minor #47144 [Security] Remove using multiple attributes with #[IsGranted] (HypeMC)

nicolas-grekas · nicolas-grekas · commit 445f0f1036ca · 2022-08-02T09:48:18.000+02:00
This PR was merged into the 6.2 branch. Discussion ---------- [Security] Remove using multiple attributes with #[IsGranted] | Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #46978 (comment) | License | MIT | Doc PR | - Passing multiple attributes to `isGranted()` has been removed in #33584, so the following doesn't work any more: ```php #[IsGranted(attributes: ['ROLE_ADMIN'])] public function index(Post $post) { } #[IsGranted(attributes: ['ROLE_USER', 'ROLE_ADMIN'])] public function index(Post $post) { } ``` As mentioned in sensiolabs/SensioFrameworkExtraBundle#648 , expressions should be used instead, see #46978 . This PR removes the possibility of using multiple attributes with `#[IsGranted]`. Also, it's currently possible to use `#[IsGranted()]` with no attributes (`null`). Since this doesn't seem to work either, nor can I find a reason why it even should, this PR removes that option as well. If I'm wrong about this one, please let me know. Commits ------- 663dc3e [Security] Remove using multiple attributes with #[IsGranted]
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsGranted.php b/src/Symfony/Component/Security/Http/Attribute/IsGranted.php
@@ -21,7 +21,7 @@ public function __construct(
         /**
          * Sets the first argument that will be passed to isGranted().
          */
-        public array|string|null $attributes = null,
+        public string $attribute,
 
         /**
          * Sets the second argument passed to isGranted().
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
@@ -60,15 +60,15 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event)
                 }
             }
 
-            if (!$this->authChecker->isGranted($attribute->attributes, $subject)) {
+            if (!$this->authChecker->isGranted($attribute->attribute, $subject)) {
                 $message = $attribute->message ?: sprintf('Access Denied by #[IsGranted(%s)] on controller', $this->getIsGrantedString($attribute));
 
                 if ($statusCode = $attribute->statusCode) {
                     throw new HttpException($statusCode, $message);
                 }
 
                 $accessDeniedException = new AccessDeniedException($message);
-                $accessDeniedException->setAttributes($attribute->attributes);
+                $accessDeniedException->setAttributes($attribute->attribute);
                 $accessDeniedException->setSubject($subject);
 
                 throw $accessDeniedException;
@@ -83,11 +83,13 @@ public static function getSubscribedEvents(): array
 
     private function getIsGrantedString(IsGranted $isGranted): string
     {
-        $attributes = array_map(fn ($attribute) => '"'.$attribute.'"', (array) $isGranted->attributes);
-        $argsString = 1 === \count($attributes) ? reset($attributes) : '['.implode(', ', $attributes).']';
+        $processValue = fn ($value) => sprintf('"%s"', $value);
 
-        if (null !== $isGranted->subject) {
-            $argsString .= ', "'.implode('", "', (array) $isGranted->subject).'"';
+        $argsString = $processValue($isGranted->attribute);
+
+        if (null !== $subject = $isGranted->subject) {
+            $subject = array_map($processValue, (array) $subject);
+            $argsString .= ', '.(1 === \count($subject) ? reset($subject) : '['.implode(', ', $subject).']');
         }
 
         return $argsString;
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -208,18 +208,15 @@ public function testExceptionWhenMissingSubjectAttribute()
     /**
      * @dataProvider getAccessDeniedMessageTests
      */
-    public function testAccessDeniedMessages(array $attributes, ?string $subject, string $method, string $expectedMessage)
+    public function testAccessDeniedMessages(string $attribute, string|array|null $subject, string $method, int $numOfArguments, string $expectedMessage)
     {
         $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
         $authChecker->expects($this->any())
             ->method('isGranted')
             ->willReturn(false);
 
         // avoid the error of the subject not being found in the request attributes
-        $arguments = [];
-        if (null !== $subject) {
-            $arguments[] = 'bar';
-        }
+        $arguments = array_fill(0, $numOfArguments, 'bar');
 
         $listener = new IsGrantedAttributeListener($authChecker);
 
