Hi,

So right now using a render Twig tag or a forward cuts through the firewall like butter, aka there are no security checks for subrequests. Now Johannes is hoping to look into that in March, though Fabien isn't so hopeful this will work out.

I just want to start a discussion on what we want to happen and how.

Status quo:
- forward/render tag do not trigger the security checks
- however, switching to ESI, the render tag will suddenly do security checks

Now for what should happen during a subrequest when login checks do not match, I see multiple use cases:
- no output; this however should be handled inside the given controller, aka the controller should not be secured via the firewall, but via custom code inside the controller
- bubble out a redirect to the master request; this however I do not know how to do with ESI in a clean way (meta redirect? javascript?)

Alternatively we can say that we will stick with the status quo of no security checks for subrequests, then at least we must make it easy to reuse the ACL rules from the security config somehow to make it possible to do this with custom code, but I think this would be very unfortunate.

Sorry for this somewhat badly formulated email, but I want to get this discussion going ASAP, but I am right inside the final week of a major launch at work.

Regards,
Lukas

--
Liip AG // T +41 43 500 39 84 // M +41 77 42 61 811
Feldstrasse 133 // CH-8004 Zürich // GPG 0x34DF44F7
Lukas Kahwe Smith
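One way to implement the "no output" option described in this message, as an added example that is not code from the thread or from the Symfony project: the action authorizes itself so the check holds whether it is reached by forward(), the render tag or ESI. The bundle name AcmeDemoBundle, the SidebarController class and the ROLE_ADMIN role are assumptions for illustration.

```php
<?php
// Added example (not from the thread): a fragment controller that does its own
// authorization because forward()/{% render %} subrequests bypass the firewall.
namespace Acme\DemoBundle\Controller; // hypothetical bundle

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class SidebarController extends Controller // hypothetical controller
{
    // Reached via {% render "AcmeDemoBundle:Sidebar:admin" %} in a template,
    // via $this->forward('AcmeDemoBundle:Sidebar:admin') from another action,
    // or via ESI; the check below runs the same way in all three cases.
    public function adminAction()
    {
        $security = $this->get('security.context');

        if (!$security->isGranted('ROLE_ADMIN')) {
            // "no output" option: emit an empty fragment instead of leaking
            // the admin sidebar to an unauthorized subrequest.
            return new Response('');
        }

        return $this->render('AcmeDemoBundle:Sidebar:admin.html.twig');
    }
}
```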
