On 2/22/11 11:05 AM, Lukas Kahwe Smith wrote:
> Hi,
> So right now using a render twig tag or a forward cuts through the firewall
> like butter, aka there are no security checks for subrequests.
> Now Johannes is hoping to look into that in March, though Fabien isn't so
> hopeful this will work out.
We can probably make this work, but I doubt this is desirable. The
security is applied to the main request and sub-requests inherit the
current security context. That seems the easiest thing to implement,
understand, and probably what the developer wants.
Fabien
> I just want to start a discussion on what we want to happen and how.
> Status quo:
> - forward/render tag do not trigger the security checks
> - however switching to ESI, the render tag will suddenly do security checks
> Now for what should happen during a subrequest when login checks do not match,
> I see multiple use cases:
> - no output; this however should be handled inside the given controller, aka
> the controller should not be secured via the firewall, but via custom code
> inside the controller
> - bubble out a redirect to the master request; this however I do not know how
> to do with ESI in a clean way (meta redirect?, javascript?)
> Alternatively we can say that we will stick with the status quo of no security
> checks for subrequests, then at least we must make it easy to reuse the ACL
> rules from the security config somehow to make it possible to do this with
> custom code, but I think this would be very unfortunate.
> Sorry for this somewhat badly formulated email, but I want to get this
> discussion going ASAP, but I am right inside the final week of a major launch
> at work.
> Regards,
> Lukas
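As an added illustration (not code from this thread or from the Symfony project) of the "no output" option Lukas describes, here is a controller that is only ever reached through a render tag or forward and therefore enforces its own authorization, since the firewall's access rules only see the master request. It assumes the Symfony 2.0 stable API (the `security.context` service with `isGranted()`, the `Controller` base class); the bundle, controller and template names are made up, and the exact service names during the early-2011 pre-release under discussion may have differed.

```php
<?php
// Added example, not code from the mailing-list thread. Shows the
// "handle it inside the controller" option: a fragment controller that
// is rendered via sub-request (render tag / forward) and so is never
// passed through the firewall's access_control rules. Assumes the
// Symfony 2.0 stable security API; bundle/template names are invented.

namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class SidebarController extends Controller
{
    /**
     * Rendered from a template with the render tag, never as a master request.
     */
    public function adminBoxAction()
    {
        // The sub-request inherits the master request's security context
        // (the authenticated token), so the current user's roles are known
        // here even though no firewall check ran for this request.
        $security = $this->container->get('security.context');

        // Authorization is decided in the controller, not by the firewall.
        if (!$security->isGranted('ROLE_ADMIN')) {
            // "No output" option from the thread: return an empty 200 body.
            // The surrounding page (and an ESI assembler) keeps working; the
            // fragment simply disappears for users who are not allowed to
            // see it. Throwing AccessDeniedException here would instead
            // abort the whole master request, which is the behaviour the
            // thread is trying to decide on.
            return new Response('');
        }

        return $this->render('AcmeDemoBundle:Sidebar:adminBox.html.twig');
    }
}
```

The point of keeping the check inside the action is that it behaves identically whether the fragment is produced by an in-process sub-request or by an ESI sub-request; the status quo Lukas describes, where the same template switches from "no checks" to "firewall checks" when ESI is enabled, is exactly what this avoids.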
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.