Skip to content

Allow a whitelist of errors to be shown when showerrors is true#2521

Closed
monkeyiq wants to merge 4 commits intosimplesamlphp:simplesamlphp-2.5from
monkeyiq:2025/oct/limited-show-errors
Closed

Allow a whitelist of errors to be shown when showerrors is true#2521
monkeyiq wants to merge 4 commits intosimplesamlphp:simplesamlphp-2.5from
monkeyiq:2025/oct/limited-show-errors

Conversation

@monkeyiq
Copy link
Copy Markdown
Contributor

@monkeyiq monkeyiq commented Oct 6, 2025

If this whitelist is not used then all errors are shown if showerrors is true. If you use this new option then you have to list every error you would like to be shown to the user with a description and backtrace.

This was raised in
#2513

@monkeyiq
Allow a whitelist of errors to be shown when showerrors is true
f347374 
If this whitelist is not used then all errors are shown if showerrors
is true. If you use this new option then you have to list every error
you would like to be shown to the user with a description and
backtrace.

This was raised in
simplesamlphp#2513
@monkeyiq monkeyiq mentioned this pull request Oct 6, 2025
Merged
@tvdijen
Copy link
Copy Markdown
Member

tvdijen commented Oct 6, 2025

I don't think we need yet another configuration option.. All these errors have one thing in common; they decent from \SimpleSAML\Error\Error .. Let's use that to our advantage

@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Oct 7, 2025

In this PR I have attempted to allow the admin to select which of the exceptions will have the message and backtrace shown to the user. This is to provide a grey scale between turning showerrors=false (nothing) and showerrors=true (everything).

If there are other ways to allow this to be configured I am very happy to discuss them

mingsong-hu
mingsong-hu reviewed Oct 14, 2025
View reviewed changes
Comment thread src/SimpleSAML/Error/Error.php
mingsong-hu
mingsong-hu reviewed Oct 14, 2025
View reviewed changes
Comment thread src/SimpleSAML/Error/Error.php
@monkeyiq
include default as default config.php.dist setting
9442687 
explain that if an error is missing in the list then it will not have
a backtrace by default
@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Oct 20, 2025

The intent of the PR is to not change behaviour by default. If you use the new config.php setting then you can explicitly cherry pick which errors will be shown with detailed messages.

@monkeyiq monkeyiq mentioned this pull request Oct 20, 2025
Merged
@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Oct 20, 2025

I am moving this over to master. I think it is useful to have as it explicitly allows the list of which errors will be filtered through to the user. The admin might wish to allow some errors to permeate while others can be kept silent from the user. It also allows for specific errors to be hidden if they are seen to be problematic while leaving the remainder of the system as it as rather than shutting off all errors in a single option.

If people don't want the complexity then they can safely ignore the option and set showerrors=true or showerrors=false and either swing the big axe or not as in 2.4.

@monkeyiq monkeyiq closed this Oct 20, 2025
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Jan 19, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@mingsong-hu mingsong-hu mingsong-hu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@monkeyiq @tvdijen @mingsong-hu