New in Symfony 3.1: Improved the Security Profiler Panel
April 14, 2016 • Published by Javier Eguiluz
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
The Symfony Profiler (and the web debug toolbar) are the most useful tools to check out what's going on during the execution of your application. Most of the profiler panels provide lots of information, except one of them: the security panel.
This is how the current security panel looks for the Symfony Demo application:
You can see the username of the logged in user, their roles, the token class and that's all. Considering that the Symfony Security component is a complex beast, you may be wondering where's all the information missing in that panel.
In Symfony 3.1 we decided to update this panel to provide much more information. First, we'll list the security voters active in your application and the voting strategy used:
In addition, we now log all the voting decisions made during the rendering of the page. Consider for example the Symfony Demo page that renders a single blog post. In the base template, the application checks whether the user is an admin:
{% if is_granted('ROLE_ADMIN') %}
<a href="{{ path('admin_post_index') }}">...</a>
{% endif %}
In addition, the template that renders the blog post checks whether the user is logged in to decide if they can post comments:
{% if is_granted('IS_AUTHENTICATED_FULLY') %}
{{ render(controller('AppBundle:Blog:commentForm', { id: post.id })) }}
{% else %}
...
{% endif %}
These security checks performed with the is_granted() helper are now logged and displayed in the security panel to help you debug any issue:
In this simple example, the object is always null and the attribute is just a string, but the profiler supports any kind of object or data type and multiple attributes too. Besides, they are always properly formatted to improve your productivity:
The Symfony Demo application only makes security decisions in the templates with the is_granted() helper, but if your application uses the isGranted() method in your PHP code, those decisions will also be logged.
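As an added example (not code from the original post or from the Symfony Demo), this is the kind of PHP-side check described above: one decision with a non-null object handled by a custom voter, and one plain role check. PostVoter, PostController, the 'edit' attribute and Post::getAuthorEmail() are hypothetical names, and an AppBundle\Entity\Post entity is assumed to exist.

```php
<?php
// Added illustration, not Symfony Demo code. PostVoter, PostController, the
// 'edit' attribute and Post::getAuthorEmail() are hypothetical names.
namespace AppBundle\Security;

use AppBundle\Entity\Post;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

class PostVoter extends Voter
{
    // Vote only on 'edit' for Post subjects; abstain on everything else.
    protected function supports($attribute, $subject)
    {
        return 'edit' === $attribute && $subject instanceof Post;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        // Anonymous tokens carry a string, not a user object: deny those.
        // Assumes the author's email doubles as the username.
        return $user instanceof UserInterface
            && $subject->getAuthorEmail() === $user->getUsername();
    }
}

// Would live in its own file: src/AppBundle/Controller/PostController.php
namespace AppBundle\Controller;

use AppBundle\Entity\Post;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class PostController extends Controller
{
    public function editAction($id)
    {
        $post = $this->getDoctrine()->getRepository(Post::class)->find($id);
        if (null === $post) {
            throw $this->createNotFoundException();
        }
        // Decision with an attribute and a non-null object (the Post).
        $this->denyAccessUnlessGranted('edit', $post);
        // Same decision as is_granted('ROLE_ADMIN') in Twig, made from PHP.
        $isAdmin = $this->isGranted('ROLE_ADMIN');
        return new Response($isAdmin ? 'Editing as admin' : 'Editing as author');
    }
}
```

In Symfony 3.1 the voter must be registered as a service tagged security.voter before it takes part in decisions.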
Combining all these new features, this is how the screenshot shown at the beginning of this article will look in Symfony 3.1: