Security separates expected denials from broken security state.
Use AuthorizationResult when a denied permission is normal application flow.

```php
$result = $authorizer->decide($context, 'reports.export');

if ($result->isDenied()) {
    return $result->reason();
}
```

Use authorize() when the caller prefers exceptions.

```php
$authorizer->authorize($context, 'reports.export');
```

Denied access throws AccessDeniedException.
InvalidCsrfTokenException covers:
- invalid token ids or values;
- missing tokens;
- mismatched submitted values;
- expired tokens;
- malformed stored token state;
- invalid token generator configuration.
PasswordHashException wraps hashing and rehash-check configuration failures.
Verification failures are not exceptional; verify() returns false.
PolicyNotFoundException is thrown when code asks for an unregistered policy by name.
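
One way to handle these exception types at a request boundary, as an added example that is not the library's own code. The class declarations are stand-ins so the block runs alone, and `handleSecured`, the status codes and the sample messages are assumptions.

```php
<?php
declare(strict_types=1);

// Stand-in declarations so this runs alone (assumption: the library's real
// namespaces and parent classes are not shown on the page).
class AccessDeniedException extends RuntimeException {}
class InvalidCsrfTokenException extends RuntimeException {}
class PasswordHashException extends RuntimeException {}
class PolicyNotFoundException extends RuntimeException {}

/**
 * Hypothetical boundary helper: runs $action and maps security exceptions
 * to a status code and a client-safe body. Status codes are assumptions.
 */
function handleSecured(callable $action, callable $log): array
{
    try {
        return ['status' => 200, 'body' => (string) $action()];
    } catch (AccessDeniedException $e) {
        // Expected denial: normal outcome, no alert needed.
        return ['status' => 403, 'body' => 'Forbidden'];
    } catch (InvalidCsrfTokenException $e) {
        // Covers bad submissions and malformed stored state or generator
        // configuration alike, so reject the request and keep the detail.
        $log('warning', 'CSRF check failed: ' . $e->getMessage());
        return ['status' => 403, 'body' => 'Invalid or expired form token'];
    } catch (PasswordHashException | PolicyNotFoundException $e) {
        // Broken security state: fail closed, log for operators, and do
        // not echo the exception message to the client.
        $log('critical', get_class($e) . ': ' . $e->getMessage());
        return ['status' => 500, 'body' => 'Internal error'];
    }
}

// Constructed sample actions, one per outcome (requires PHP 8.0+).
$log = static function (string $level, string $message): void {
    error_log("[$level] $message");
};
$cases = [
    'allowed'        => fn () => 'report.csv',
    'denied'         => fn () => throw new AccessDeniedException('reports.export'),
    'csrf'           => fn () => throw new InvalidCsrfTokenException('expired token'),
    'missing policy' => fn () => throw new PolicyNotFoundException('reports'),
    'hash config'    => fn () => throw new PasswordHashException('invalid cost'),
];
foreach ($cases as $name => $action) {
    $response = handleSecured($action, $log);
    printf("%-14s %d %s\n", $name, $response['status'], $response['body']);
}
```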