SensioFrameworkExtraBundle
Combining @IsGranted with ParamConverter and invalid lookup generates a 404 instead of 403
I'm using @IsGranted("ROLE_ADMIN") annotation on a controller method that also implicitly uses ParamConverter to fetch a Doctrine entity record. This works as expected if the record lookup value for the ParamConverter is valid. But if the record cannot be found, ParamConverter triggers a 404 instead of a 403 whether or not the user is an admin, or even if the user isn't logged in. Is this the intended behavior? I couldn't find anything in the documentation that described how the two interact.
```php
<?php

namespace App\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;
use App\Entity\Example;

class ExampleController extends AbstractController
{
    /**
     * @Route("/example/{id}", name="example")
     * @IsGranted("ROLE_ADMIN")
     */
    public function example(Example $example)
    {
        return $this->render('example/index.html.twig', [
            'example' => $example,
        ]);
    }
}
```
IsGranted should be checked first, and then the object should be retrieved from the database. Can something be done about this topic?
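
One way to get the ordering asked for above, shown as an added example that is not part of the original thread or the bundle's code: do the role check inside the action and fetch the entity afterwards, so the response does not reveal whether a record exists to a caller who lacks `ROLE_ADMIN`. It assumes `Example` has an integer primary key; the `requirements` constraint and the `$entityManager` argument are additions for illustration.

```php
<?php

namespace App\Controller;

use App\Entity\Example;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ExampleController extends AbstractController
{
    /**
     * The {id} placeholder is received as a scalar, so no entity lookup
     * happens before the action body runs (integer id is an assumption).
     *
     * @Route("/example/{id}", name="example", requirements={"id"="\d+"})
     */
    public function example(int $id, EntityManagerInterface $entityManager): Response
    {
        // 1. Authorization first. This throws AccessDeniedException, which
        //    Symfony turns into a 403 for an authenticated non-admin and into
        //    the firewall's entry point (e.g. login redirect) for an
        //    anonymous visitor. No database query has been made yet.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        // 2. Only an admin reaches the lookup, so only an admin can see a 404.
        $example = $entityManager->getRepository(Example::class)->find($id);
        if (null === $example) {
            throw $this->createNotFoundException('Example not found.');
        }

        return $this->render('example/index.html.twig', [
            'example' => $example,
        ]);
    }
}
```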