Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[SecurityBundle] Allow for custom logout request matcher#22572
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
| * Sets a request matcher. | ||
| * | ||
| * @param RequestMatcherInterface $requestMatcher | ||
| */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Cannot it be passed as a new optional constructor argument rather than by using a method call?
I'm not sure someone is supposed to replace the abstract service definition, so it shouldn't be an issue.
This PR was squashed before being merged into the 2.7 branch (closes#22574).Discussion----------[Security] Fix phpdoc logout listener| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->| License | MIT| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->Separated from#22572Commits-------e843924 [Security] Fix phpdoc logout listener
ro0NL commentedApr 29, 2017
Looking at thefirewall configuration, which allows either Status: needs work |
ro0NL commentedApr 29, 2017
Then again.. the logout path is needed for url generation and enables using routes (also for matching). So tend to keep it as is :) Status: needs review |
… path (ro0NL)This PR was merged into the 2.7 branch.Discussion----------[Security] Avoid unnecessary route lookup for empty logout path| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no-ish| Deprecations? | no| Tests pass? | yes/no| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->| License | MIT| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->i first included this with#22572 where having `logout: { path: ~ }` makes more sense for disabling logout path matching/generation. But currently it's already allowed and causes an unneeded route lookup and url generation.Commits-------2967807 [Security] Avoid unnecessary route lookup for empty logout path
nicolas-grekas commentedSep 26, 2017
rebase needed |
| return$this->httpUtils->checkRequestPath($request,$this->options['logout_path']); | ||
| if (!isset($this->options['logout_path']) &&null ===$this->requestMatcher) { | ||
| returnfalse; | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Should this condition be allowed at all? This seems invalid: you should pass one or the other. We could catch this with validation inMainConfiguration (and an exception here). We should probably also not allowboth to be set.
nicolas-grekas commentedOct 8, 2017
Moving to 4.1. Rebase on master might be needed, where PHP 7.1 features can be used btw. |
Uh oh!
There was an error while loading.Please reload this page.
So you can do something like
and bypass path-matching, or combine it with a custom check afterwards.
Should go after#22574 and#22584