Open ComaVN opened 7 years ago

Since the file containing the routes is served publicly (through `/js/routing`), without authentication or authorization, an attacker without a valid login might learn more about the restricted part of a website than strictly necessary.
We can prevent this by placing that route behind the Symfony firewall, but then we wouldn't be able to use publicly accessible routes in pages that don't require a logged-in user.
Is it possible, or is it even desirable, to generate a different list of routes, based on the user's authorization?
I realize this is a minor concern, and ideally, knowledge of routes should never be a security risk. However, whatever we can do to make the work of a would-be attacker harder is a plus in my opinion.

Hi @ComaVN,
Of course, nothing is impossible 😉 However, this creates a lot of complications (these are the first crossing my mind):
I certainly think it is doable, but I'm wondering whether it is worth the effort. You are, of course, welcome to submit a PR and I'll certainly have a look at it.
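One way to implement the per-user filtering asked about in this issue, as an added example that is neither FOSJsRoutingBundle code nor code from either participant: it assumes a hypothetical route option named `expose_roles` listing the roles allowed to see a route, and relies only on Symfony's `RouteCollection` and `AuthorizationCheckerInterface`, which do exist with the calls used here.

```php
<?php
// Added example (not FOSJsRoutingBundle code). Filters the RouteCollection that
// would be serialised for /js/routing so that routes declaring the hypothetical
// option "expose_roles" are only included when the current user holds one of
// those roles. Routes without the option are left as they are today.

use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class AuthorizedRouteFilter
{
    public function __construct(private AuthorizationCheckerInterface $authChecker) {}

    /** Returns a new collection containing only the routes the current user may see. */
    public function filter(RouteCollection $exposed): RouteCollection
    {
        $visible = new RouteCollection();
        foreach ($exposed->all() as $name => $route) {
            if ($this->isVisible($route)) {
                $visible->add($name, $route);
            }
        }

        return $visible;
    }

    private function isVisible(Route $route): bool
    {
        $roles = $route->getOption('expose_roles'); // hypothetical option name
        if ($roles === null) {
            return true; // no restriction declared: exposed exactly as before
        }
        if (!is_array($roles) || $roles === []) {
            return false; // malformed or empty restriction: fail closed
        }
        foreach ($roles as $role) {
            if ($this->authChecker->isGranted($role)) {
                return true;
            }
        }

        return false;
    }
}
```

Because the generated list now depends on the caller, any HTTP or file caching of the routing file has to be keyed by the user's roles or disabled. Hiding route names only reduces what an unauthenticated visitor learns; the routes themselves still need their own access control.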