Removed the comments about the is_granted() issues in non-secure pages #5891

Merged
weaverryan merged 1 commit into symfony:2.8 from javiereguiluz:fix_5860
Nov 22, 2015
16 changes: 7 additions & 9 deletions book/security.rst
Expand Up@@ -884,7 +884,7 @@ Access Control in Templates
...........................

If you want to check if the current user has a role inside a template, use
the built-in helper function:
the built-in``is_granted()``helper function:

.. configuration-block::
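Review bot: the new line "the built-in``is_granted()``helper function:" shows the inline literal running straight into the words on either side; reST only recognizes ``...`` as an inline literal when it is separated from adjacent text by whitespace, so please confirm the committed source reads "the built-in ``is_granted()`` helper function:" (if the missing spaces are only an artifact of the diff rendering, nothing to do). Naming the function at the point where it is introduced is otherwise a good precision, since it is what readers will search for.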

Expand All@@ -900,20 +900,18 @@ the built-in helper function:
<a href="...">Delete</a>
<?php endif ?>

If you use this function and you are *not* behind a firewall, an exception will
be thrown. Again, it's almost always a good idea to have a main firewall that
covers all URLs (as shown before in this chapter).

.. caution::
.. note::

Be careful with this in your base layout or on your error pages! Because of
some internal Symfony details, to avoid broken error pages inthe ``prod``
environment, wrap calls in these templates with a check for ``app.user``:
In Symfony versions previous to 2.8, using the ``is_granted()`` function
in a page that wasn't behind a firewall resulted inan exception. That's why
you also needed to check first for the existence of theuser:

.. code-block:: html+twig

{% if app.user and is_granted('ROLE_ADMIN') %}

Starting from Symfony 2.8, the ``app.user and ...`` check is no longer needed.

Securing other Services
.......................
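Review bot: the removed paragraph ("Again, it's almost always a good idea to have a main firewall that covers all URLs") carried a recommendation that is still valid in 2.8 and was not just a consequence of the old exception: a catch-all main firewall is what guarantees every request, error pages included, is handled by the security layer, so `app.user` and `is_granted()` behave consistently across the site. Consider keeping that sentence after the configuration block instead of dropping it together with the exception text. Separately, the new note explains the pre-2.8 failure but not the 2.8 behaviour; one sentence stating what `is_granted()` returns on a page with no active firewall would tell readers what to expect rather than only what no longer happens, and since this lands on the 2.8 branch the "Starting from Symfony 2.8" sentence is the kind of statement the docs normally mark with a `.. versionadded:: 2.8` directive rather than plain prose.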

20 changes: 1 addition & 19 deletions cookbook/controller/error_pages.rst
Expand Up@@ -96,7 +96,7 @@ To override the 404 error template for HTML pages, create a new
<h1>Page not found</h1>

{# example security usage, see below #}
{% ifapp.user andis_granted('IS_AUTHENTICATED_FULLY') %}
{% if is_granted('IS_AUTHENTICATED_FULLY') %}
{# ... #}
{% endif %}
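Review bot: the comment `{# example security usage, see below #}` above the changed line still points at a section "below", but the second hunk in this file deletes the "Avoiding Exceptions when Using Security Functions in Error Templates" section it referred to, so the pointer now dangles. Either drop "see below" from the comment or turn it into a reference to the note in book/security.rst that this PR adds. The change itself is consistent with 2.8: `{% if is_granted('IS_AUTHENTICATED_FULLY') %}` without the `app.user and` guard is exactly what the security chapter now documents.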

Expand DownExpand Up@@ -124,24 +124,6 @@ store the HTTP status code and message respectively.
for the standard HTML exception page or ``exception.json.twig`` for the JSON
exception page.

Avoiding Exceptions when Using Security Functions in Error Templates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the common pitfalls when designing custom error pages is to use the
``is_granted()`` function in the error template (or in any parent template
inherited by the error template). If you do that, you'll see an exception thrown
by Symfony.

The cause of this problem is that routing is done before security. If a 404 error
occurs, the security layer isn't loaded and thus, the ``is_granted()`` function
is undefined. The solution is to add the following check before using this function:

.. code-block:: twig

{% if app.user and is_granted('...') %}
{# ... #}
{% endif %}

.. _testing-error-pages:

Testing Error Pages during Development
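Review bot: deleting the section outright rather than rewriting it is the right call, because its explanation ("the security layer isn't loaded and thus, the ``is_granted()`` function is undefined") did not match the one in book/security.rst, where the function exists but threw an exception; but the 2.8 error-page docs now say nothing at all about using security functions in error templates. A single sentence beside the `is_granted('IS_AUTHENTICATED_FULLY')` example, pointing to the note in the security chapter, would stop readers coming from older docs from re-adding the `app.user and` guard. The `.. _testing-error-pages:` label and the heading after it survive the deletion intact, so cross-references to that anchor are unaffected.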