 18, 2016

Closing as this issue isn't present in any maintained release.

@xabbuh xabbuh closed this as completed Oct 18, 2016