Closed mmuruev closed 10 years ago
Can you show a piece of code that explains your problem?
Closing as there is no feedback. Feel free to reopen with more information.
'security.access_rules' => array(
    array('^/onlyget', Constants::ROLE_USER, 'method' => 'GET'),
),
This is not the job of the security system to handle it IMO (doing a POST request on a URL accepting only GET should result in a 406, not in a 403). Allowing or forbidding HTTP methods is the job of the router.
Well, in Symfony this works according to the doc, so why shouldn't it for Silex?
In Symfony, it is not about forbidding POST requests, but about applying the access rule only for the GET requests (meaning that POST requests will continue looking for a match).
Yes, but they should be forbidden in the firewall. Otherwise mentioning the method is pointless.
@mmuruev the firewall is not about forbidding methods on some URLs. The routing layer should be responsible for it, so that you get a proper 406, not a 403. And Silex already supports defining the method requirement on routes.
The router actually hardcodes the path... but what if I want it to depend dynamically on rules? For example, GET allowed for ALL but POST only for the ADMIN role? This sounds much more like a firewall rule to me than routing. And in that case 403 is exactly the right error.
@mmuruev define all your public routes with $app->get() and it will put the method requirement automatically.
And no, using the wrong method to call a URL is not something which should return a 403. 406 Method not Allowed is the appropriate status code.
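An added example (not code from this issue thread or from Silex itself) of the split the reply above describes: the router decides which methods exist on a path and answers 405 for the rest, while the access map decides who may use a method and answers 403/401. It assumes Silex 1.x where an access rule's first element may be a Symfony RequestMatcher instead of a path string; the route paths, user and role names are invented.

```php
<?php
// Added example, not code from the Silex issue. Assumes Silex 1.x with the
// SecurityServiceProvider and Composer autoloading; paths, user and role
// names are invented for illustration.
require_once __DIR__.'/vendor/autoload.php';

use Silex\Application;
use Silex\Provider\SecurityServiceProvider;
use Symfony\Component\HttpFoundation\RequestMatcher;

$app = new Application();

$app->register(new SecurityServiceProvider(), array(
    'security.firewalls' => array(
        'main' => array(
            'pattern'   => '^/',
            'http'      => true,  // HTTP basic: entry point answers 401 when a rule is not satisfied
            'anonymous' => true,  // unauthenticated GETs get an anonymous token instead of a 401
            'users'     => array(
                // Placeholder: replace with a hash produced by $app['security.encoder.digest']
                'admin' => array('ROLE_ADMIN', '<encoded-password-placeholder>'),
            ),
        ),
    ),
    'security.access_rules' => array(
        // Authorization, method-aware: only POST /items requires ROLE_ADMIN.
        // GET /items matches no rule and stays open to everyone, anonymous included.
        array(new RequestMatcher('^/items', null, array('POST')), 'ROLE_ADMIN'),
    ),
));

// Routing, method-aware: registering GET and POST separately is what makes the
// router answer PUT or DELETE /items with 405 (Allow: GET, POST). The router
// listener runs before the firewall listener, so the firewall never sees them.
$app->get('/items', function () {
    return 'public list of items';
});

$app->post('/items', function () {
    return 'item created (ROLE_ADMIN only)';
});

$app->run();
```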
I can't set only POST or GET in 'security.access_rules'. Silex still uses GET and POST. I've checked it with an invalid PUT request and got that (Allow: GET, POST). Why? Silex 1.0.x