Commit 82db995

feature #35858 [Security] Deprecated ROLE_PREVIOUS_ADMIN (wouterj)
This PR was merged into the 5.1-dev branch.

Discussion
----------

[Security] Deprecated ROLE_PREVIOUS_ADMIN

| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | n/a
| License | MIT
| Doc PR | symfony/symfony-docs#11487

`ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Since #31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason.

I propose to deprecate the `ROLE_PREVIOUS_ADMIN`:

* This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277))
* The role isn't very descriptive
* I don't like having 2 ways of doing exactly the same thing
* While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +`

---

I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role).

Commits
-------

dce55f3 Deprecated ROLE_PREVIOUS_ADMIN
2 parents a4c0bfa + dce55f3 commit 82db995

3 files changed

+17
-1
lines changed

src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php

Lines changed: 4 additions & 0 deletions
@@ -40,6 +40,10 @@ public function vote(TokenInterface $token, $subject, array $attributes)
4040
continue;
4141
}
4242

43+
if ('ROLE_PREVIOUS_ADMIN' === $attribute) {
44+
trigger_deprecation('symfony/security-core', '5.1', 'The ROLE_PREVIOUS_ADMIN role is deprecated and will be removed in version 6.0, use the IS_IMPERSONATOR attribute instead.');
45+
}
46+
4347
$result = VoterInterface::ACCESS_DENIED;
4448
foreach ($roles as $role) {
4549
if ($attribute === $role) {
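
Review bot: the new `if ('ROLE_PREVIOUS_ADMIN' === $attribute)` check only reaches callers that go through `RoleVoter::vote()`, and the change ships with no changelog or upgrade note among its three files. Code that compares role names read directly from the token gets no notice at all, so please add an entry stating that the role is deprecated in 5.1, removed in 6.0 and replaced by `IS_IMPERSONATOR`, and mention there that direct role-name comparisons need a manual search. Because the check sits in the per-attribute path, the notice is also raised on every access decision that names this role, which is worth calling out for applications that fail on deprecations.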

src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php

Lines changed: 11 additions & 0 deletions
@@ -44,6 +44,17 @@ public function getVoteTests()
4444
];
4545
}
4646

47+
/**
48+
* @group legacy
49+
* @expectedDeprecation Since symfony/security-core 5.1: The ROLE_PREVIOUS_ADMIN role is deprecated and will be removed in version 6.0, use the IS_IMPERSONATOR attribute instead.
50+
*/
51+
public function testDeprecatedRolePreviousAdmin()
52+
{
53+
$voter = new RoleVoter();
54+
55+
$voter->vote($this->getTokenWithRoleNames(['ROLE_USER', 'ROLE_PREVIOUS_ADMIN']), null, ['ROLE_PREVIOUS_ADMIN']);
56+
}
57+
4758
protected function getTokenWithRoleNames(array $roles)
4859
{
4960
$token = $this->getMockBuilder(AbstractToken::class)->getMock();
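
Review bot: `testDeprecatedRolePreviousAdmin()` discards the return value of `$voter->vote(...)`, so it proves only that the notice is emitted, not that the authorization outcome is unchanged by the new branch. The token holds the requested role, so assert that the returned vote is `VoterInterface::ACCESS_GRANTED`. A companion case that votes on `ROLE_USER` without the `@expectedDeprecation` annotation would also pin down that other roles do not trigger the notice.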

src/Symfony/Component/Security/Core/composer.json

Lines changed: 2 additions & 1 deletion
@@ -18,7 +18,8 @@
1818
"require": {
1919
"php": "^7.2.5",
2020
"symfony/event-dispatcher-contracts": "^1.1|^2",
21-
"symfony/service-contracts": "^1.1.6|^2"
21+
"symfony/service-contracts": "^1.1.6|^2",
22+
"symfony/deprecation-contracts": "^2.1"
2223
},
2324
"require-dev": {
2425
"psr/container": "^1.0",
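
Review bot: `symfony/deprecation-contracts` is appended after `symfony/service-contracts` in `require`, which breaks the alphabetical order of the visible entries and forces a second changed line just to add the trailing comma. Insert it before `symfony/event-dispatcher-contracts` so the hunk becomes a single added line. Keeping it in `require` rather than `require-dev` is right, since `RoleVoter` now calls `trigger_deprecation()` at runtime.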