@@ -236,9 +233,9 @@ public function testAccessDeniedMessages(array $attributes, ?string $subject, st
             $this->fail();
         } catch (AccessDeniedException $e) {
             $this->assertSame($expectedMessage, $e->getMessage());
-            $this->assertSame($attributes, $e->getAttributes());
+            $this->assertSame([$attribute], $e->getAttributes());
             if (null !== $subject) {
-                $this->assertSame('bar', $e->getSubject());
+                $this->assertSame($subject, $e->getSubject());
             } else {
                 $this->assertNull($e->getSubject());
             }
@@ -247,9 +244,9 @@ public function testAccessDeniedMessages(array $attributes, ?string $subject, st
 
     public function getAccessDeniedMessageTests()
     {
-        yield [['ROLE_ADMIN'], null, 'admin', 'Access Denied by #[IsGranted("ROLE_ADMIN")] on controller'];
-        yield [['ROLE_ADMIN', 'ROLE_USER'], null, 'adminOrUser', 'Access Denied by #[IsGranted(["ROLE_ADMIN", "ROLE_USER"])] on controller'];
-        yield [['ROLE_ADMIN', 'ROLE_USER'], 'product', 'adminOrUserWithSubject', 'Access Denied by #[IsGranted(["ROLE_ADMIN", "ROLE_USER"], "product")] on controller'];
+        yield ['ROLE_ADMIN', null, 'admin', 0, 'Access Denied by #[IsGranted("ROLE_ADMIN")] on controller'];
+        yield ['ROLE_ADMIN', 'bar', 'withSubject', 2, 'Access Denied by #[IsGranted("ROLE_ADMIN", "arg2Name")] on controller'];
+        yield ['ROLE_ADMIN', ['arg1Name' => 'bar', 'arg2Name' => 'bar'], 'withSubjectArray', 2, 'Access Denied by #[IsGranted("ROLE_ADMIN", ["arg1Name", "arg2Name"])] on controller'];
     }
 
     public function testNotFoundHttpException()
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeController.php
@@ -13,10 +13,10 @@
 
 use Symfony\Component\Security\Http\Attribute\IsGranted;
 
-#[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'])]
+#[IsGranted(attribute: 'ROLE_USER')]
 class IsGrantedAttributeController
 {
-    #[IsGranted(attributes: ['ROLE_ADMIN'])]
+    #[IsGranted(attribute: 'ROLE_ADMIN')]
     public function foo()
     {
     }
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php
@@ -19,42 +19,27 @@ public function noAttribute()
     {
     }
 
-    #[IsGranted()]
-    public function emptyAttribute()
-    {
-    }
-
-    #[IsGranted(attributes: 'ROLE_ADMIN')]
+    #[IsGranted(attribute: 'ROLE_ADMIN')]
     public function admin()
     {
     }
 
-    #[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'])]
-    public function adminOrUser()
-    {
-    }
-
-    #[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'], subject: 'product')]
-    public function adminOrUserWithSubject($product)
-    {
-    }
-
-    #[IsGranted(attributes: 'ROLE_ADMIN', subject: 'arg2Name')]
+    #[IsGranted(attribute: 'ROLE_ADMIN', subject: 'arg2Name')]
     public function withSubject($arg1Name, $arg2Name)
     {
     }
 
-    #[IsGranted(attributes: 'ROLE_ADMIN', subject: ['arg1Name', 'arg2Name'])]
+    #[IsGranted(attribute: 'ROLE_ADMIN', subject: ['arg1Name', 'arg2Name'])]
     public function withSubjectArray($arg1Name, $arg2Name)
     {
     }
 
-    #[IsGranted(attributes: 'ROLE_ADMIN', subject: 'non_existent')]
+    #[IsGranted(attribute: 'ROLE_ADMIN', subject: 'non_existent')]
     public function withMissingSubject()
     {
     }
 
-    #[IsGranted(attributes: 'ROLE_ADMIN', statusCode: 404, message: 'Not found')]
+    #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Not found', statusCode: 404)]
     public function notFound()
     {
     }

