
[Security] Explain lazy anonymous mode #13171


Merged (1 commit), Apr 11, 2020

Conversation

HeahDude (Contributor)

Fixes #12390.

I'm not sure about documenting the abstract listener, since we try here to simplify all the docs in the component. I guess this is a very advanced use case to create a custom firewall (never documented for now AFAIK), so this should be another issue/PR, or even a blog post.

security.rst (outdated review comment):
Nope, thanks to the ``anonymous`` key, this firewall *is* accessible anonymously.
It is useful to let users be authenticated as anonymous. It means any request
can have an anonymous token to access some resource, while some actions can require
some privileges.
Member

I'm unsure if this is better than the original sentence. "tokens" is something that the reader at this point doesn't understand, and the reading flow looks better when starting with "No, ...".

@HeahDude HeahDude (Contributor Author) Feb 18, 2020

I don't agree on this one. API token is used a few lines above, and guards are the main entry point now. Indeed, the flow is broken, but I propose to change it all together. The anonymous concept has always been confusing and deserves to be clear as soon as we can, since it is the first setting to start with; the sentence itself is clear enough IMO.
Furthermore, before the next line we encourage seeing the WDT showing an authenticated anonymous user with an anonymous token; currently we're saying that Symfony is tricking us, instead of being explicit without explaining all the internals. Enough words :), what do you think of my new change?
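As an added illustration of the ``anonymous`` key discussed in the review thread above (a constructed example, not part of this PR or of the security.rst text under review), a firewall configuration showing the classic ``anonymous: true`` behaviour beside the ``anonymous: lazy`` mode this PR documents; the firewall, provider and authenticator names are assumptions:

```yaml
# config/packages/security.yaml (constructed example, Symfony 4.4 option names)
security:
    providers:
        app_user_provider:                    # assumed provider name
            entity:
                class: App\Entity\User        # assumed entity
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            # anonymous: true
            #   Every request passing this firewall gets an anonymous token as soon
            #   as the firewall runs, so the user is always "authenticated", at least
            #   anonymously (this is what the WDT shows as an anonymous user).
            #
            # anonymous: lazy (Symfony 4.4)
            #   The anonymous token is only created when something actually asks for
            #   it: is_granted(), getUser(), or an access_control rule that needs a
            #   role. A page that never touches security is served anonymously
            #   without the token being built or the session being started.
            anonymous: lazy
            provider: app_user_provider
            guard:
                authenticators:
                    - App\Security\LoginFormAuthenticator   # assumed guard class
    access_control:
        # A rule that requires a real role forces the token to be resolved,
        # lazy mode or not; requests to other paths stay lazy.
        - { path: ^/admin, roles: ROLE_ADMIN }
```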

wouterj added a commit that referenced this pull request Apr 11, 2020
@wouterj wouterj merged commit b129252 into symfony:4.4 Apr 11, 2020
@wouterj (Member)

wouterj commented Apr 11, 2020

Hi Jules! After re-reading this PR, I like the changes. I'm not sure if I wrongly read it the first time or you did lots of improvements afterwards, but I decided to merge this PR :)

I've done a little rewording in b64dd02 after the merge (looks more major due to line breaking changes). Let me know if you think some of them are invalid.

wouterj added a commit that referenced this pull request Apr 11, 2020
* 4.4:
  [#13171] Some small rewordings
  [Security] Explain lazy anonymous mode
wouterj added a commit that referenced this pull request Apr 11, 2020
* 5.0:
  [#13171] Some small rewordings
  [Security] Explain lazy anonymous mode
@HeahDude (Contributor Author)

Nice :), thanks @wouterj 👍

@HeahDude HeahDude deleted the security/anonymous branch April 11, 2020 20:30
Development: merging this pull request may close the linked issue: [Security] add "anonymous: lazy" mode to firewalls
5 participants