[Security] Explain lazy anonymous mode #13171
security.rst Outdated
| Nope, thanks to the ``anonymous`` key, this firewall *is* accessible anonymously. | ||
| It is useful to let users be authenticated as anonymous. It means any request | ||
| can have an anonymous token to access some resource, while some actions can require | ||
| some privileges. |
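Review bot: The closing clause "while some actions can require some privileges" is too vague for the point it carries. Say explicitly that a request authenticated as anonymous can still be refused for resources that require more than the anonymous token, so readers do not take "accessible anonymously" to mean unprotected. "Nope" is also informal for reference documentation; "No," would read better.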
I'm unsure if this is better than the original sentence. "tokens" is something that the reader at this point doesn't understand and the read flow looks better when starting with "No, ...".
I don't agree on this one. API token is used a few lines above, and guards are the main entry point now. Indeed, the flow is broken but I propose to change it all together. The anonymous concept has always been confusing and deserves to be clear as soon as we can since it is the first setting to start with, the sentence itself is clear enough IMO.
Furthermore, before the next line we encourage to see the WDT showing an authenticated anonymous user with an anonymous token, currently we're saying that Symfony is tricking us, instead of being explicit without explaining all the internals. Enough words :), what do you think of my new change?
wouterj commented Apr 11, 2020
Hi Jules! After a re-read of this PR, I like the changes. I'm not sure if I wrongly read it the first time or you did lots of improvements afterwards, but I decided to merge this PR :) I've done a little rewording in b64dd02 after the merge (looks more major due to line breaking changes). Let me know if you think some of them are invalid.
* 4.4: [#13171] Some small rewordings [Security] Explain lazy anonymous mode
* 5.0: [#13171] Some small rewordings [Security] Explain lazy anonymous mode
HeahDude commented Apr 11, 2020
Nice :), thanks @wouterj 👍
Fixes #12390.
I'm not sure about documenting the abstract listener, since we try here to simplify all the docs in the component. I guess this is a very advanced use case to create a custom firewall (never documented for now AFAIK) so this should be another issue/PR, or even a blog post.