Commit 35b812c

[#12605] Transformed GET parameter notice to caution
1 parent 1120d23 commit 35b812c

1 file changed

+10
-5
lines changed

security/access_control.rst

Lines changed: 10 additions & 5 deletions
@@ -93,11 +93,10 @@ Take the following ``access_control`` entries as an example:
9393
]);
9494
9595
For each incoming request, Symfony will decide which ``access_control``
96-
to use based on the URI (without the ``GET`` parameters), the
97-
client's IP address, the incoming host name, and the request method.
98-
Remember, the first rule that matches is used, and if ``ips``, ``host``
99-
or ``methods`` are not specified for an entry, that ``access_control``
100-
will match any ``ips``, ``host`` or ``methods``:
96+
to use based on the URI, the client's IP address, the incoming host name, and
97+
the request method. Remember, the first rule that matches is used, and if
98+
``ips``, ``host`` or ``methods`` are not specified for an entry, that
99+
``access_control`` will match any ``ips``, ``host`` or ``methods``:
101100

102101
+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
103102
| URI | IP | HOST | METHOD | ``access_control`` | Why? |
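Review bot: In the rewritten sentence at new line 96, dropping "(without the ``GET`` parameters)" leaves "based on the URI" unqualified, and a reader can take that to include the query string; the only correction is the caution added after the table further down. Because the sentence goes on to say that the first rule that matches is used, a reader who stops here could write a rule expecting it to see query parameters. Consider keeping a short qualifier inline, for example "based on the URI (without the query string)", and leaving the caution as the place that explains what to do instead. The re-wrap of the remaining lines also makes a one-phrase removal show up as a five-line change; keeping the original line breaks would make the diff easier to review.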
@@ -127,6 +126,12 @@ will match any ``ips``, ``host`` or ``methods``:
127126
| | | | | | URI doesn't match any of the ``path`` values. |
128127
+-----------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
129128

129+
.. caution::
130+
131+
Matching the URI is done without ``$_GET`` parameters.
132+
:ref:`Deny access in PHP code <security-securing-controller>` if you want
133+
to disallow access based on ``$_GET`` parameter values.
134+
130135
.. _security-access-control-enforcement-options:
131136

132137
2. Access Enforcement
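
Review bot: The caution's first sentence (new line 131) names the PHP superglobal ``$_GET`` where the text it replaces said "``GET`` parameters", and it does not say which option is affected. Something like "The ``path`` option is matched against the URI without its query string" ties it to the ``path`` values the table above refers to and avoids suggesting the superglobal is involved. It would also help to state the consequence directly: an ``access_control`` entry cannot allow or deny a request based on a query parameter, so that check has to live in the controller, which is what the ``security-securing-controller`` reference points to.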
