[Security] Add an abstract voter

lyrixx · lyrixx · commit 2fb4f3d86fe7 · 2015-11-19T15:20:40.000+01:00
diff --git a/UPGRADE-2.8.md b/UPGRADE-2.8.md
@@ -442,7 +442,7 @@ FrameworkBundle
 Security
 --------
 
- * The AbstractToken::isGranted() method was deprecated. Instead,
+ * The `AbstractVoter::isGranted()` method was deprecated. Instead,
    override the voteOnAttribute() method. This method has one small
    difference: it's passed the TokenInterface instead of the user:
 
@@ -475,6 +475,8 @@ Security
    }
    ```
 
+ * The `AbstractVoter` is deprecated. Use `Voter` instead.
+
 Config
 ------
 
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php
@@ -11,13 +11,18 @@
 
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
+@trigger_error('The '.__NAMESPACE__.'\AbstractVoter class is deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead.', E_USER_DEPRECATED);
+
+
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
 /**
  * Abstract Voter implementation that reduces boilerplate code required to create a custom Voter.
  *
  * @author Roman Marintšenko <inoryy@gmail.com>
+ *
+ * @deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead
  */
 abstract class AbstractVoter implements VoterInterface
 {
@@ -92,7 +97,7 @@ public function vote(TokenInterface $token, $object, array $attributes)
      * This method will become abstract in 3.0.
      *
      * @param string $attribute An attribute
-     * @param string $object    The object to secure
+     * @param object $object    The object to secure
      *
      * @return bool True if the attribute and object is supported, false otherwise
      */
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php
@@ -0,0 +1,85 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+/**
+ * Voter is an abstract default implementation of a voter.
+ *
+ * @author Grégoire Pineau <lyrixx@lyrixx.info>
+ */
+abstract class Voter implements VoterInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function supportsAttribute($attribute)
+    {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function supportsClass($class)
+    {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function vote(TokenInterface $token, $subject, array $attributes)
+    {
+        // abstain vote by default in case none of the attributes are supported
+        $vote = self::ACCESS_ABSTAIN;
+
+        foreach ($attributes as $attribute) {
+            if (!$this->supports($attribute, $subject)) {
+                continue;
+            }
+
+            // as soon as at least one attribute is supported, default is to
+            // deny access
+            $vote = self::ACCESS_DENIED;
+
+            if ($this->voteOnAttribute($attribute, $subject, $token)) {
+                // grant access as soon as at least one voter returns a positive
+                // response
+                return self::ACCESS_GRANTED;
+            }
+        }
+
+        return $vote;
+    }
+
+    /**
+     * Determines if the attribute and subject are supported by this voter.
+     *
+     * @param string $attribute An attribute
+     * @param string $subject   The subject to secure
+     *
+     * @return bool True if the attribute and subject is supported, false otherwise
+     */
+    abstract protected function supports($attribute, $subject);
+
+    /**
+     * Perform a single access check operation on a given attribute, subject and
+     * token.
+     *
+     * @param string         $attribute
+     * @param mixed          $subject
+     * @param TokenInterface $token
+     *
+     * @return bool
+     */
+    abstract protected function voteOnAttribute($attribute, $subject, TokenInterface $token);
+}
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php b/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php
@@ -53,10 +53,10 @@ public function supportsClass($class);
      * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
      *
      * @param TokenInterface $token      A TokenInterface instance
-     * @param object|null    $object     The object to secure
+     * @param mixed          $subject    The subject to secure
      * @param array          $attributes An array of attributes associated with the method being invoked
      *
      * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
      */
-    public function vote(TokenInterface $token, $object, array $attributes);
+    public function vote(TokenInterface $token, $subject, array $attributes);
