Accessing routes protected with role ROLE_ADMIN returns a 500 Internal Error whereas in prod.log I have a DeniedAccessException #3111
Comments
temporary fix:
But to my mind it should be native to Symfony to catch this exception and transform it to a 403 instead of keeping it a 500. I opened this issue on Symfony: symfony/symfony#33044
Hmm... Do you have the I'm not fully sure, but I suspect
To check, I've just done: It doesn't remove anything and I still can see the folder. With
So it seems impossible to remove
Oh, okay. So please ignore what I've said. Haha... I'm not sure what's going on.
Hey, I noticed this in tests checking security on a resource.
I came up with exception_to_status, but it just works in prod, I think?
I think the error is because the security exception goes through https://github.com/api-platform/core/blob/master/src/Action/ExceptionAction.php#L53 but it is a

```php
$exceptionClass = method_exists($exception, 'getClass') ? $exception->getClass() : get_class($exception);
```
This should be fixed by symfony/symfony#34411 discussed in #3246. Update ApiPlatform if you want Symfony's error handler to work properly.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi,
I opened an issue here api-platform/admin#193 but I think that it's also linked to the core package so I prefer to add it here.
I have an API with different routes. Some of them require ROLE_USER, and others require ROLE_ADMIN.
When I log in with a user that has ROLE_ADMIN, everything works well.
When I log in with a user that has ROLE_USER and try to access a route protected with a higher ROLE, then I have a 500 error instead of a 403.
For example if I use api-platform/admin to log in then I can see this in devtools:
those routes are ok:
All other routes just fail with a 500 Access Denied in dev or prod mode
Here is some information about an Entity with ROLE_ADMIN:
Here is the security part:
Here is the symfony log:
I have even tried to add this Exception into config/packages/api_platform.yaml: (which i expect to be managed natively)
You can test the app here:
https://petkennel.myalerts.org/admin
user admin: admin@localhost / pwd
user standard: userOne@localhost / pwd
Or you can also use POSTMAN:
POST uri: https://petkennel.myalerts.org/api/login
BODY : {"username":"admin@localhost","password":"pwd"}
Then you can call API routes with Basic HTTP authentication (no need for JWT on this project): just base64-encode email:the_token_you_received_on_login and add it to the Header Authorization: Basic ...
Thanks for the help
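The `exception_to_status` mapping that the comments mention and that the reporter says they tried in config/packages/api_platform.yaml, written out as an added example (this is not the reporter's file nor API Platform's own configuration). It assumes API Platform's documented `api_platform.exception_to_status` key and the Symfony security component's `AccessDeniedException` class; the second entry is a hypothetical application-level exception included only to show that several classes can be mapped in one place.

```yaml
# config/packages/api_platform.yaml  (added example, not the reporter's config)
api_platform:
    # Map exception classes to the HTTP status API Platform's ExceptionAction
    # should return. Matching is by class, so subclasses of a listed class
    # are covered too. Without an entry here, a security denial that is
    # not handled elsewhere surfaces as a generic 500, which tells the
    # client "server fault" instead of "you are not allowed".
    exception_to_status:
        # Thrown by access_control / is_granted() when the user lacks the role
        Symfony\Component\Security\Core\Exception\AccessDeniedException: 403
        # Hypothetical domain exception, only to show multiple mappings
        App\Exception\QuotaExceededException: 429
```

To check the effect, authenticate as the ROLE_USER account and request a ROLE_ADMIN resource; the expected status is 403 with API Platform's JSON error body rather than 500. Note that in dev mode Symfony's debug handler can still render its own error page for the same exception, which is the behaviour one commenter above suspects when they say the mapping "just works in prod"; verify in the environment that actually serves the API.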