Allow to customize deeper the AccessDeniedListener

Author: GuilhemN

EventListener/AccessDeniedListener.php

@@ -12,15 +12,14 @@
 namespace FOS\RestBundle\EventListener;
 
 use FOS\RestBundle\FOSRestBundle;
-use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
-use Symfony\Component\HttpKernel\EventListener\ExceptionListener;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
 /**
  * This listener handles ensures that for specific formats AccessDeniedExceptions
@@ -30,25 +29,22 @@
  *
  * @internal
  */
-class AccessDeniedListener extends ExceptionListener
+class AccessDeniedListener implements EventSubscriberInterface
 {
     private $formats;
     private $challenge;
 
     /**
      * Constructor.
      *
-     * @param array           $formats    An array with keys corresponding to request formats or content types
-     *                                    that must be processed by this listener
-     * @param string          $challenge
-     * @param string          $controller
-     * @param LoggerInterface $logger
+     * @param array  $formats   An array with keys corresponding to request formats or content types
+     *                          that must be processed by this listener
+     * @param string $challenge
      */
-    public function __construct($formats, $challenge, $controller, LoggerInterface $logger = null)
+    public function __construct($formats, $challenge)
     {
         $this->formats = $formats;
         $this->challenge = $challenge;
-        parent::__construct($controller, $logger);
     }
 
     public function onKernelException(GetResponseForExceptionEvent $event)
@@ -76,15 +72,13 @@ public function onKernelException(GetResponseForExceptionEvent $event)
         if ($exception instanceof AccessDeniedException) {
             $exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception);
             $event->setException($exception);
-            parent::onKernelException($event);
         } elseif ($exception instanceof AuthenticationException) {
             if ($this->challenge) {
                 $exception = new UnauthorizedHttpException($this->challenge, 'You are not authenticated', $exception);
             } else {
                 $exception = new HttpException(401, 'You are not authenticated', $exception);
             }
             $event->setException($exception);
-            parent::onKernelException($event);
         }
 
         $handling = false;

Resources/config/access_denied_listener.xml

@@ -11,8 +11,6 @@
             <tag name="monolog.logger" channel="request" />
             <argument type="collection" /> <!-- formats -->
             <argument /> <!-- unauthorized challenge -->
-            <argument>%twig.exception_listener.controller%</argument>
-            <argument type="service" id="logger" on-invalid="null" />
         </service>
 
     </services>

Resources/doc/3-listener-support.rst

@@ -193,7 +193,7 @@ You need to enable this listener as follows, as it is disabled by default:
             # all requests using the 'json' format will return a 403 on an access denied violation
             json: true
 
-It is also recommended to enable the exception controller described in the next chapter.
+Note: The access_denied_listener doesn't return a response itself and must be coupled with an exception listener returning a response (see the :doc:`FOSRestBundle exception controller <4-exception-controller-support>`. or the `twig exception controller`_).
 
 Zone Listener
 =============
@@ -238,3 +238,4 @@ That was it!
 .. _`ParamConverters`: http://symfony.com/doc/master/bundles/SensioFrameworkExtraBundle/annotations/converters.html
 .. _`mime type listener`: http://symfony.com/doc/current/cookbook/request/mime_type.html
 .. _`Test Cases for HTTP Test Cases for the HTTP WWW-Authenticate header field`: http://greenbytes.de/tech/tc/httpauth/
+.. _`twig exception controller`: https://symfony.com/doc/current/cookbook/controller/error_pages.html

UPGRADING.md

@@ -27,6 +27,7 @@ This document will be updated to list important BC breaks and behavioral changes
    * ``UNLOCK``
  * the ``RequestBodyParamConverter`` now has a priority of ``-50``
  * the ``RequestBodyParamConverter`` doesn't throw an exception anymore when a parameter is optional
+ * removed the ability of the ``AccessDeniedListener`` to render a response. Use the FOSRestBundle or the twig exception controller in complement.
 
 ### upgrading from 1.5.*