[HttpKernel] Add ControllerResolver::allowControllers() to define whi…

[nicolas-grekas]

Q	A
Feature PR	symfony/symfony#52471
PR author(s)	@nicolas-grekas
Merged in	6.4

We created this issue to not forget to document this new feature. We would really appreciate if you can help us with this task. If you are not sure how to do it, please ask us and we will help you.

To fix this issue, please create a PR against the 6.4 branch in the symfony-docs repository.

Thank you! 😃

[alexandre-daubois]

It could be added here: https://symfony.com/doc/current/components/http_kernel.html#2-resolve-the-controller. But it seems really internal.

That's why, I'm not 100% sure it has its place in the documentation. Moreover, PR's first sentence is "when one doesn't configure properly their APP_SECRET" and I don't know if it is worth documenting a feature useful when somebody misconfigured its app? 🤔

[dkarlovi]

@alexandre-daubois

I don't know if it is worth documenting a feature useful when somebody misconfigured its app?

Misconfiguring the app is a fact of life, not some Neverland, it does and will happen. Explaining what happens and how to fix common mistakes doesn't seem like it would be out of place in the docs.

[alexandre-daubois]

I agree, but we cannot document everything that may go wrong. But it's a new feature so it could be worth mentioning it. Where would you add this, and how if you have an idea? Because I have no clue here on how to add this 😕

[dkarlovi]

The purpose of this feature is to create a sort of "allow list" of what Symfony considers to be a "controller". Up until now, any callable is a controller which is not a good default, this feature allows you to sort of "double opt-in" to say

Yes, this callable is honestly, truly a controller, cross my heart.

Any controller marked with the AsController or extending AbstractController will automagically get added to this list (AFAIK). The main audience for this doc update would be people who have controllers which for some reason don't match either of those two, they need to do additional work to mark their controllers as real controllers.

So, I'd say this belongs to wherever Symfony Docs is defining what "a controller" is and how do add one.

[alexandre-daubois]

@javiereguiluz that may belong to your addition here 🙂

[carsonbot]

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

[carsonbot]

Hello? This issue is about to be closed if nobody replies.

[carsonbot]

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!

[javiereguiluz]

Let's reopen because this was never documented.

[nicolas-grekas]

I think this could be nicely documented in http_cache/esi.rst, section _http_cache-fragments, since FramentListener is the only place where _check_controller_is_allowed is turned on. Next to where we tell about signing I'd say since all this is related to security hardening.