Description
| Q | A |
|---|---|
| Bug report? | maybe |
| Feature request? | no |
| BC Break report? | no |
| RFC? | yes |
| Symfony version | 2.8.17 |
Let's say you have an admin page that lists users.
On the controller you have @Security("has_role('ROLE_ADMIN')") and you load the page while logged in as admin user with the role, all nice.
Behind the scenes, remove the association of ROLE_ADMIN to the user (many-to-many table) in the database and in order to force roles to be reloaded let's say change the username from i.e. admin (or whatever you logged in with) to admin1 (or whatever property in order to trigger the hasUserChanged detection and as a result trigger role reload)
Reload the page, roles will get reloaded and it will still let you access the page (!) even though you don't have ROLE_ADMIN anymore. Refresh the page again and it will only now become effective. So you have to refresh twice hence giving you this "last shot" at access (this could be both GET/POST requests).
Now, when you use @Security("is_granted('ROLE_ADMIN')") or control via security.yml the change is effective immediately and access is denied - without this "one last shot" as has_role offers.
Any ideas?