What is Symfony?
Get started
Documentation
Community
Services
News

Latest News

OroCRM, the new kid on the Symfony2 block

by Yoav Kutner – March 03, 2014

What happened last week in Symfony?

This week the Console component greatly improved the ProgressBar helper and the ClassLoader component added a PSR-4 compatible class loader. Meanwhile, the refactorization of HttpKernel component started with the extraction of the profiler to a new component. In addition, the internal web server added support for HHVM.

Upcoming Events

The Symfony Community organizes events all over the world on a regular basis. Here are the next ones.

Germany, Cologne — BootCamp Cologne

on March 21, 2014, from 09:00 to 18:00

Germany, Köln — Symfony User Group Cologne - March edition

on March 21, 2014, from 19:00 to 21:30

France, Paris — SymfonyLive Paris 2014

from April 07, 2014 to April 08, 2014

Mexico, Mexico City — SymfonyDay Mexico

from April 23, 2014 to April 25, 2014
About

Blog

New in Symfony 2.5: Create the Correct Denied HTTP Exception
by Fabien Potencier – February 05, 2014 – 6 comments

Do you know the difference between Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException and Symfony\Component\Security\Core\Exception\AccessDeniedException?

Their names look very similar and both deal with resources for which the user does not have access. But which one should you use in a controller? This is probably counter-intuitive, but you should use Symfony\Component\Security\Core\Exception\AccessDeniedException. And when using an IDE, you might import the wrong exception pretty easily. As this is a frequent mistake, we even added a rule about this on SensioLabsInsight (and this violation is triggered quite often).

As of 2.5, you can now rely on a helper method that does the right thing (if you are using the Symfony\Bundle\FrameworkBundle\Controller\Controller base class):

throw $this->createAccessDeniedException('You cannot access this page!');

By the way, Symfony\Component\Security\Core\Exception\AccessDeniedException is the exception class you want to use because it is automatically caught by the Symfony Security Firewall, which generates the correct response for the user.

Add a Comment

Connect to post a comment

Comments

#1 FredV said on the 2014/02/05 at 15:32

So when to use such a "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" ?
#2 Piotr Gołębiewski said on the 2014/02/05 at 22:16

@FredVelcro it's used internally and thrown by Symfony/Component/HttpKernel/EventListener/FragmentListener when the request is invalid or it comes from an untrusted ip
#3 Piotr Gołębiewski said on the 2014/02/05 at 22:20

Judgeing by use cases, I'd say the AccessDeniedHttpException is used when the request itself is rejected, and AccessDeniedException is used when user has not enough credentials to access the resource.
#4 Sidora Gleb said on the 2014/02/06 at 08:27

@Piotr Gołębiewski
If the exception is specific to Fragments sub-framework it's namespace should explicitly reference `fragments`
#5 kor3k kor3k said on the 2014/02/09 at 14:20

@FredVelcro or where you intentionally do not want to trigger the firewall handler
#6 Michal Mojzesz said on the 2014/02/11 at 10:57

Thank you! I was writing about that two years ago. Not because of mistakes using wrong exception, but rather because I think 403 is also very often used exception in controllers.

https://github.com/symfony/symfony/issues/4297