EnforcePasswordChangeListener priority
JarekW opened this issue · comments
EnforcePasswordChangeListener redirects the user to the password change page, but it is invoked after Symfony's Firewall listener, which has a higher priority. When the user clicks on a link to a page for which they don't have permission, an access denied exception will be thrown before EnforcePasswordChangeListener runs.
Simply changing the priority is not enough. Before the firewall starts we cannot use $authorizationChecker->isGranted() and we have no token. Maybe we can also listen for kernel.exception?
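One way to cover both paths described in the comment above, as an added illustration that is not code from this project: a subscriber that runs on kernel.request just below the Firewall listener (Symfony registers `Firewall::onKernelRequest` at priority 8, so a token exists by then) and additionally on kernel.exception, ahead of the security component's own ExceptionListener (priority 1), so an AccessDeniedException raised by the firewall still ends in a redirect to the password change page. It is written against PHP 8 / Symfony 6 and assumes a hypothetical `App\Entity\User::mustChangePassword()` method and a route named `user_password_change`; both are assumptions, not part of the original issue.

```php
<?php
// Added example, not code from the project this issue belongs to.
// Assumptions: App\Entity\User exposes a hypothetical mustChangePassword(): bool,
// and the application defines a route named "user_password_change".

namespace App\EventSubscriber;

use App\Entity\User;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class EnforcePasswordChangeSubscriber implements EventSubscriberInterface
{
    private const CHANGE_ROUTE = 'user_password_change'; // assumed route name
    private const LOGOUT_ROUTE = 'app_logout';           // assumed route name

    public function __construct(
        private TokenStorageInterface $tokenStorage,
        private UrlGeneratorInterface $urlGenerator,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // The Firewall listener runs on kernel.request at priority 8.
            // Priority 7 guarantees the token storage is populated here.
            KernelEvents::REQUEST => ['onKernelRequest', 7],
            // The firewall's access check may throw before any request
            // listener of ours runs; handle that on kernel.exception, ahead
            // of the security ExceptionListener (priority 1).
            KernelEvents::EXCEPTION => ['onKernelException', 10],
        ];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (ESI, fragments) must not be redirected
        }
        $this->redirectIfPasswordChangeRequired($event);
    }

    public function onKernelException(ExceptionEvent $event): void
    {
        if (!$event->getThrowable() instanceof AccessDeniedException) {
            return; // only intercept authorization failures
        }
        // ExceptionEvent extends RequestEvent, so the shared helper applies.
        $this->redirectIfPasswordChangeRequired($event);
        if ($event->hasResponse()) {
            // Keep the 302 instead of letting the kernel force an error status.
            $event->allowCustomResponseCode();
        }
    }

    private function redirectIfPasswordChangeRequired(RequestEvent $event): void
    {
        // No token yet (e.g. anonymous request): nothing to enforce.
        $user = $this->tokenStorage->getToken()?->getUser();
        if (!$user instanceof User || !$user->mustChangePassword()) {
            return;
        }

        // Let the change page and logout through, or the redirect loops forever.
        $route = $event->getRequest()->attributes->get('_route');
        if (in_array($route, [self::CHANGE_ROUTE, self::LOGOUT_ROUTE], true)) {
            return;
        }

        $event->setResponse(
            new RedirectResponse($this->urlGenerator->generate(self::CHANGE_ROUTE))
        );
    }
}
```

The exception path is what makes the enforcement complete: with only the request listener, a user who must still change their password could keep browsing forbidden URLs and receive plain 403 pages without ever being sent to the change form. Reading the token from TokenStorageInterface and tolerating `null` avoids the problem noted above that `isGranted()` is unusable before the firewall has run.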
I think we can add checks in the SecuredManager class after it gets merged, that will assert the user does not need to change his password. If he does, access to all elements would be restricted.