feature #16754 [Security] allow arbitrary types in VoterInterface::vote() (xabbuh)

fabpot · fabpot · commit 70f7b1cea6dd · 2015-11-30T13:31:43.000+01:00
This PR was merged into the 3.0-dev branch. Discussion ---------- [Security] allow arbitrary types in VoterInterface::vote() | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | #16600 | License | MIT | Doc PR | TODO Commits ------- 9054bdf allow arbitrary types in VoterInterface::vote()
diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md
@@ -615,6 +615,10 @@ UPGRADE FROM 2.x to 3.0
 
 ### Security
 
+ * The `vote()` method from the `VoterInterface` was changed to now accept arbitrary
+   types and not only objects. You can rely on the new abstract `Voter` class introduced
+   in 2.8 to ease integrating your own voters.
+
  * The `Resources/` directory was moved to `Core/Resources/`
 
  * The `key` settings of `anonymous`, `remember_me` and `http_digest` are
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/AuthenticatedVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/AuthenticatedVoter.php
@@ -44,7 +44,7 @@ public function __construct(AuthenticationTrustResolverInterface $authentication
     /**
      * {@inheritdoc}
      */
-    public function vote(TokenInterface $token, $object, array $attributes)
+    public function vote(TokenInterface $token, $subject, array $attributes)
     {
         $result = VoterInterface::ACCESS_ABSTAIN;
         foreach ($attributes as $attribute) {
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php
@@ -52,7 +52,7 @@ public function addExpressionLanguageProvider(ExpressionFunctionProviderInterfac
     /**
      * {@inheritdoc}
      */
-    public function vote(TokenInterface $token, $object, array $attributes)
+    public function vote(TokenInterface $token, $subject, array $attributes)
     {
         $result = VoterInterface::ACCESS_ABSTAIN;
         $variables = null;
@@ -62,7 +62,7 @@ public function vote(TokenInterface $token, $object, array $attributes)
             }
 
             if (null === $variables) {
-                $variables = $this->getVariables($token, $object);
+                $variables = $this->getVariables($token, $subject);
             }
 
             $result = VoterInterface::ACCESS_DENIED;
@@ -74,7 +74,7 @@ public function vote(TokenInterface $token, $object, array $attributes)
         return $result;
     }
 
-    private function getVariables(TokenInterface $token, $object)
+    private function getVariables(TokenInterface $token, $subject)
     {
         if (null !== $this->roleHierarchy) {
             $roles = $this->roleHierarchy->getReachableRoles($token->getRoles());
@@ -85,16 +85,16 @@ private function getVariables(TokenInterface $token, $object)
         $variables = array(
             'token' => $token,
             'user' => $token->getUser(),
-            'object' => $object,
+            'object' => $subject,
             'roles' => array_map(function ($role) { return $role->getRole(); }, $roles),
             'trust_resolver' => $this->trustResolver,
         );
 
         // this is mainly to propose a better experience when the expression is used
         // in an access control rule, as the developer does not know that it's going
         // to be handled by this voter
-        if ($object instanceof Request) {
-            $variables['request'] = $object;
+        if ($subject instanceof Request) {
+            $variables['request'] = $subject;
         }
 
         return $variables;
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php
@@ -35,7 +35,7 @@ public function __construct($prefix = 'ROLE_')
     /**
      * {@inheritdoc}
      */
-    public function vote(TokenInterface $token, $object, array $attributes)
+    public function vote(TokenInterface $token, $subject, array $attributes)
     {
         $result = VoterInterface::ACCESS_ABSTAIN;
         $roles = $this->extractRoles($token);
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php
@@ -24,20 +24,20 @@ abstract class Voter implements VoterInterface
     /**
      * {@inheritdoc}
      */
-    public function vote(TokenInterface $token, $object, array $attributes)
+    public function vote(TokenInterface $token, $subject, array $attributes)
     {
         // abstain vote by default in case none of the attributes are supported
         $vote = self::ACCESS_ABSTAIN;
 
         foreach ($attributes as $attribute) {
-            if (!$this->supports($attribute, $object)) {
+            if (!$this->supports($attribute, $subject)) {
                 continue;
             }
 
             // as soon as at least one attribute is supported, default is to deny access
             $vote = self::ACCESS_DENIED;
 
-            if ($this->voteOnAttribute($attribute, $object, $token)) {
+            if ($this->voteOnAttribute($attribute, $subject, $token)) {
                 // grant access as soon as at least one attribute returns a positive response
                 return self::ACCESS_GRANTED;
             }
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php b/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php
@@ -31,10 +31,10 @@ interface VoterInterface
      * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
      *
      * @param TokenInterface $token      A TokenInterface instance
-     * @param object|null    $object     The object to secure
+     * @param mixed          $subject    The subject to secure
      * @param array          $attributes An array of attributes associated with the method being invoked
      *
      * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
      */
-    public function vote(TokenInterface $token, $object, array $attributes);
+    public function vote(TokenInterface $token, $subject, array $attributes);
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ public function __construct(AuthenticationTrustResolverInterface $authentication`
`44`	`44`	`/**`
`45`	`45`	`* {@inheritdoc}`
`46`	`46`	`*/`
`47`		`- public function vote(TokenInterface $token, $object, array $attributes)`
	`47`	`+ public function vote(TokenInterface $token, $subject, array $attributes)`
`48`	`48`	`{`
`49`	`49`	`$result = VoterInterface::ACCESS_ABSTAIN;`
`50`	`50`	`foreach ($attributes as $attribute) {`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public function __construct($prefix = 'ROLE_')`
`35`	`35`	`/**`
`36`	`36`	`* {@inheritdoc}`
`37`	`37`	`*/`
`38`		`- public function vote(TokenInterface $token, $object, array $attributes)`
	`38`	`+ public function vote(TokenInterface $token, $subject, array $attributes)`
`39`	`39`	`{`
`40`	`40`	`$result = VoterInterface::ACCESS_ABSTAIN;`
`41`	`41`	`$roles = $this->extractRoles($token);`
Original file line number	Diff line number	Diff line change
`@@ -31,10 +31,10 @@ interface VoterInterface`
`31`	`31`	`* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.`
`32`	`32`	`*`
`33`	`33`	`* @param TokenInterface $token A TokenInterface instance`
`34`		`- * @param object\|null $object The object to secure`
	`34`	`+ * @param mixed $subject The subject to secure`
`35`	`35`	`* @param array $attributes An array of attributes associated with the method being invoked`
`36`	`36`	`*`
`37`	`37`	`* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED`
`38`	`38`	`*/`
`39`		`- public function vote(TokenInterface $token, $object, array $attributes);`
	`39`	`+ public function vote(TokenInterface $token, $subject, array $attributes);`
`40`	`40`	`}`