[Security] fixed error 500 instead of 403 if previous exception is provided to AccessDeniedException

karion · fabpot · commit b9a76a6f9661 · 2013-12-28T17:11:12.000+01:00
diff --git a/Firewall/ExceptionListener.php b/Firewall/ExceptionListener.php
@@ -83,79 +83,95 @@ public function onKernelException(GetResponseForExceptionEvent $event)
         $exception = $event->getException();
         $request = $event->getRequest();
 
-        // determine the actual cause for the exception
-        while (null !== $previous = $exception->getPrevious()) {
-            $exception = $previous;
-        }
-
-        if ($exception instanceof AuthenticationException) {
-            if (null !== $this->logger) {
-                $this->logger->info(sprintf('Authentication exception occurred; redirecting to authentication entry point (%s)', $exception->getMessage()));
-            }
-
-            try {
-                $response = $this->startAuthentication($request, $exception);
-            } catch (\Exception $e) {
-                $event->setException($e);
-
-                return;
-            }
-        } elseif ($exception instanceof AccessDeniedException) {
-            $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
-
-            $token = $this->context->getToken();
-            if (!$this->authenticationTrustResolver->isFullFledged($token)) {
+        while (null !== $exception) {
+            if ($exception instanceof AuthenticationException) {
                 if (null !== $this->logger) {
-                    $this->logger->debug(sprintf('Access is denied (user is not fully authenticated) by "%s" at line %s; redirecting to authentication entry point', $exception->getFile(), $exception->getLine()));
+                    $this->logger->info(sprintf('Authentication exception occurred; redirecting to authentication entry point (%s)', $exception->getMessage()));
                 }
 
                 try {
-                    $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.', 0, $exception);
-                    $insufficientAuthenticationException->setToken($token);
-                    $response = $this->startAuthentication($request, $insufficientAuthenticationException);
+                    $response = $this->startAuthentication($request, $exception);
+
+                    break;
                 } catch (\Exception $e) {
                     $event->setException($e);
 
                     return;
                 }
-            } else {
-                if (null !== $this->logger) {
-                    $this->logger->debug(sprintf('Access is denied (and user is neither anonymous, nor remember-me) by "%s" at line %s', $exception->getFile(), $exception->getLine()));
-                }
+            }
 
-                try {
-                    if (null !== $this->accessDeniedHandler) {
-                        $response = $this->accessDeniedHandler->handle($request, $exception);
+            if ($exception instanceof AccessDeniedException) {
+                $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
 
-                        if (!$response instanceof Response) {
-                            return;
-                        }
-                    } elseif (null !== $this->errorPage) {
-                        $subRequest = $this->httpUtils->createRequest($request, $this->errorPage);
-                        $subRequest->attributes->set(SecurityContextInterface::ACCESS_DENIED_ERROR, $exception);
+                $token = $this->context->getToken();
+                if (!$this->authenticationTrustResolver->isFullFledged($token)) {
+                    if (null !== $this->logger) {
+                        $this->logger->debug(sprintf('Access is denied (user is not fully authenticated) by "%s" at line %s; redirecting to authentication entry point', $exception->getFile(), $exception->getLine()));
+                    }
+
+                    try {
+                        $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.', 0, $exception);
+                        $insufficientAuthenticationException->setToken($token);
+                        $response = $this->startAuthentication($request, $insufficientAuthenticationException);
+
+                        break;
+                    } catch (\Exception $e) {
+                        $event->setException($e);
 
-                        $response = $event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true);
-                    } else {
                         return;
                     }
-                } catch (\Exception $e) {
+                } else {
                     if (null !== $this->logger) {
-                        $this->logger->error(sprintf('Exception thrown when handling an exception (%s: %s)', get_class($e), $e->getMessage()));
+                        $this->logger->debug(sprintf('Access is denied (and user is neither anonymous, nor remember-me) by "%s" at line %s', $exception->getFile(), $exception->getLine()));
                     }
 
-                    $event->setException(new \RuntimeException('Exception thrown when handling an exception.', 0, $e));
+                    try {
+                        if (null !== $this->accessDeniedHandler) {
+                            $response = $this->accessDeniedHandler->handle($request, $exception);
 
-                    return;
+                            if (!$response instanceof Response) {
+                                return;
+                            }
+
+                            break;
+                        }
+
+                       if (null !== $this->errorPage) {
+                            $subRequest = $this->httpUtils->createRequest($request, $this->errorPage);
+                            $subRequest->attributes->set(SecurityContextInterface::ACCESS_DENIED_ERROR, $exception);
+
+                            $response = $event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true);
+
+                            break;
+                       }
+
+                       return;
+
+                    } catch (\Exception $e) {
+                        if (null !== $this->logger) {
+                            $this->logger->error(sprintf('Exception thrown when handling an exception (%s: %s)', get_class($e), $e->getMessage()));
+                        }
+
+                        $event->setException(new \RuntimeException('Exception thrown when handling an exception.', 0, $e));
+
+                        return;
+                    }
+                }
+            }
+
+            if ($exception instanceof LogoutException) {
+                if (null !== $this->logger) {
+                    $this->logger->info(sprintf('Logout exception occurred; wrapping with AccessDeniedHttpException (%s)', $exception->getMessage()));
                 }
+
+                return;
             }
-        } elseif ($exception instanceof LogoutException) {
-            if (null !== $this->logger) {
-                $this->logger->info(sprintf('Logout exception occurred; wrapping with AccessDeniedHttpException (%s)', $exception->getMessage()));
+
+            if (null === $exception->getPrevious()) {
+                return;
             }
 
-            return;
-        } else {
-            return;
+            $exception = $exception->getPrevious();
         }
 
         $event->setResponse($response);