Original file line number	Diff line number	Diff line change
`@@ -60,15 +60,15 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event)`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
`63`		`- if (!$this->authChecker->isGranted($attribute->attributes, $subject)) {`
	`63`	`+ if (!$this->authChecker->isGranted($attribute->attribute, $subject)) {`
`64`	`64`	`$message = $attribute->message ?: sprintf('Access Denied by #[IsGranted(%s)] on controller', $this->getIsGrantedString($attribute));`
`65`	`65`
`66`	`66`	`if ($statusCode = $attribute->statusCode) {`
`67`	`67`	`throw new HttpException($statusCode, $message);`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`$accessDeniedException = new AccessDeniedException($message);`
`71`		`- $accessDeniedException->setAttributes($attribute->attributes);`
	`71`	`+ $accessDeniedException->setAttributes($attribute->attribute);`
`72`	`72`	`$accessDeniedException->setSubject($subject);`
`73`	`73`
`74`	`74`	`throw $accessDeniedException;`
`@@ -83,11 +83,13 @@ public static function getSubscribedEvents(): array`
`83`	`83`
`84`	`84`	`private function getIsGrantedString(IsGranted $isGranted): string`
`85`	`85`	`{`
`86`		`- $attributes = array_map(fn ($attribute) => '"'.$attribute.'"', (array) $isGranted->attributes);`
`87`		`- $argsString = 1 === \count($attributes) ? reset($attributes) : '['.implode(', ', $attributes).']';`
	`86`	`+ $processValue = fn ($value) => sprintf('"%s"', $value);`
`88`	`87`
`89`		`- if (null !== $isGranted->subject) {`
`90`		`- $argsString .= ', "'.implode('", "', (array) $isGranted->subject).'"';`
	`88`	`+ $argsString = $processValue($isGranted->attribute);`
	`89`	`+`
	`90`	`+ if (null !== $subject = $isGranted->subject) {`
	`91`	`+ $subject = array_map($processValue, (array) $subject);`
	`92`	`+ $argsString .= ', '.(1 === \count($subject) ? reset($subject) : '['.implode(', ', $subject).']');`
`91`	`93`	`}`
`92`	`94`
`93`	`95`	`return $argsString;`
Original file line number	Diff line number	Diff line change
`@@ -13,10 +13,10 @@`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Http\Attribute\IsGranted;`
`15`	`15`
`16`		`-#[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'])]`
	`16`	`+#[IsGranted(attribute: 'ROLE_USER')]`
`17`	`17`	`class IsGrantedAttributeController`
`18`	`18`	`{`
`19`		`- #[IsGranted(attributes: ['ROLE_ADMIN'])]`
	`19`	`+ #[IsGranted(attribute: 'ROLE_ADMIN')]`
`20`	`20`	`public function foo()`
`21`	`21`	`{`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,42 +19,27 @@ public function noAttribute()`
`19`	`19`	`{`
`20`	`20`	`}`
`21`	`21`
`22`		`- #[IsGranted()]`
`23`		`- public function emptyAttribute()`
`24`		`- {`
`25`		`- }`
`26`		`-`
`27`		`- #[IsGranted(attributes: 'ROLE_ADMIN')]`
	`22`	`+ #[IsGranted(attribute: 'ROLE_ADMIN')]`
`28`	`23`	`public function admin()`
`29`	`24`	`{`
`30`	`25`	`}`
`31`	`26`
`32`		`- #[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'])]`
`33`		`- public function adminOrUser()`
`34`		`- {`
`35`		`- }`
`36`		`-`
`37`		`- #[IsGranted(attributes: ['ROLE_ADMIN', 'ROLE_USER'], subject: 'product')]`
`38`		`- public function adminOrUserWithSubject($product)`
`39`		`- {`
`40`		`- }`
`41`		`-`
`42`		`- #[IsGranted(attributes: 'ROLE_ADMIN', subject: 'arg2Name')]`
	`27`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', subject: 'arg2Name')]`
`43`	`28`	`public function withSubject($arg1Name, $arg2Name)`
`44`	`29`	`{`
`45`	`30`	`}`
`46`	`31`
`47`		`- #[IsGranted(attributes: 'ROLE_ADMIN', subject: ['arg1Name', 'arg2Name'])]`
	`32`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', subject: ['arg1Name', 'arg2Name'])]`
`48`	`33`	`public function withSubjectArray($arg1Name, $arg2Name)`
`49`	`34`	`{`
`50`	`35`	`}`
`51`	`36`
`52`		`- #[IsGranted(attributes: 'ROLE_ADMIN', subject: 'non_existent')]`
	`37`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', subject: 'non_existent')]`
`53`	`38`	`public function withMissingSubject()`
`54`	`39`	`{`
`55`	`40`	`}`
`56`	`41`
`57`		`- #[IsGranted(attributes: 'ROLE_ADMIN', statusCode: 404, message: 'Not found')]`
	`42`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Not found', statusCode: 404)]`
`58`	`43`	`public function notFound()`
`59`	`44`	`{`
`60`	`45`	`}`