Symfony 2 the book, Security: Why the additional ROLE_NO_ACCESS in ESI part?
Why is there a need for the ROLE_NO_ACCESS rule in Symfony 2 The Book,
Security link? Shouldn't the access_control work like a whitelist (only
users that pass one of the listed rules can access the path)? I googled a
little and found this link, where Fabien talks about a security hole when
the additional rule in the access_control is missing, but I still don't
quite understand why it is needed. Do I always need to specify a "match all
users and deny" rule as the last one to properly secure a confidential
path?
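For readers of this question, an added illustration (not from the book or the poster): Symfony's access_control is not a whitelist. Rules are evaluated top to bottom, the first rule whose path/ip/host matcher fits the request wins, and a request that matches no rule is not restricted at all. The ESI fragment path `^/_internal` and the IP are assumed values.

```yaml
# Weak configuration: one rule for the ESI fragment path.
# A request from 127.0.0.1 matches the rule (path AND ip) and is allowed.
# A request from any other IP does NOT match this rule (the ip condition
# fails), so no rule applies, and Symfony lets it through unrestricted.
security:
    access_control:
        - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
---
# Corrected configuration: a catch-all deny rule for the same path.
# Requests from 127.0.0.1 still hit the first rule and are allowed.
# Requests from anywhere else fall through to the second rule, which
# requires ROLE_NO_ACCESS; since no user is ever granted that role, the
# access listener denies the request instead of ignoring it.
security:
    access_control:
        - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
        - { path: ^/_internal, roles: ROLE_NO_ACCESS }
```

The role name itself is arbitrary; any role that is never assigned has the same effect, which is why the book uses the self-describing ROLE_NO_ACCESS.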