Just a few additional notes in case it wasn't clear for everyone.

On 22.02.2011 11:05, Lukas Kahwe Smith wrote:
> - however switching to ESI, the render tag will suddenly do security checks

Not true afaik, because it uses the _internal route for ESI, which most likely will be forgotten by people implementing ACLs/firewalls (unless they firewall /.*)

> - no output, this however should be handled inside the given controller, aka the controller should not be secured via the firewall, but via custom code inside the controller

Just to be clear, it should be firewalled but allow anonymous users and have no ACL requirements, so that you always call the controller, and in the action you check for user rights and act appropriately.

> - bubble out a redirect to the master request, this however I do not know how to do this with ESI in a clean way (meta redirect?, javascript?)

That's acceptable for cases where the firewall does not allow anonymous users I guess, and probably the cleanest way although it's hackish is meta redirects.

Cheers

-- 
Jordi Boggiano
@seldaek :: http://seld.be/
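The gap described in this message, modelled as an added example (not code from the thread or from Symfony): first-match path rules are checked against a page URL and against the separate URL its ESI fragment is fetched from, next to a fragment controller that checks rights itself. The rule sets, paths and role names are constructed, and the exact shape of the `_internal` URL is an assumption.

```python
import re

# Constructed paths: the exact shape of the ESI fragment URL is an assumption.
PAGE = "/admin/dashboard"
FRAGMENT = "/_internal/admin_stats_panel"

# Constructed rule sets: (path regex, roles required). First match wins.
# An empty role set means "covered by the firewall, anonymous allowed".
PAGE_ONLY = [(r"^/admin", {"ROLE_ADMIN"})]
CATCH_ALL = [(r"^/admin", {"ROLE_ADMIN"}), (r"^/.*", {"ROLE_USER"})]
ANON_INTERNAL = [(r"^/_internal", set()), (r"^/admin", {"ROLE_ADMIN"})]


def matching_rule(rules, path):
    """Return the first (pattern, roles) rule matching path, or None."""
    for pattern, roles in rules:
        if re.search(pattern, path):
            return pattern, roles
    return None


def is_allowed(rules, path, user_roles):
    """Path-level decision only; an unmatched path is not checked at all."""
    rule = matching_rule(rules, path)
    if rule is None or not rule[1]:
        return True
    return bool(rule[1] & set(user_roles))


def uncovered(rules, paths):
    """Audit helper: paths that no rule matches."""
    return [p for p in paths if matching_rule(rules, p) is None]


def panel_action(user_roles):
    """Hypothetical fragment controller: always called, checks rights itself."""
    if "ROLE_ADMIN" not in user_roles:
        return ""  # no output for users without the right
    return "<div>admin stats</div>"


if __name__ == "__main__":
    for name, rules in [("page only", PAGE_ONLY), ("catch-all", CATCH_ALL),
                        ("anonymous _internal", ANON_INTERNAL)]:
        print(name, "uncovered:", uncovered(rules, [PAGE, FRAGMENT]),
              "anonymous fragment allowed:", is_allowed(rules, FRAGMENT, []))
```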
