minor #60425 [SecurityBundle] forbid to use hide_user_not_found and expose_security_errors at the same time (xabbuh)

chalasr · chalasr · commit d78481c44f85 · 2025-05-15T15:29:14.000+02:00
This PR was merged into the 7.3 branch. Discussion ---------- [SecurityBundle] forbid to use `hide_user_not_found` and `expose_security_errors` at the same time | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | | License | MIT `hide_user_not_found` will not have any effect if `expose_security_errors` is set. Throwing an exception early will improve DX and avoid WTF moments where one might be wondering why the "hide_user_not_found" option doesn't change anything. Commits ------- f758e26 forbid to use "hide_user_not_found" and "expose_security_errors" at the same time
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -59,6 +59,10 @@ public function getConfigTreeBuilder(): TreeBuilder
             ->beforeNormalization()
                 ->always()
                 ->then(function ($v) {
+                    if (isset($v['hide_user_not_found']) && isset($v['expose_security_errors'])) {
+                        throw new InvalidConfigurationException('You cannot use both "hide_user_not_found" and "expose_security_errors" at the same time.');
+                    }
+
                     if (isset($v['hide_user_not_found']) && !isset($v['expose_security_errors'])) {
                         $v['expose_security_errors'] = $v['hide_user_not_found'] ? ExposeSecurityLevel::None : ExposeSecurityLevel::All;
                     }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php
@@ -283,4 +283,18 @@ public static function provideHideUserNotFoundLegacyData(): iterable
         yield [['hide_user_not_found' => true], ExposeSecurityLevel::None, true];
         yield [['hide_user_not_found' => false], ExposeSecurityLevel::All, false];
     }
+
+    public function testCannotUseHideUserNotFoundAndExposeSecurityErrorsAtTheSameTime()
+    {
+        $processor = new Processor();
+        $configuration = new MainConfiguration([], []);
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('You cannot use both "hide_user_not_found" and "expose_security_errors" at the same time.');
+
+        $processor->processConfiguration($configuration, [static::$minimalConfig + [
+            'hide_user_not_found' => true,
+            'expose_security_errors' => ExposeSecurityLevel::None,
+        ]]);
+    }
 }
