aimeos / aimeos-symfony

Symfony e-commerce bundle for professional, ultra fast online shops, complex B2B applications and #gigacommerce

Home Page: https://aimeos.org/Symfony


[Insight] Symfony applications should not throw AccessDeniedHttpException - in Controller/AdminController.php, line 94

aimeos opened this issue · comments

Using the suggested AccessDeniedException results in a fatal error because this exception doesn't exist.

in Controller/AdminController.php, line 94

The AccessDeniedHttpException bypasses the Symfony Security component and always results in a 403 response. You should throw AccessDeniedException (without Http) instead, so that the Security component displays a login form.

    public function doAction( Request $request )
    {
        // Symfony 2.x CSRF provider service; the token is read from the query string
        $csrfProvider = $this->get('form.csrf_provider');

        if( $csrfProvider->isCsrfTokenValid( 'aimeos_admin_token', $request->query->get( '_token' ) ) !== true ) {
            // Line flagged by Insight: this exception bypasses the Security component and always yields a 403
            throw new \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException( 'CSRF token is invalid' );
        }

        $cntlPaths = $this->get( 'aimeos' )->get()->getCustomPaths( 'controller/extjs' );
        $context = $this->get( 'aimeos_context' )->get( false );
        $context = $this->setLocale( $context );

        // ...
    }

Posted from SensioLabsInsight
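Added example, not code from the aimeos-symfony project or from the Insight report: a CSRF check that throws the exception the Security component expects, with a fallback to the HttpKernel exception when `symfony/security-core` is not installed (the situation that produced the fatal error described above). It assumes a recent Symfony (autowired controller arguments, the `security.csrf.token_manager` service that replaced `form.csrf_provider`); the namespace `App\Controller` is hypothetical and the token id `aimeos_admin_token` is taken from the issue.

```php
<?php
// Added example (not part of aimeos-symfony). Assumes symfony/security-csrf is
// installed; symfony/security-core is optional and detected at runtime.

namespace App\Controller; // hypothetical namespace

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

class AdminController extends AbstractController
{
    public function doAction(Request $request, CsrfTokenManagerInterface $tokenManager): Response
    {
        // Same token id as in the issue; the value is still read from the query string here
        $submitted = (string) $request->query->get('_token', '');
        $token = new CsrfToken('aimeos_admin_token', $submitted);

        if (!$tokenManager->isTokenValid($token)) {
            // Security\Core\Exception\AccessDeniedException is turned into a redirect to the
            // firewall's entry point (login form) for anonymous users and into a 403 for
            // users who are already authenticated. The class only exists when
            // symfony/security-core is installed, which is why the suggestion in this issue
            // produced a fatal error, so fall back to the plain 403 when it is absent.
            if (class_exists(AccessDeniedException::class)) {
                throw new AccessDeniedException('CSRF token is invalid');
            }
            throw new AccessDeniedHttpException('CSRF token is invalid');
        }

        // ... admin action continues here
        return new Response('ok');
    }
}
```

Two points worth checking when adopting this: the fallback only makes sense for a bundle that must work without the Security component, in a normal application the dependency should simply be declared and the `class_exists()` branch dropped; and reading the CSRF token from the query string means it can end up in access logs and Referer headers, so sending it in the POST body is the safer choice for state-changing admin actions.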