Symfony2 is_granted('IS_AUTHENTICATED_FULLY') during 404 error page display, causing ResourceNotFoundException

天命终不由人 2020-12-29 07:09

I have set up custom error pages to display for certain HTTP errors in the folder:

app/Resources/TwigBundle/views/Exception/

The 403 page (<

3 answers
  • 2020-12-29 07:30

    You can't use is_granted in a 404 page since 2.1.

    It's mentioned in the upgrade file:

    The Firewall listener is now registered after the Router listener. This means that specific Firewall URLs (like /login_check and /logout) must now have proper routes defined in your routing configuration. Also, if you have a custom 404 error page, make sure that you do not use any security related features such as is_granted on it.

    See: https://github.com/symfony/symfony/blob/master/UPGRADE-2.1.md#security

  • 2020-12-29 07:36

    If Symfony < 2.8:

    {% if app.user is not null and is_granted('ROLE_ADMIN') %}
    

    See : https://github.com/symfony/symfony-docs/issues/2078

    Edit from Dec 17 '15:

    This is no longer needed since 2.8,

    {% if is_granted('ROLE_ADMIN') %}
    

    works fine now.

    source: http://symfony.com/blog/new-in-symfony-2-8-dx-improvements#allow-to-check-for-security-even-in-pages-not-covered-by-firewalls

  • 2020-12-29 07:43

    I would suggest checking for app.security.token to be more strict and evaluate to true even when the user is anonymous.

    If you check for app.user it will evaluate to false in Exception templates, but also when the firewall is present (= regular templates) but the user is not logged in. This will prevent, for example, the display of a login button.

    See: https://github.com/symfony/symfony-docs/pull/2359
