On 9 Jan 2011, at 21:04, Tom Boutell wrote:

> I've been reading up on Symfony 2 routes and Symfony 2 security.
> […]
> So in general, it is no longer safe to edit the routing table without
> also editing controller and firewall code and settings. Unlike Symfony
> 1.x, in Symfony 2.x routes, actions and the firewall are all tightly
> coupled to the way the URL is written and all must usually be updated
> if you want to change a URL.
I think it's an acceptable tradeoff. It means that planning your URLs involves a little more care, but everyone benefits from more thoughtful URL design.

IIRC if you're using the FrameworkExtra bundle, the routing and controller config are stored together. I don't see how you could put firewall config in there too, though. Still, 2 out of 3 ain't bad. :)

Would it be worth creating a task that audits firewall URL coverage and tells you if a rule isn't covering any routes at all? That's the sort of thing that would happen if you changed 'admin' URLs to 'backend', as well as other issues too (like typos). You could also list routes that aren't covered by any firewall rule and check the other way. Handy for testing.

Finally, defensive coding would suggest that your controller should be able to require that _a_ firewall check be passed without caring about the details. It's common for permission requirements to shift around, but it's much rarer for something to go from requiring some level of authorisation to being completely open. If you could mark your controller as being secured, then you could throw an exception if no firewall checks were made, without having to split your configuration apart.

-- 
Matt

-- 
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com

You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
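The coverage audit sketched in the reply above, as an added example written for this page; it is not code from the thread or from the Symfony project. It checks a routing table against an ordered list of Symfony 2 style `access_control` rules in both directions: rules that match no route (the stale `^/admin` after an admin-to-backend rename, or a typo), rules that match some route but never win because an earlier rule always matches first, and routes that no rule covers at all. The route table and the rules are constructed sample data; a real task would read them from the router's route collection and the security configuration. Matching mirrors how Symfony's request matcher tests the `path` regex, but the script fills each `{placeholder}` with a sample value, which is an assumption: a rule whose regex depends on the placeholder's actual value would be mis-reported.

```php
<?php
// Added example, not from the original thread or the Symfony project.
// Audits access_control coverage against a routing table.

// Constructed sample routing table: name => path pattern with {placeholders}.
$routes = [
    'homepage'      => '/',
    'login'         => '/login',
    'backend_index' => '/backend',
    'backend_user'  => '/backend/user/{id}',
    'api_item'      => '/api/item/{id}',
];

// Constructed sample access_control rules, as they would appear in security.yml.
// Each 'path' is a regex; rules are evaluated in order and the first match wins.
$accessControl = [
    ['path' => '^/admin',        'roles' => 'ROLE_ADMIN'],       // stale after admin -> backend rename
    ['path' => '^/backend',      'roles' => 'ROLE_ADMIN'],
    ['path' => '^/backend/user', 'roles' => 'ROLE_SUPER_ADMIN'], // shadowed by ^/backend above
    ['path' => '^/login',        'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
];

// Turn a route pattern into one representative concrete path by filling each
// {placeholder} with a sample value. Assumption: rules do not depend on the
// placeholder's value; a rule like ^/backend/user/42$ would be missed.
function samplePath($pattern)
{
    return preg_replace('/\{[^}]+\}/', '1', $pattern);
}

// Mirror the request matcher: the configured regex is wrapped in {} delimiters
// and tested against the request path.
function ruleMatches($pathRegex, $path)
{
    return preg_match('{' . $pathRegex . '}', $path) === 1;
}

// Returns unmatched rules, shadowed rules, uncovered routes and, for each
// covered route, the index of the rule that wins for it.
function auditCoverage(array $routes, array $accessControl)
{
    $firstMatch = array_fill(0, count($accessControl), 0); // times a rule won
    $anyMatch   = array_fill(0, count($accessControl), 0); // times a rule matched at all
    $coverage   = [];
    $uncovered  = [];

    foreach ($routes as $name => $pattern) {
        $path   = samplePath($pattern);
        $winner = null;
        foreach ($accessControl as $i => $rule) {
            if (ruleMatches($rule['path'], $path)) {
                $anyMatch[$i]++;
                if ($winner === null) {
                    $winner = $i;
                    $firstMatch[$i]++;
                }
            }
        }
        if ($winner === null) {
            $uncovered[] = $name;          // no rule applies: route is effectively open
        } else {
            $coverage[$name] = $winner;
        }
    }

    $unmatched = [];
    $shadowed  = [];
    foreach ($accessControl as $i => $rule) {
        if ($anyMatch[$i] === 0) {
            $unmatched[] = $rule['path'];  // renamed URL or typo in the rule
        } elseif ($firstMatch[$i] === 0) {
            $shadowed[] = $rule['path'];   // an earlier rule always wins for these paths
        }
    }

    return [
        'unmatched_rules'  => $unmatched,
        'shadowed_rules'   => $shadowed,
        'uncovered_routes' => $uncovered,
        'coverage'         => $coverage,
    ];
}

$report = auditCoverage($routes, $accessControl);

foreach ($report['unmatched_rules'] as $rule) {
    echo "rule matches no route:      $rule\n";
}
foreach ($report['shadowed_rules'] as $rule) {
    echo "rule shadowed by earlier:   $rule\n";
}
foreach ($report['uncovered_routes'] as $name) {
    echo "route covered by no rule:   $name\n";
}
foreach ($report['coverage'] as $name => $i) {
    echo "route $name -> rule #$i (" . $accessControl[$i]['path'] . ")\n";
}
```

With the sample data this reports `^/admin` as matching nothing, `^/backend/user` as shadowed, and `homepage` and `api_item` as uncovered. Shadowed rules are worth flagging alongside unmatched ones: a rule that is present in the config but never wins gives the same false sense of coverage as a rule that was simply left pointing at a URL that no longer exists.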
