[Security]IsGranted - Denied message 6.2 #48789
Labels
Comments
|
Isn't this displayed only in dev mode? |
https://github.com/nicolas-grekas/symfony/blob/6.2/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php#L63 |
|
Exception rendering is not done by the listener. AFAIK, we don't display any messages unless the app runs in debug mode. |
|
Closing for now as it seems there is no issue, please comment if you think otherwise so we can consider to reopen. Thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
With the current changes and migration of
#[IsGranted]from FrameworkExtraBundle in #44705 and with security in mind, having "bad/invalid credentials" message asAccess Denied by #[IsGranted(%s)] on controlleris all against any security policy. With this message, you're exposing your roles to the potential attacker that are required to access on specific route.Because of that, I'm proposing/suggesting to change this default message as it was before (in FrameworkExtraBundle - which is generic one),
Access Denied.Example
No response
The text was updated successfully, but these errors were encountered: