New in Symfony 2.5 Create the Correct Denied HTTP Exception

February 5, 2014 • Published by Avatar of Fabien Potencier\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border me-2"> Fabien Potencier

Klaus Silveira

Contributed by Klaus Silveira in #9405

Do you know the difference between Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException and Symfony\Component\Security\Core\Exception\AccessDeniedException?

Their names look very similar and both deal with resources for which the user does not have access. But which one should you use in a controller? This is probably counter-intuitive, but you should use Symfony\Component\Security\Core\Exception\AccessDeniedException. And when using an IDE, you might import the wrong exception pretty easily. As this is a frequent mistake, we even added a rule about this on SensioLabsInsight (and this violation is triggered quite often).

As of 2.5, you can now rely on a helper method that does the right thing (if you are using the Symfony\Bundle\FrameworkBundle\Controller\Controller base class):

throw $this->createAccessDeniedException('You cannot access this page!');

By the way, Symfony\Component\Security\Core\Exception\AccessDeniedException is the exception class you want to use because it is automatically caught by the Symfony Security Firewall, which generates the correct response for the user.

add a reaction ❤️ 👍 🚀

Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Frederic VIALLET\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

Frederic VIALLET said on Feb 5, 2014 at 15:32

So when to use such a "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" ?

Avatar of Piotr Gołębiewski\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

Piotr Gołębiewski said on Feb 5, 2014 at 22:16

@FredVelcro it's used internally and thrown by Symfony/Component/HttpKernel/EventListener/FragmentListener when the request is invalid or it comes from an untrusted ip

Avatar of Piotr Gołębiewski\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

Piotr Gołębiewski said on Feb 5, 2014 at 22:20

Judgeing by use cases, I'd say the AccessDeniedHttpException is used when the request itself is rejected, and AccessDeniedException is used when user has not enough credentials to access the resource.

Avatar of Gleb Sidora\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

Gleb Sidora said on Feb 6, 2014 at 08:27

@Piotr Gołębiewski If the exception is specific to Fragments sub-framework it's namespace should explicitly reference fragments

Avatar of kor3k kor3k\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

kor3k kor3k said on Feb 9, 2014 at 14:20

@FredVelcro or where you intentionally do not want to trigger the firewall handler

Avatar of Michal Mojzesz\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

Michal Mojzesz said on Feb 11, 2014 at 10:57

Thank you! I was writing about that two years ago. Not because of mistakes using wrong exception, but rather because I think 403 is also very often used exception in controllers.

https://github.com/symfony/symfony/issues/4297

Avatar of JeanBar\ \ \ '" class="ui-avatar d-inline-block ui-avatar-with-border">

JeanBar said on Mar 28, 2014 at 13:45

You seems to perfectly now that the name you've choosen sucks. Instead of correcting it, you keep in the same path and add a useless method.

Why the don't you deprecate something you failed in design ?

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.