I agree with Chris. And I have the same issue. And I think this is not the intended behavior.

I faced this when I created a custom "kernel.exception" event listener. I use it to customize the "403 HTTP Access Denied" error page. And I was surprised when my handler wasn't executed because the user was not IS_AUTHENTICATED_FULLY. The user is still logged in (through the 'remember me' cookie) and still has the inappropriate role. So I expected to see the customized 403 error page! I think that checking whether the user has the IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_FULLY role is the developer's own business. I looked at vendor/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php and found that the reason is the implementation of the isFullFledged() method. I think the good solution is to add an option defining the result of isFullFledged(). Something like: 'full_fledged_role: IS_AUTHENTICATED_FULLY' (by default) and 'full_fledged_role: IS_AUTHENTICATED_REMEMBERED' for my and Chris's issue. In any case, this behavior has to be noted in the docs.

Thanks. Sorry for my English.

On Friday, April 27, 2012 10:36:12 PM UTC+4, weaverryan wrote:
> I see your point, but I believe this is the intended behavior. I think (and will be corrected if I'm wrong!) that unless you're IS_AUTHENTICATED_FULLY, the firewall will give you a chance to authenticate if you're denied access. Since there's no difference between being denied access for checking IS_AUTHENTICATED_FULLY versus some traditional role, each has that same behavior.
>
> So, I don't know if there is a more appropriate way to work around this, but I believe it's the "intended" behavior.
>
> Thanks!
>
> Ryan Weaver
> US Office Head & Trainer - KnpLabs - Nashville, TN
> http://www.knplabs.com <http://www.knplabs.com/en>
> http://knpuniversity.com
> Twitter: @weaverryan
>
> On Fri, Apr 27, 2012 at 3:30 AM, Chris Sedlmayr <[email protected]> wrote:
>> Hi all,
>>
>> I have a bit of an oddity with the remember me implementation.
>>
>> I've configured it based on the cookbook entry:
>> http://symfony.com/doc/current/cookbook/security/remember_me.html
>> And I have the cookie lifetime set to 20 days.
>>
>> On login the cookie is set correctly, and if I let my session expire, then proceed to a secure page, the remember me process runs (I can trace that through the framework, the listener, factory, service, the user provider etc).
>> If the page I access returns a successful response, i.e. the user does have access, then it appears to work fine.
>> However, if the page I access does not grant access, then the login page is presented, rather than the access denied page.
>>
>> I would expect that once remember me has been processed, and the user is authenticated, that if the page they access is denied, they are still logged in, but just have access to that page denied.
>> I'm not making any checks on this page regarding fully authenticated, just a simple role check, and if not present (which it isn't) then I throw new AccessDeniedException('You do not have permission to edit this Item');
>>
>> If I am logged in normally and access that page, I see the page (in dev) that you would expect, containing the stack trace with that exception and message.
>>
>> I think this may be an issue rather than a problem with my implementation; can anyone confirm this?
>>
>> Many thanks,
>>
>> Chris
>>
>> --
>> If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
>>
>> You received this message because you are subscribed to the Google Groups "symfony developers" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to [email protected]
>> For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
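As an added example (not code from this thread or from Symfony itself) of the developer-side handling the poster argues for: a `kernel.exception` listener registered at a priority above the firewall's own ExceptionListener, which turns an AccessDeniedException raised for a remember-me token into a plain 403 response instead of the redirect to the login form. It assumes Symfony 2.0-era class names (`SecurityContextInterface`, `GetResponseForExceptionEvent`) and that the firewall listener runs at a priority below 10; the `$fullyAuthenticatedPaths` constructor parameter and the service definition in the trailing comment are hypothetical.

```php
<?php
// Added example, not part of the thread or of Symfony. Assumes Symfony 2.0-era
// class names; the $fullyAuthenticatedPaths parameter is hypothetical.
namespace Acme\DemoBundle\EventListener;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\SecurityContextInterface;

class RememberMeAccessDeniedListener
{
    private $context;
    private $fullyAuthenticatedPaths;

    /**
     * @param string[] $fullyAuthenticatedPaths regexes for paths whose access
     *        control requires IS_AUTHENTICATED_FULLY. Those keep the firewall's
     *        redirect-to-login behaviour, because there the right answer is to
     *        ask the cookie-authenticated user for the password again.
     */
    public function __construct(SecurityContextInterface $context, array $fullyAuthenticatedPaths = array())
    {
        $this->context = $context;
        $this->fullyAuthenticatedPaths = $fullyAuthenticatedPaths;
    }

    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();
        if (!$exception instanceof AccessDeniedException) {
            return; // only authorization failures are of interest here
        }

        $token = $this->context->getToken();
        if (!$token instanceof RememberMeToken) {
            return; // fully authenticated or anonymous: let the firewall listener decide
        }

        $path = $event->getRequest()->getPathInfo();
        foreach ($this->fullyAuthenticatedPaths as $pattern) {
            if (preg_match($pattern, $path)) {
                return; // re-authentication is the correct outcome for this page
            }
        }

        // A remember-me user failed an ordinary role check: logging in again would
        // not change the outcome, so answer 403 and keep the session as it is.
        // The body stays generic; the exception message may describe internal checks.
        $event->setResponse(new Response('Access Denied', 403));
    }
}

// Assumed services.yml entry (priority 10 is chosen to run before the firewall's
// ExceptionListener; verify the priority used in your version's register()):
//
// acme.remember_me_access_denied_listener:
//     class: Acme\DemoBundle\EventListener\RememberMeAccessDeniedListener
//     arguments: ["@security.context", ["#^/account/security#"]]
//     tags:
//         - { name: kernel.event_listener, event: kernel.exception,
//             method: onKernelException, priority: 10 }
```

Setting a response on the event stops further listeners, so the firewall's redirect never runs for the cases this listener handles. The excluded-path list is the important caveat: for any page that relies on IS_AUTHENTICATED_FULLY to force a password re-entry (account settings, password change), keeping the firewall's behaviour is what protects a user whose remember-me cookie was obtained by someone else.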
