Janusz Slota

Reputation: 383

How to create a Forbidden Response in Symfony2?

I just discovered SensioLabsInsight and found very interesting tips on how to write good code. It would be great if there was some explanation on why (or why not) something should be used - even for basic stuff like exit and die. It would help me to explain things to people I work with.

So my question is specifically for AccessDeniedHttpException - it says:

Symfony applications should not throw AccessDeniedHttpException

So how do I return 403 Forbidden from the application controller or EventListener?
What is the best practice?

To be honest, I thought it would be

throw new AccessDeniedHttpException()

Since for 404 you have

throw $this->createNotFoundException()

But it looks like I was wrong.

Upvotes: 12

Views: 15519

Answers (4)

Alexey B.

Reputation: 12033

I think it means that you must throw AccessDeniedException instead of directly throwing AccessDeniedHttpException.

The main reason is that AccessDeniedException is caught by the event listener in Symfony\Component\Security\Http\Firewall\ExceptionListener, and then you can do some stuff with it. Check the onKernelException function.

Upvotes: 22
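Added example of what this answer describes (not code from the thread or from Symfony itself): a controller throws the Security component's AccessDeniedException and leaves the 403 to the firewall's ExceptionListener, and a separate kernel.exception listener turns that exception into a JSON 403 for API routes. The bundle, class, role name, the /api/ prefix and the listener priority are assumptions; the security.context service is the Symfony 2.x name.

```php
<?php
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class ReportController extends Controller
{
    public function showAction($id)
    {
        // Throw the Security component's exception, not AccessDeniedHttpException.
        // The firewall's ExceptionListener catches it: an authenticated user gets
        // a 403 (or whatever access_denied_handler is configured), while an
        // anonymous user is sent through the entry point, e.g. to the login form.
        // ROLE_REPORT_VIEWER is an assumed role name.
        if (!$this->get('security.context')->isGranted('ROLE_REPORT_VIEWER')) {
            throw new AccessDeniedException('ROLE_REPORT_VIEWER is required.');
        }

        return new Response('report ' . $id);
    }
}

// Registered on kernel.exception with a priority above the firewall's
// ExceptionListener (assumption: tagged in services.yml with priority 10),
// so API clients receive a JSON 403 instead of a redirect to the login page.
class ApiAccessDeniedListener
{
    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();
        $request   = $event->getRequest();

        // Only handle access denials on API paths; everything else stays with
        // the firewall's own handling.
        if (!$exception instanceof AccessDeniedException
            || strpos($request->getPathInfo(), '/api/') !== 0) {
            return;
        }

        // A generic body: the exception message (which role was missing) is
        // kept out of the response so callers learn nothing about the ACL.
        $event->setResponse(new JsonResponse(array('error' => 'Forbidden'), 403));
    }
}
```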

Diego Mazzaro

Reputation: 2882

That sentence has to be considered with the whole architecture of Symfony in mind.

In the Symfony framework there is a whole subsystem devoted to security, applying the 2-step Authentication + Authorization process. That said, in the architecture of Symfony the Controllers, which are basically what the framework leaves to you to develop (and so they are "the application"), will be called only if the Authentication + Authorization has been passed.

So that sentence says that you should not need to throw that Exception, because that is the work of the Security component. Doing that is not forbidden or even made impossible, but it is not the way the framework has normally been designed to work.

This can happen in two situations:

  1. Your application is particular and you need to do it that way
  2. You are doing the security work outside the framework's way of doing it. It is your choice; just evaluate the costs/benefits of not using the framework features and writing your own.

Upvotes: 4

Sergey Bleih

Reputation: 225

Here is Controller::createNotFoundException() implementation:

use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

// Excerpt from Symfony's base Controller class: the helper only builds the
// exception; the caller is expected to throw it.
public function createNotFoundException($message = 'Not Found', \Exception $previous = null)
{
    return new NotFoundHttpException($message, $previous);
}

It throws a slightly different exception.

I don't know the reason for this tip. Maybe it's because in a controller or event listener you can directly return the Response, without throwing an exception and thus triggering other event listeners.

Symfony uses event listeners to handle exceptions. You can create your own listeners and manage the response. It might be useful for an API. For example, I have used it to return pretty JSON responses in the dev environment (with stack trace and additional debugging info).

Upvotes: -3

Tocacar

Reputation: 475

Looking here http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html, it seems like you might be able to throw an AuthenticationException, which returns a 403 Response (?)

Upvotes: 0
