On Sep 17, 2012, at 17:54 , Christophe COEVOET <[email protected]> wrote:
> On 17/09/2012 16:17, Thomas Rabaix wrote:
>> I pretty much like simplification when things must be done the right way. However,
>> the security is the starting point of any important logic. And the routing
>> is one of them.
>>
>> What I have done here:
>> https://github.com/sonata-project/SonataPageBundle/compare/master...cmf-routing-chain#L4R91
>> is pretty bad and defeats the firewall logic.
>>
>> The same goes for handling the 404 page. We are providing a way of creating a
>> page on a non-existent URL for editors only; as the security component is not
>> loaded, the same issue occurs.
>>
>> I might be missing a point about redirection with the Security Component. But
>> the configuration definition does not use any information from the router.
>> So the router should not be used for generating redirected URLs.
>>
> The issue is that the firewall needs to be able to use the routing, as route
> names are allowed for the check path and the login path. Triggering the
> firewall before the router in 2.0 was leading to some nasty bugs (and the
> router logic was split in 2 so that part of it was still done before the
> firewall).
> And the router is used in the service definitions:
> https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml#L129-132

be that as it may .. how do we address the issue of wanting to be able to match different routes for different users?

f.e. i want to be able to have a publish/unpublish flag for pages .. or a publish date. of course this would not apply to admins, who also need to be able to view unpublished pages.

this is where i would naturally want to add some logic to the routing to determine if the user has access to the page or not. as things are now, i would need to handle this inside the controller i guess. which means that in case the user does not have rights, i throw a 404. however this diminishes the flexibility.
what if in case the user does not have access rights to view the page i want them then to load some alternative page, rather than some generic 404 page? then my controller needs to have logic to dispatch to the correct route, which is quite a mess imho.

so it seems we do not offer anything for this use case or the use case Thomas mentioned?

i really think that with use cases like CMS, shops, CRM etc dynamic routing will become a critical topic to address and so i think we need to be willing to invest time to make such use cases work, rather than "simplifying" by making them impossible in a clean way.

regards,
Lukas Kahwe Smith
[email protected]
