[Security/Http] Throw AccessDeniedException in UserValueResolver when user is required but not authenticated #46447

ruudk (Contributor) commented May 24, 2022

| Q | A |
| --- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| License | MIT |
| Doc PR | |

When you add `#[CurrentUser] UserInterface $user` to a controller and the user is not authenticated, the following error is produced:

```
Cannot autowire argument $user of "App\Controller::myAction()": it references class "App\User" but no such service exists.
```

This error doesn't help with resolving the problem.

The `UserValueResolver` should check and see if the argument is non-optional and immediately stop execution by throwing an `AccessDeniedException`. This can help redirect the user to a login page.

@ruudk ruudk requested review from wouterj and chalasr as code owners May 24, 2022 14:03
@carsonbot carsonbot added this to the 4.4 milestone May 24, 2022
@ruudk ruudk changed the title [Security/Http] Throw AccessDeniedException in UserValueResolver when required but not authenticated [Security/Http] Throw AccessDeniedException in UserValueResolver when user is required but not authenticated May 24, 2022
@ruudk ruudk force-pushed the user-value-resolver-throw-access-denied-exception branch from a5af2cc to 4801129 Compare May 24, 2022 14:03
@ruudk ruudk force-pushed the user-value-resolver-throw-access-denied-exception branch from 4801129 to 3d638ab Compare May 24, 2022 14:04
chalasr (Member) commented May 24, 2022

Already done as a feature on 6.1 thanks to #45761. I don't think we want to change this on 4.4.

ruudk (Contributor Author) commented May 24, 2022

Great then I'll just upgrade to 6.1 soon 🤩

@ruudk ruudk closed this May 24, 2022
@ruudk ruudk deleted the user-value-resolver-throw-access-denied-exception branch May 24, 2022 16:34
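
The check proposed in this pull request, sketched as an added example that is not code from the PR or from Symfony itself. The class name `StrictUserValueResolver` and the `App\Security` namespace are hypothetical; it assumes the `ArgumentValueResolverInterface` contract available on the 4.4 branch.

```php
<?php
// Added example: hypothetical resolver, not the code of this PR or of Symfony.
namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Controller\ArgumentValueResolverInterface;
use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\UserInterface;

final class StrictUserValueResolver implements ArgumentValueResolverInterface
{
    private $tokenStorage;

    public function __construct(TokenStorageInterface $tokenStorage)
    {
        $this->tokenStorage = $tokenStorage;
    }

    public function supports(Request $request, ArgumentMetadata $argument): bool
    {
        // Claim every argument typed as UserInterface (or an implementation),
        // even when nobody is logged in, so resolution never falls through
        // to service autowiring and its unhelpful error message.
        $type = $argument->getType();

        return null !== $type && is_a($type, UserInterface::class, true);
    }

    public function resolve(Request $request, ArgumentMetadata $argument): iterable
    {
        $token = $this->tokenStorage->getToken();
        // getUser() may return a string for anonymous tokens on old branches.
        $user = null !== $token ? $token->getUser() : null;

        if (is_object($user) && is_a($user, $argument->getType())) {
            yield $user;
        } elseif ($argument->isNullable()) {
            // Optional argument: the action explicitly allows anonymous access.
            yield null;
        } else {
            // Required argument, no matching user: stop here and let the
            // security layer handle the denial.
            throw new AccessDeniedException(sprintf('No authenticated user to pass to $%s; make the argument nullable to allow anonymous access.', $argument->getName()));
        }
    }
}
```

To take effect, the resolver has to run before the built-in `UserValueResolver`, for example through the priority of its `controller.argument_value_resolver` tag.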