[Security] Fix infinite loop when token storage has no token #37314
Conversation
How do you render a login page without allowing anonymous access? |
|
Any problem to render a login page occurs only if the login page is covered by a security rule (voter, access_control...) isn't it ? |
|
I fear this change will break the behavior of apps that expect the session to be started when an access listener is enabled. |
|
I'm not totally sure what the changes of this PR result in (I can't test it atm), so please ignore me if I'm understanding it completely wrong😅. If this PR means that the only routes that are secured are the ones behind an |
|
@nicolas-grekas I'm not sure to get the use-case. This change should only affect configurations where anonymous mode is disabled (but maybe I miss something). Is there other cases where @wouterj I'm agree with your thoughts and indeed if this PR breaks the current behavior, it should be closed. But (as far as I understand) the authentication mechanism (triggered by But maybe I miss an important part of how the component work. In that case your knowledge on this is very welcome :))) |
|
I don't think this PR is correct. I did a similar change in #37314, and it was reverted in #34358 to fix #34357. See #34358 (comment) Closing therefor. Dunno about the infinite loop (it's a configuration issue in the first place, isn't it?) |
When token storage is empty (anonymous not enabled in the config of the fullstack framework) and when we try to access to a page covered by an access control rule, an infinite loop is triggered:
This PR aims to fix that behavior.