I don't understand:

throw new AccessDeniedException('message') always redirects to the login page.

PS: I use FOSUserBundle; here are the security.yml contents:

security:
    encoders:
        ANDRY\UserBundle\Entity\User: sha512

    role_hierarchy:
        # An admin inherits the author and moderator rights
        # ROLE_ADMIN: [ROLE_AUTEUR, ROLE_MODERATEUR]
        # We keep this superadmin role, it will be useful again later
        # ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        # ROLE_EMPLOYER: ROLE_SEEKER
        ROLE_ADMIN: [ROLE_EMPLOYER, ROLE_SEEKER, ROLE_ALLOWED_TO_SWITCH]

    providers:
        main:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # main_login:
        #     pattern: ^/%locale%/login$
        #     anonymous: true

        main:
            pattern: ^/
            anonymous: true
            provider: main
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                default_target_path: /%locale%
            logout:
                path: fos_user_security_logout
                target: /%locale%
            remember_me:
                secret: '%secret%'  # quote the parameter: a bare % is not valid YAML

    access_control:
        #     - { path: ^/admin, roles: [ROLE_ADMIN, ROLE_SUPER_ADMIN] }
j0k
Andry
  • The problem is not clear - do you want to be redirected somewhere else after login failure, or does login failure occur every time, even if the credentials seem to be right? – Jan Rydrych Mar 13 '17 at 17:10
  • When I put 'throw new AccessDeniedException('message')' in my code, it redirects me to the login page, but I want it to throw a 403 message – Andry Mar 13 '17 at 17:21

2 Answers

Symfony's default behaviour is to redirect unauthenticated requests to the login route from the firewall config. To change this you have to make your own access denied handler which implements AccessDeniedHandlerInterface and configure the firewall to use it.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;

class AccessDeniedHandler implements AccessDeniedHandlerInterface
{
    public function handle(Request $request, AccessDeniedException $accessDeniedException)
    {
        // Build whatever body the denied user should see ...
        $content = 'Access denied';

        // ... and return it with a 403 status instead of redirecting to login
        return new Response($content, 403);
    }
}

Configure it as a service and modify the firewall config in security.yml:

firewalls:
    default:
        ...
        access_denied_handler: your_access_denied_handler_service
Jan Rydrych
  • **Note**. The handler will not be called when checking if a user is fully authenticated with `@Security("is_granted('IS_AUTHENTICATED_FULLY')")`. For that, you need to follow [this solution](https://stackoverflow.com/questions/17428987/what-is-the-best-way-to-notify-a-user-after-an-access-control-rule-redirects/17432089#answer-17432089). – Mateusz Nov 17 '17 at 00:03
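A fuller version of such a handler, added here as an illustration (it is not the answer's code and not part of Symfony or FOSUserBundle; the namespace, service id, logger wiring and response bodies are assumptions). It logs every denial for audit, answers API clients with a JSON 403 and browsers with a plain 403 page, and deliberately keeps the exception message out of the response, since that message usually names the missing role or rule:

```php
<?php
// Added example, not from the answer. Assumed namespace and class name.
namespace AppBundle\Security;

use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;

/**
 * Invoked by the firewall's exception listener when an AccessDeniedException
 * reaches it for a user that is already fully authenticated. Anonymous or
 * remember-me users never get here: the listener sends them to the entry
 * point (the login form) instead, which is the redirect the question describes.
 */
class AccessDeniedHandler implements AccessDeniedHandlerInterface
{
    private $tokenStorage;
    private $logger;

    public function __construct(TokenStorageInterface $tokenStorage, LoggerInterface $logger)
    {
        $this->tokenStorage = $tokenStorage;
        $this->logger = $logger;
    }

    public function handle(Request $request, AccessDeniedException $accessDeniedException)
    {
        $token = $this->tokenStorage->getToken();
        $username = $token ? $token->getUsername() : 'anonymous';

        // Audit trail: who was refused, on which path, and why. The reason
        // stays in the log only; it is never echoed back to the client.
        $this->logger->warning('Access denied', [
            'user'   => $username,
            'path'   => $request->getPathInfo(),
            'reason' => $accessDeniedException->getMessage(),
        ]);

        // API clients get a machine-readable 403 ...
        if (in_array('application/json', $request->getAcceptableContentTypes(), true)) {
            return new JsonResponse(['error' => 'Forbidden'], Response::HTTP_FORBIDDEN);
        }

        // ... browsers get a plain 403 page with no internal details.
        return new Response(
            '<h1>403 Forbidden</h1><p>You do not have permission to access this page.</p>',
            Response::HTTP_FORBIDDEN
        );
    }
}

// Wiring, shown as YAML inside this comment (assumed service id and file layout):
//
// # app/config/services.yml
// services:
//     app.security.access_denied_handler:
//         class: AppBundle\Security\AccessDeniedHandler
//         arguments: ['@security.token_storage', '@logger']
//
// # app/config/security.yml
// security:
//     firewalls:
//         main:
//             # ...
//             access_denied_handler: app.security.access_denied_handler
```

The point worth keeping in mind is the condition in the class docblock: the handler changes what a logged-in user sees, but it does not change the anonymous case. If the asker throws AccessDeniedException while not logged in, the firewall still starts authentication and redirects to fos_user_security_login; only a user who already passed the login form reaches this handler and gets the 403.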
Just throw AccessDeniedHttpException instead of AccessDeniedException when the user is logged in and you just need to show them an access denied error page instead of being redirected to the login form.

This is what my code looks like:

// Anonymous (or not even remembered) user: keep Symfony's behaviour and
// let the firewall redirect to the login form.
if (!$this->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
    throw $this->createAccessDeniedException();
} else {
    // Logged-in user: an HttpException is not intercepted by the firewall's
    // exception listener, so the user gets the 403 error page, not a redirect.
    throw new \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException('Access denied');
}

Symfony issue link: https://github.com/symfony/symfony/issues/16026

striker