What is Symfony?
Get started
Documentation
Community
Services
News

Latest News

The Symfony Core Team is back

by Javier Eguiluz – April 09, 2014

What happened last week in Symfony?

This week, the most relevant news about Symfony project was the re-introduction of the Symfony Core Team, which could boost the Symfony development. In addition, the first beta of Symfony 2.5 was released, fixing important issues such as the database session storage for high-concurrency websites.

Upcoming Events

The Symfony Community organizes events all over the world on a regular basis. Here are the next ones.

Mexico, Mexico City — SymfonyDay Mexico

from April 23, 2014 to April 25, 2014

Germany, Berlin — Das nächste Treffen der #sfugberlin steht an

on April 23, 2014, from 19:00 to 22:30

Spain, Barcelona — deSymfonyDay 2014

on May 31, 2014, from 09:00 to 20:00

Germany, Köln — Einstieg in Symfony2

on June 05, 2014, from 09:00 to 17:30
About

Blog

New in Symfony 2.5: Create the Correct Denied HTTP Exception
by Fabien Potencier – February 05, 2014 – 7 comments

Do you know the difference between Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException and Symfony\Component\Security\Core\Exception\AccessDeniedException?

Their names look very similar and both deal with resources for which the user does not have access. But which one should you use in a controller? This is probably counter-intuitive, but you should use Symfony\Component\Security\Core\Exception\AccessDeniedException. And when using an IDE, you might import the wrong exception pretty easily. As this is a frequent mistake, we even added a rule about this on SensioLabsInsight (and this violation is triggered quite often).

As of 2.5, you can now rely on a helper method that does the right thing (if you are using the Symfony\Bundle\FrameworkBundle\Controller\Controller base class):

throw $this->createAccessDeniedException('You cannot access this page!');

By the way, Symfony\Component\Security\Core\Exception\AccessDeniedException is the exception class you want to use because it is automatically caught by the Symfony Security Firewall, which generates the correct response for the user.

Add a Comment

Connect to post a comment

Comments

#1 FredV said on the 2014/02/05 at 15:32

So when to use such a "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" ?
#2 Piotr Gołębiewski said on the 2014/02/05 at 22:16

@FredVelcro it's used internally and thrown by Symfony/Component/HttpKernel/EventListener/FragmentListener when the request is invalid or it comes from an untrusted ip
#3 Piotr Gołębiewski said on the 2014/02/05 at 22:20

Judgeing by use cases, I'd say the AccessDeniedHttpException is used when the request itself is rejected, and AccessDeniedException is used when user has not enough credentials to access the resource.
#4 Sidora Gleb said on the 2014/02/06 at 08:27

@Piotr Gołębiewski
If the exception is specific to Fragments sub-framework it's namespace should explicitly reference `fragments`
#5 kor3k kor3k said on the 2014/02/09 at 14:20

@FredVelcro or where you intentionally do not want to trigger the firewall handler
#6 Michal Mojzesz said on the 2014/02/11 at 10:57

Thank you! I was writing about that two years ago. Not because of mistakes using wrong exception, but rather because I think 403 is also very often used exception in controllers.

https://github.com/symfony/symfony/issues/4297
#7 JeanBar said on the 2014/03/28 at 13:45

You seems to perfectly now that the name you've choosen sucks.
Instead of correcting it, you keep in the same path and add a useless method.

Why the don't you deprecate something you failed in design ?