I am using Sulu CMF and have a custom controller for the sales process on a website. Only logged-in users with a specific security context may access the pages served by the controller, so the controller implements the SecuredControllerInterface.
<?php

use Sulu\Component\Security\SecuredControllerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class SaleController extends AbstractController implements SecuredControllerInterface
{
    /* ... */

    /**
     * Sulu resolves this security context before the action runs and checks the
     * logged-in user's permissions against it; a user without the permission
     * gets an access denied (403) response.
     * (The interface also requires getLocale(Request $request), elided here as in
     * the original post.)
     */
    public function getSecurityContext()
    {
        return 'private_sale.sale.purchase';
    }

    /* ... */
}
When a logged-in user browses a page managed by this controller and does not have the respective permissions, the server responds with a 403 page.
Is there a way to redirect the user to another page instead of returning a 403?
That would be incorrect behavior.
403 means "not authorized", which translates to: You are logged in, and I know who you are; but you do not have access to this content.
401 means "not authenticated", which translates to: I don't know who you are, you need to log in to continue.
Only in the second case would it make sense to redirect to the login page.
You want to redirect to the login page on 401, and show "not authorized" on 403.
If a non-authenticated user is reaching the controller, and you are checking for authorization there, then you have a different issue, and you should configure it so that only fully authenticated users can access the page.
Then non-authenticated users would get a 401 (and be redirected to the login page by Symfony directly), and authenticated but non-authorized users would get the 403 response, correctly.
And if you want, on your 403 page you can show whatever is pertinent. You can customize it using these instructions: https://docs.sulu.io/en/2.5/cookbook/custom-error-page.html
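The split the answer describes (anonymous requests sent to the login form by the firewall, authenticated users without the permission getting a 403) is set up in Symfony's security configuration, not in the controller. The following is an added example to illustrate that setup; it is not from the original post, from Sulu's documentation or from the project's own configuration. The firewall name "website", the URL prefix ^/private-sale and the route name sulu_community.login are assumptions for illustration; the access_control rule and the IS_AUTHENTICATED_FULLY / PUBLIC_ACCESS attributes are standard Symfony.

```yaml
# config/packages/security.yaml (added example, not the project's own config;
# "website", ^/private-sale and sulu_community.login are assumed names)
security:
    firewalls:
        website:
            pattern: ^/
            lazy: true                  # only load the user when a rule actually needs it
            form_login:
                login_path: sulu_community.login
                check_path: sulu_community.login
            # The entry point is what "redirect to login" means in practice: when an
            # access rule on this firewall fails for a request that carries no
            # authenticated user, Symfony invokes it and it issues the redirect
            # to login_path instead of rendering an error.
            entry_point: form_login

    access_control:
        # Anonymous requests to the sales pages never reach SaleController: the
        # rule fails, the request is not fully authenticated, so the firewall's
        # entry point redirects it to the login form.
        - { path: ^/private-sale, roles: IS_AUTHENTICATED_FULLY }
        # Everything else on the site stays public.
        - { path: ^/, roles: PUBLIC_ACCESS }
```

With this in place, a request to the sales pages from an authenticated user does reach the controller, and it is Sulu's check of getSecurityContext() that decides between running the action and returning the 403. To show something more helpful than the default error page to that user, override the 403 template at the standard Symfony location, templates/bundles/TwigBundle/Exception/error403.html.twig, as described in the linked cookbook page.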