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/VoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/VoterTest.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authorization\Voter;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+class VoterTest extends \PHPUnit_Framework_TestCase
+{
+    protected $token;
+
+    protected function setUp()
+    {
+        $this->token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
+    }
+
+    public function getTests()
+    {
+        return array(
+            array(array('EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if attribute and class are supported and attribute grants access'),
+            array(array('CREATE'), VoterInterface::ACCESS_DENIED, new \stdClass(), 'ACCESS_DENIED if attribute and class are supported and attribute does not grant access'),
+
+            array(array('DELETE', 'EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if one attribute is supported and grants access'),
+            array(array('DELETE', 'CREATE'), VoterInterface::ACCESS_DENIED, new \stdClass(), 'ACCESS_DENIED if one attribute is supported and denies access'),
+
+            array(array('CREATE', 'EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if one attribute grants access'),
+
+            array(array('DELETE'), VoterInterface::ACCESS_ABSTAIN, new \stdClass(), 'ACCESS_ABSTAIN if no attribute is supported'),
+
+            array(array('EDIT'), VoterInterface::ACCESS_ABSTAIN, $this, 'ACCESS_ABSTAIN if class is not supported'),
+
+            array(array('EDIT'), VoterInterface::ACCESS_ABSTAIN, null, 'ACCESS_ABSTAIN if object is null'),
+
+            array(array(), VoterInterface::ACCESS_ABSTAIN, new \stdClass(), 'ACCESS_ABSTAIN if no attributes were provided'),
+        );
+    }
+
+    /**
+     * @dataProvider getTests
+     */
+    public function testVote(array $attributes, $expectedVote, $object, $message)
+    {
+        $voter = new AbstractVoterTest_Voter();
+
+        $this->assertEquals($expectedVote, $voter->vote($this->token, $object, $attributes), $message);
+    }
+}
+
+class AbstractVoterTest_Voter extends Voter
+{
+    protected function voteOnAttribute($attribute, $object, TokenInterface $token)
+    {
+        return 'EDIT' === $attribute;
+    }
+
+    protected function supports($attribute, $object)
+    {
+        return $object instanceof \stdClass && in_array($attribute, array('EDIT', 'CREATE'));
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,18 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Core\Authorization\Voter;`
`13`	`13`
	`14`	`+@trigger_error('The '.__NAMESPACE__.'\AbstractVoter class is deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead.', E_USER_DEPRECATED);`
	`15`	`+`
	`16`	`+`
`14`	`17`	`use Symfony\Component\Security\Core\User\UserInterface;`
`15`	`18`	`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
`16`	`19`
`17`	`20`	`/**`
`18`	`21`	`* Abstract Voter implementation that reduces boilerplate code required to create a custom Voter.`
`19`	`22`	`*`
`20`	`23`	`* @author Roman Marintšenko <[email protected]>`
	`24`	`+ *`
	`25`	`+ * @deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead`
`21`	`26`	`*/`
`22`	`27`	`abstract class AbstractVoter implements VoterInterface`
`23`	`28`	`{`
`@@ -92,7 +97,7 @@ public function vote(TokenInterface $token, $object, array $attributes)`
`92`	`97`	`* This method will become abstract in 3.0.`
`93`	`98`	`*`
`94`	`99`	`* @param string $attribute An attribute`
`95`		`- * @param string $object The object to secure`
	`100`	`+ * @param object $object The object to secure`
`96`	`101`	`*`
`97`	`102`	`* @return bool True if the attribute and object is supported, false otherwise`
`98`	`103`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,10 @@ public function supportsClass($class);`
`53`	`53`	`* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.`
`54`	`54`	`*`
`55`	`55`	`* @param TokenInterface $token A TokenInterface instance`
`56`		`- * @param object\|null $object The object to secure`
	`56`	`+ * @param mixed $subject The subject to secure`
`57`	`57`	`* @param array $attributes An array of attributes associated with the method being invoked`
`58`	`58`	`*`
`59`	`59`	`* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED`
`60`	`60`	`*/`
`61`		`- public function vote(TokenInterface $token, $object, array $attributes);`
	`61`	`+ public function vote(TokenInterface $token, $subject, array $attributes);`
`62`	`62`	`}`