As mentioned by andypost on #1938390-62: Convert contact_site_page and contact_person_page to a new-style Controller, there is no access to _account on 403 pages.
The reason is that ExceptionListener creates a new request for the error page without the previous _account attribute. That is a problem because on our 403/404 pages we render link blocks, so we need to check access, and the access checks need the account.
Proposed solution
Replace the Symfony event listener with one that takes care of _account and potentially other internal values.
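As an added illustration of the proposed solution (this is not one of the patches attached to the issue), the following kernel.exception subscriber rebuilds the error-page sub-request the way Symfony's ExceptionListener does, but copies every underscore-prefixed attribute (_account, _system_path, ...) from the original request onto the duplicate. The class name, the constructor argument and the event priority are assumptions; the Symfony classes and methods used are the ones the issue and its comments refer to.

```php
<?php
// Added example for this issue, not the attached patch. Demonstrates keeping
// internal "_"-prefixed request attributes (such as _account) when the
// error-page sub-request is created on kernel.exception.

use Symfony\Component\Debug\Exception\FlattenException;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Replacement for Symfony's ExceptionListener that preserves internal attributes.
 * (Class name is an assumption made for this example.)
 */
class AccountPreservingExceptionListener implements EventSubscriberInterface {

  /**
   * Controller reference that renders the 403/404 page (assumed to be injected).
   */
  protected $controller;

  public function __construct($controller) {
    $this->controller = $controller;
  }

  public static function getSubscribedEvents() {
    // Assumption: registered in place of the core listener, so the priority only
    // needs to be above any other exception listener that would set a response.
    return array(KernelEvents::EXCEPTION => array('onKernelException', 0));
  }

  public function onKernelException(GetResponseForExceptionEvent $event) {
    $request = $this->duplicateRequest($event->getException(), $event->getRequest());
    try {
      $response = $event->getKernel()->handle($request, HttpKernelInterface::SUB_REQUEST, FALSE);
    }
    catch (\Exception $e) {
      // Rendering the error page itself failed; leave the original exception
      // to propagate rather than masking it.
      return;
    }
    // setResponse() also stops propagation, so later listeners are skipped.
    $event->setResponse($response);
  }

  /**
   * Clones the request for the error controller, keeping "_"-prefixed attributes.
   */
  protected function duplicateRequest(\Exception $exception, Request $request) {
    $attributes = array(
      '_controller' => $this->controller,
      'exception' => FlattenException::create($exception),
    );
    // Request::duplicate() replaces the whole attribute bag when $attributes is
    // passed, which is how _account is lost. Copy the internal ones across
    // explicitly, without overriding the keys set above.
    foreach ($request->attributes->all() as $name => $value) {
      if (strpos($name, '_') === 0 && !array_key_exists($name, $attributes)) {
        $attributes[$name] = $value;
      }
    }
    $duplicate = $request->duplicate(NULL, NULL, $attributes);
    $duplicate->setMethod('GET');
    return $duplicate;
  }

}
```

With this in place the access checks run while rendering the link blocks on a 403/404 page see the same _account the failing request had, instead of falling back to an anonymous account. Note that later comments on this issue point to a current_user service as the eventual replacement for passing _account around on the request at all.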
Comment | File | Size | Author |
---|---|---|---|
#15 | routing-2057607-15.patch | 8.43 KB | yanniboi |
#15 | interdiff-11-15.txt | 614 bytes | yanniboi |
#11 | routing-2057607-11.patch | 8.11 KB | dawehner |
#7 | drupal-2057607-7.patch | 4.45 KB | dawehner |
#5 | 2057607.patch | 3.08 KB | dawehner |
Comments
Comment #1 by andypost
Suppose both changes are needed but no idea about tests.
Comment #3 by dawehner
As everything with an underscore is kind of special (_account, _system_path), I am wondering whether we should copy all of them.
Comment #4 by andypost
Proper patch; the previous one was on top of #1938390-67: Convert contact_site_page and contact_person_page to a new-style Controller + debug.
Do we really need to patch all sub-request creation places to properly pass the account, or do we need the same clone method?
Comment #5 by dawehner
Just a rough patch so other people can work on it.
Comment #7 by dawehner
Let's combine them.
Comment #8 by andypost
Now it needs tests, no idea about unit tests.
Comment #9 by dawehner
Adding tag. I will work on some tests.
Comment #10 by dawehner
Opened a pull request to make it easier to add additional parameters, see https://github.com/symfony/symfony/pull/8716
Comment #11 by dawehner
Here is a test.
For some odd reason I had to hack the error log in order to not fail due to a thrown exception.
Comment #12 by danylevskyi
I think the patch #2061907: Remove calls to deprecated global $user in shortcut module depends on this issue.
Comment #13 by dawehner
See #2062151: Create a current user service to ensure that current account is always available
Comment #15 by yanniboi
'Symfony\Component\HttpKernel\Exception\FlattenException' is a deprecated class, so I replaced it with 'Symfony\Component\Debug\Exception\FlattenException' to get rid of most of the test fails.
Comment #16 by disasm
#15: routing-2057607-15.patch queued for re-testing.
Comment #17 by dawehner
The approach used here can't work anymore, as we should rather rely on the current_user service.
Comment #18 by h3rj4n
This issue is out of scope. The parent issue (#1938390) already continued without the fix in this issue. The part that's addressed here is already fixed.
I also tested it and I don't get an exception on 403 pages. I enabled the contact module, created a new user with no rights for the contact form and tried to access the contact form as this user. I got a clean 403 page, without any errors or exceptions.
I set it to 'needs review' because I'm not confident enough to close it.
Comment #19 by dawehner
The current_user service should totally solve the problem described in the issue, so we can close this now.
Thanks for bringing that issue up again.