symfony
diff --git a/‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
Lines changed: 26 additions & 5 deletions b/‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
Lines changed: 26 additions & 5 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
Lines changed: 33 additions & 5 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
Lines changed: 33 additions & 5 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/EventListener/VoteListener.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/EventListener/VoteListener.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 6 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 6 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Security.php
Lines changed: 7 additions & 6 deletions b/‎src/Symfony/Bundle/SecurityBundle/Security.php
Lines changed: 7 additions & 6 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecision.php
Lines changed: 56 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecision.php
Lines changed: 56 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
Lines changed: 23 additions & 7 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
Lines changed: 23 additions & 7 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
Lines changed: 4 additions & 3 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
Lines changed: 4 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php
Lines changed: 3 additions & 2 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php
Lines changed: 3 additions & 2 deletions
@@ -12,6 +12,7 @@
 namespace Symfony\Bridge\Twig\Extension;
 
 use Symfony\Component\Security\Acl\Voter\FieldVote;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
@@ -34,7 +35,7 @@ public function __construct(
     ) {
     }
 
-    public function isGranted(mixed $role, mixed $object = null, ?string $field = null): bool
+    public function isGranted(mixed $role, mixed $object = null, ?string $field = null, ?AccessDecision $accessDecision = null): bool
     {
         if (null === $this->securityChecker) {
             return false;
@@ -47,15 +48,23 @@ public function isGranted(mixed $role, mixed $object = null, ?string $field = nu
 
             $object = new FieldVote($object, $field);
         }
+        if (!class_exists(AccessDecision::class)) {
+            try {
+                return $this->securityChecker->isGranted($role, $object);
+            } catch (AuthenticationCredentialsNotFoundException) {
+                return false;
+            }
+        }
+        $accessDecision ??= new AccessDecision();
 
         try {
-            return $this->securityChecker->isGranted($role, $object);
+            return $accessDecision->isGranted = $this->securityChecker->isGranted($role, $object, $accessDecision);
         } catch (AuthenticationCredentialsNotFoundException) {
-            return false;
+            return $accessDecision->isGranted = false;
         }
     }
 
-    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null): bool
+    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null, ?AccessDecision $accessDecision = null): bool
     {
         if (!$this->userSecurityChecker) {
             throw new \LogicException(\sprintf('An instance of "%s" must be provided to use "%s()".', UserAuthorizationCheckerInterface::class, __METHOD__));
@@ -68,8 +77,20 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s
 
             $subject = new FieldVote($subject, $field);
         }
+        if (!class_exists(AccessDecision::class)) {
+            try {
+                return $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject);
+            } catch (AuthenticationCredentialsNotFoundException) {
+                return false;
+            }
+        }
+        $accessDecision ??= new AccessDecision();
 
-        return $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject);
+        try {
+            return $accessDecision->isGranted = $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);
+        } catch (AuthenticationCredentialsNotFoundException) {
+            return $accessDecision->isGranted = false;
+        }
     }
 
     public function getImpersonateExitUrl(?string $exitTo = null): string
 
@@ -35,6 +35,7 @@
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -202,6 +203,21 @@ protected function isGranted(mixed $attribute, mixed $subject = null): bool
         return $this->container->get('security.authorization_checker')->isGranted($attribute, $subject);
     }
 
+    /**
+     * Checks if the attribute is granted against the current authentication token and optionally supplied subject.
+     */
+    protected function getAccessDecision(mixed $attribute, mixed $subject = null): AccessDecision
+    {
+        if (!$this->container->has('security.authorization_checker')) {
+            throw new \LogicException('The SecurityBundle is not registered in your application. Try running "composer require symfony/security-bundle".');
+        }
+
+        $accessDecision = new AccessDecision();
+        $accessDecision->isGranted = $this->container->get('security.authorization_checker')->isGranted($attribute, $subject, $accessDecision);
+
+        return $accessDecision;
+    }
+
     /**
      * Throws an exception unless the attribute is granted against the current authentication token and optionally
      * supplied subject.
@@ -210,12 +226,24 @@ protected function isGranted(mixed $attribute, mixed $subject = null): bool
      */
     protected function denyAccessUnlessGranted(mixed $attribute, mixed $subject = null, string $message = 'Access Denied.'): void
     {
-        if (!$this->isGranted($attribute, $subject)) {
-            $exception = $this->createAccessDeniedException($message);
-            $exception->setAttributes([$attribute]);
-            $exception->setSubject($subject);
+        if (class_exists(AccessDecision::class)) {
+            $accessDecision = $this->getAccessDecision($attribute, $subject);
+            $isGranted = $accessDecision->isGranted;
+        } else {
+            $accessDecision = null;
+            $isGranted = $this->isGranted($attribute, $subject);
+        }
+
+        if (!$isGranted) {
+            $e = $this->createAccessDeniedException(3 > \func_num_args() && $accessDecision ? $accessDecision->getMessage() : $message);
+            $e->setAttributes([$attribute]);
+            $e->setSubject($subject);
+
+            if ($accessDecision) {
+                $e->setAccessDecision($accessDecision);
+            }
 
