Removed the comments about the is_granted() issues in non-secure pages

symfony · Nov 17, 2015 · 1361715 · 1361715
1 parent 0061abe
commit 1361715
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 28 deletions.
diff --git a/book/security.rst b/book/security.rst
@@ -884,7 +884,7 @@ Access Control in Templates
 ...........................
 
 If you want to check if the current user has a role inside a template, use
-the built-in helper function:
+the built-in ``is_granted()`` helper function:
 
 .. configuration-block::
 
@@ -900,20 +900,18 @@ the built-in helper function:
             <a href="...">Delete</a>
         <?php endif ?>
 
-If you use this function and you are *not* behind a firewall, an exception will
-be thrown. Again, it's almost always a good idea to have a main firewall that
-covers all URLs (as shown before in this chapter).
-
-.. caution::
+.. note::
 
-    Be careful with this in your base layout or on your error pages! Because of
-    some internal Symfony details, to avoid broken error pages in the ``prod``
-    environment, wrap calls in these templates with a check for ``app.user``:
+    In Symfony versions previous to 2.8, using the ``is_granted()`` function
+    in a page that wasn't behind a firewall resulted in an exception. That's why
+    you also needed to check first for the existence of the user:
 
     .. code-block:: html+twig
 
         {% if app.user and is_granted('ROLE_ADMIN') %}
 
+    Starting from Symfony 2.8, the ``app.user and ...`` check is no longer needed.
+
 Securing other Services
 .......................
 

diff --git a/cookbook/controller/error_pages.rst b/cookbook/controller/error_pages.rst
@@ -96,7 +96,7 @@ To override the 404 error template for HTML pages, create a new
         <h1>Page not found</h1>
 
         {# example security usage, see below #}
-        {% if app.user and is_granted('IS_AUTHENTICATED_FULLY') %}
+        {% if is_granted('IS_AUTHENTICATED_FULLY') %}
             {# ... #}
         {% endif %}
 
@@ -124,24 +124,6 @@ store the HTTP status code and message respectively.
     for the standard HTML exception page or ``exception.json.twig`` for the JSON
     exception page.
 
-Avoiding Exceptions when Using Security Functions in Error Templates
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-One of the common pitfalls when designing custom error pages is to use the
-``is_granted()`` function in the error template (or in any parent template
-inherited by the error template). If you do that, you'll see an exception thrown
-by Symfony.
-
-The cause of this problem is that routing is done before security. If a 404 error
-occurs, the security layer isn't loaded and thus, the ``is_granted()`` function
-is undefined. The solution is to add the following check before using this function:
-
-.. code-block:: twig
-
-    {% if app.user and is_granted('...') %}
-        {# ... #}
-    {% endif %}
-
 .. _testing-error-pages:
 
 Testing Error Pages during Development