FOSJsRoutingBundle

Generate different routes based on authorization of logged in user

Open · ComaVN opened this issue 8 years ago · 1 comment

Since the file containing the routes is served publicly (through `/js/routing`), without authentication or authorization, an attacker without a valid login might learn more about the restricted part of a website than strictly necessary.

We can prevent this by placing that route behind the Symfony firewall, but then we wouldn't be able to use publicly accessible routes in pages that don't require a logged-in user.

Is it possible, or is it even desirable, to generate a different list of routes, based on the user's authorization?

I realize this is a minor concern, and ideally, knowledge of routes should never be a security risk. However, whatever we can do to make the work of a would-be attacker harder is a plus in my opinion.

ComaVN avatar Aug 29 '17 11:08 ComaVN
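For readers evaluating the exposure described in this issue, the following is an added configuration example (not part of the issue or of the bundle's own documentation). It assumes a standard Symfony project layout with YAML routing; the route names, controller classes and paths (`app_public_search`, `app_admin_dashboard`, `/search`, `/admin/dashboard`) are constructed for illustration. It relies on two real FOSJsRoutingBundle mechanisms: a route is only written into `/js/routing` when it carries the `expose: true` option, or when it is listed under the `routes_to_expose` setting. The last section shows the firewall placement the issue mentions, with its trade-off noted.

```yaml
# config/routes.yaml  (constructed example)
app_public_search:
    path: /search
    controller: App\Controller\SearchController::index
    options:
        expose: true          # included in /js/routing, usable from public pages

app_admin_dashboard:
    path: /admin/dashboard
    controller: App\Controller\AdminController::dashboard
    # no `expose` option: this route is NOT written into the generated JS routes,
    # so an unauthenticated visitor learns nothing about it from /js/routing

# config/packages/fos_js_routing.yaml  (constructed example)
fos_js_routing:
    # Alternative to per-route `expose: true`: an explicit allowlist of route
    # names (regular expressions are accepted). Keep admin/internal routes out.
    routes_to_expose:
        - app_public_search

# config/packages/security.yaml  (constructed example)
# Only appropriate when every page that needs JS routing sits behind a login;
# otherwise public pages lose access to the routing file, which is the
# trade-off raised in the issue above.
security:
    access_control:
        - { path: ^/js/routing, roles: ROLE_USER }
```

A quick check after deploying such a change is to fetch `/js/routing` anonymously and confirm that only the intentionally exposed route names appear in the response; any restricted-area route showing up there indicates a stray `expose: true` or an over-broad `routes_to_expose` pattern.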

Hi @ComaVN,

Of course, nothing is impossible 😉 However, this creates a lot of complications (these are the first crossing my mind):

  • Generate a file for each authorization, either cumulative or delta;
  • Dynamically insert the routing file in each template;
  • Inserting a rule into the Symfony firewall for each file with according authorizations.

I certainly think it is doable, but I'm wondering whether it is worth the effort. You are, of course, welcome to submit a PR and I'll certainly have a look at it.

tobias-93 avatar Aug 29 '17 11:08 tobias-93