Is it a good idea to check in the controller that the object returned by getUser() of the security.context service is actually an object of my custom user class?
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

public function editAction()
{
    $user = $this->container->get('security.context')->getToken()->getUser();
    // Reject anything that is not an instance of my own user class
    if (!is_object($user) || !$user instanceof \Acme\UserBundle\User) {
        throw new AccessDeniedException("This user doesn't have access");
    }
    // work with $user
    // ....
}
The only thing that is guaranteed is that getUser() returns an object that implements Symfony\Component\Security\Core\User\UserInterface, nothing else, right?
This means that the controller may potentially receive any type of object (an anonymous token, maybe), so if I pass the object directly (without checking it) to the view, which subsequently calls {{ user.biography }}, which is implemented only in the Acme\UserBundle\User class, I'd be making an error?
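An added example, not code from the question, of one way to centralise this check so the template only ever sees the custom user class. It also covers the case the question hints at: in Symfony 2 an AnonymousToken's getUser() returns the string "anon.", not an object, and a missing token is possible when the route sits outside any firewall. The controller and template names (ProfileController, AcmeUserBundle:Profile:edit.html.twig) are assumptions; Acme\UserBundle\User is the class from the question.

```php
<?php
// Added example (not from the question). ProfileController and the template
// name are hypothetical; Acme\UserBundle\User is the class named in the question.
namespace Acme\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Acme\UserBundle\User;

class ProfileController extends Controller
{
    /**
     * Return the authenticated Acme user, or throw AccessDeniedException.
     *
     * getToken()->getUser() is not guaranteed to be an object: an
     * AnonymousToken carries the string "anon.", and a custom user provider
     * may return any other UserInterface implementation. Only an instance of
     * our own class is safe to hand to templates that read its fields.
     */
    private function requireAcmeUser()
    {
        $token = $this->container->get('security.context')->getToken();
        if (null === $token) {
            // No token at all: the request did not go through a firewall.
            throw new AccessDeniedException('No security token available');
        }

        $user = $token->getUser();
        // instanceof is false for the "anon." string as well as for foreign
        // UserInterface objects, so a separate is_object() check is not needed.
        if (!$user instanceof User) {
            throw new AccessDeniedException('An authenticated Acme user is required');
        }

        return $user;
    }

    public function editAction()
    {
        $user = $this->requireAcmeUser();

        // Only now is it safe to pass $user to a template that evaluates
        // {{ user.biography }}, which exists only on Acme\UserBundle\User.
        return $this->render('AcmeUserBundle:Profile:edit.html.twig', array(
            'user' => $user,
        ));
    }
}
```

The helper throws the same AccessDeniedException the question's code does, so the firewall's entry point (login redirect or 403) handles the failure uniformly, and every action that needs the custom class reuses one check instead of repeating the instanceof test.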