AccessDeniedException returns 500 instead of 403 when no firewall is defined. #34148

Closed
theredled opened this issue Oct 27, 2019 · 7 comments

@theredled

theredled commented Oct 27, 2019

Symfony version(s) affected: 3.4.32

Description
When you throw an AccessDeniedException in a controller and no firewall is defined, a 500 error code is given instead of the expected 403.

How to reproduce

  • make a new project (symfony new app)
  • in a new controller/action, write throw new AccessDeniedException(); or throw $this->createAccessDeniedException();
  • call page
  • a 500 error is raised.

Expected
A 403 error should be raised.

Notes
I know there are similar issues but they all are closed without having been fixed - from what I've seen.
(#15236 #11663 #19906 #8467 #20233)

@javiereguiluz
Member

If I'm right, this is considered a "feature", not a "bug". But I'd like this behavior to be reconsidered. My reasoning is:

  • If you throw AccessDeniedException, you clearly mean "you don't have access to this" ... so 403 seems the most reasonable response.
  • If your application has problems (security is not installed, firewall is not properly configured, etc.) that's "your problem" and shouldn't "leak" to end-users as a 500 HTTP error.

The only caveat is: if you throw 403 ... how can you know in dev environment that there's a config problem in your app? With a 500 error this is easy to spot.

@jvasseur
Contributor

jvasseur commented Oct 28, 2019

> If your application has problems (security is not installed, firewall is not properly configured, etc.) that's "your problem" and shouldn't "leak" to end-users as a 500 HTTP error.

I disagree here, a problem in your application is exactly what a 500 is for.

@javiereguiluz
Member

@jvasseur yes ... but at the same time ... the application is working perfectly and the controller is being executed perfectly ... and you put the "you don't have access" exception perfectly ... so it may be debatable that a 403 should be returned.

@nicolas-grekas
Member

nicolas-grekas commented Oct 28, 2019

Some exceptions do have semantics related to HTTP codes. But any other exceptions don't have meaning. They're 500. Why would this specific exception be known by HttpKernel when it's in a foreign component? There are no reasons to me. A firewall is the bridge between both worlds. If there is no bridge, a 500 is legit.

@javiereguiluz
Member

Then, let's close this as "won't fix/won't change". Thanks.

@theredled
Author

There's still something illogical to me:

  • either it's an Access Denied error and it has to be code 403.
  • or, as you say, it's a problem with configuration, then it shouldn't display "Access Denied", but some explicit error message like "No Firewall defined".

Here, everything looks like a 403, except the real return code 500 that is hidden in some network toolbar. There's something wrong.

@nicolas-grekas
Member

Thanks to new code infrastructure, we might be able to improve this. See #49193

chalasr added a commit that referenced this issue Feb 7, 2023
…is defined (nicolas-grekas)

This PR was merged into the 6.3 branch.

Discussion
----------

[Security] Return 403 instead of 500 when no firewall is defined

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | #34148
| License       | MIT
| Doc PR        | -

Looks like ranting on Twitter may pay off sometimes ;)

https://twitter.com/zodman/status/1620954291187097600

The changes on ErrorListener make `#[WithHttpStatus]` and `#[WithLogLevel]` propagate to child classes.

Best reviewed [ignoring white spaces](https://github.com/symfony/symfony/pull/49193/files?w=1).

Commits
-------

c021ce7 [Security] Return 403 instead of 500 when no firewall is defined
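As an added illustration (not code from the Symfony PR or from the project), this shows the attribute lookup the PR description refers to: a stand-in `WithHttpStatus` attribute and a hypothetical `resolveStatusCode()` that walks the exception's parent classes, so a project subclass of an attributed exception still maps to 403 while an exception with no attribute anywhere in its hierarchy stays a 500. The `WithHttpStatus`, `AccessDeniedException` and `ProjectAccessDeniedException` classes below are constructed stand-ins so the file runs without the framework installed.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony's WithHttpStatus attribute (constructed here so this
// file runs stand-alone); only the status code is modelled.
#[Attribute(Attribute::TARGET_CLASS)]
final class WithHttpStatus
{
    public function __construct(public readonly int $statusCode) {}
}

// Hypothetical resolver. PHP attributes are not inherited, so a lookup on the
// concrete class alone would miss an attribute declared on a parent; walking
// getParentClass() is what lets the status "propagate to child classes".
function resolveStatusCode(Throwable $e): int
{
    for ($class = new ReflectionClass($e); $class; $class = $class->getParentClass()) {
        foreach ($class->getAttributes(WithHttpStatus::class) as $attribute) {
            return $attribute->newInstance()->statusCode;
        }
    }

    // Nothing in the hierarchy declares an HTTP meaning: treat it as a
    // server error, which is the behaviour the thread debates for the
    // no-firewall case before the change.
    return 500;
}

// Stand-in for the Security component's exception, tagged with its HTTP code.
#[WithHttpStatus(403)]
class AccessDeniedException extends RuntimeException {}

// An application-level subclass that declares no attribute of its own.
final class ProjectAccessDeniedException extends AccessDeniedException {}

$samples = [
    new AccessDeniedException('no firewall configured'),
    new ProjectAccessDeniedException('inherited mapping'),
    new RuntimeException('unrelated failure'),
];

foreach ($samples as $e) {
    printf("%-30s => %d\n", $e::class, resolveStatusCode($e));
}
```

Because the lookup stops at the first class in the chain that carries the attribute, a subclass can still override the inherited code by declaring its own `#[WithHttpStatus]`.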