Closed
Symfony version(s) affected: 4.3.2
Description
When you try to access a route that requires higher roles than the user has, Symfony returns a 500 Internal Error instead of a 403 Unauthorized Access.
This is because of:
request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access Denied." at pathToProject/vendor/symfony/security-http/Firewall/ExceptionListener.php line 120
How to reproduce
Here is my firewall:
```yaml
security:
    encoders:
        App\Entity\User:
            algorithm: sodium
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_login:
            pattern: ^/api/login$
            anonymous: false
            stateless: true
            json_login:
                check_path: api_login
                username_path: "%login_username_path%"
                password_path: "%login_password_path%"
        api:
            pattern: ^/api
            anonymous: true
            stateless: true
            guard:
                authenticators:
                    - App\Security\Authenticator
        main:
            anonymous: ~
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/api, roles: ROLE_USER }
```
I added all required information in this issue on ApiPlatform: https://github.com/api-platform/api-platform/issues/1213
Possible Solution
The same kind of problem (but for HTTP 401) has been solved in this PR: #28801
Additional context
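To check which firewall and which access_control rule Symfony will apply to a given path under the configuration in this report (the first matching pattern wins in both lists, and an anonymous token is handled differently from an authenticated user lacking a role), here is an added Python model of that matching; it is not code from Symfony or from this issue, and it assumes no role hierarchy and represents an anonymous request as an empty role set.

```python
import re

# Firewalls and access_control rules copied from the report's security.yaml,
# in declaration order. Symfony tests patterns with preg_match on the path
# info, so an anchored regex search reproduces its matching.
FIREWALLS = [
    ("dev",       r"^/(_(profiler|wdt)|css|images|js)/", {"security": False}),
    ("api_login", r"^/api/login$", {"anonymous": False, "stateless": True}),
    ("api",       r"^/api",        {"anonymous": True,  "stateless": True}),
    ("main",      None,            {"anonymous": True}),  # no pattern: catches everything
]
ACCESS_CONTROL = [
    (r"^/profile", "ROLE_USER"),
    (r"^/api",     "ROLE_USER"),
]


def match_firewall(path):
    """Return (name, options) of the first firewall whose pattern matches."""
    for name, pattern, opts in FIREWALLS:
        if pattern is None or re.search(pattern, path):
            return name, opts
    return None, {}


def required_role(path):
    """Only the first access_control rule that matches is used."""
    for pattern, role in ACCESS_CONTROL:
        if re.search(pattern, path):
            return role
    return None


def decide(path, user_roles):
    """Predict the access decision for a path.

    'unsecured'           the firewall has security: false, no checks at all
    'granted'             no rule matches, or the user holds the required role
    'denied-anonymous'    anonymous token: ExceptionListener starts authentication
                          (entry point), not the access-denied path
    'denied-insufficient' authenticated user lacking the role: the 403 case
                          this report is about (assumption: no role hierarchy)
    """
    _name, opts = match_firewall(path)
    if opts.get("security") is False:
        return "unsecured"
    role = required_role(path)
    if role is None or role in user_roles:
        return "granted"
    if not user_roles:
        return "denied-anonymous"
    return "denied-insufficient"
```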