-            throw $exception;
+            throw $e;
         }
     }
 
 
@@ -138,6 +138,7 @@ public function collect(Request $request, Response $response, ?\Throwable $excep
 
             // collect voter details
             $decisionLog = $this->accessDecisionManager->getDecisionLog();
+
             foreach ($decisionLog as $key => $log) {
                 $decisionLog[$key]['voter_details'] = [];
                 foreach ($log['voterDetails'] as $voterDetail) {
@@ -147,6 +148,7 @@ public function collect(Request $request, Response $response, ?\Throwable $excep
                         'class' => $classData,
                         'attributes' => $voterDetail['attributes'], // Only displayed for unanimous strategy
                         'vote' => $voterDetail['vote'],
+                        'reasons' => $voterDetail['reasons'] ?? [],
                     ];
                 }
                 unset($decisionLog[$key]['voterDetails']);
 
@@ -31,7 +31,7 @@ public function __construct(
 
     public function onVoterVote(VoteEvent $event): void
     {
-        $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote());
+        $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote(), $event->getReasons());
     }
 
     public static function getSubscribedEvents(): array
 
@@ -571,14 +571,17 @@
                                                             {% endif %}
                                                             <td class="font-normal text-small">
                                                                 {% if voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_GRANTED') %}
-                                                                    ACCESS GRANTED
+                                                                    GRANTED
                                                                 {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_ABSTAIN') %}
-                                                                    ACCESS ABSTAIN
+                                                                    ABSTAIN
                                                                 {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_DENIED') %}
-                                                                    ACCESS DENIED
+                                                                    DENIED
                                                                 {% else %}
                                                                     unknown ({{ voter_detail['vote'] }})
                                                                 {% endif %}
+                                                                {% if voter_detail['reasons'] is not empty %}
+                                                                <br>{{ voter_detail['reasons'] | join('<br>') }}
+                                                                {% endif %}
                                                             </td>
                                                         </tr>
                                                     {% endfor %}
 
@@ -17,6 +17,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\LogicException;
@@ -58,10 +59,10 @@ public function getUser(): ?UserInterface
     /**
      * Checks if the attributes are granted against the current authentication token and optionally supplied subject.
      */
-    public function isGranted(mixed $attributes, mixed $subject = null): bool
+    public function isGranted(mixed $attributes, mixed $subject = null, AccessDecision $accessDecision = new AccessDecision()): bool
     {
-        return $this->container->get('security.authorization_checker')
-            ->isGranted($attributes, $subject);
+        return $accessDecision->isGranted = $this->container->get('security.authorization_checker')
+            ->isGranted($attributes, $subject, $accessDecision);
     }
 
     public function getToken(): ?TokenInterface
@@ -154,10 +155,10 @@ public function logout(bool $validateCsrfToken = true): ?Response
      *
      * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.
      */
-    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null): bool
+    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, AccessDecision $accessDecision = new AccessDecision()): bool
     {
-        return $this->container->get('security.user_authorization_checker')
-            ->isGrantedForUser($user, $attribute, $subject);
+        return $accessDecision->isGranted = $this->container->get('security.user_authorization_checker')
+            ->isGrantedForUser($user, $attribute, $subject, $accessDecision);
     }
 
     private function getAuthenticator(?string $authenticatorName, string $firewallName): AuthenticatorInterface
 
@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * Contains the access verdict and all the related votes.
+ *
+ * @author Dany Maillard <[email protected]>
+ * @author Roman JOLY <[email protected]>
+ * @author Nicolas Grekas <[email protected]>
+ */
+final class AccessDecision
+{
+    /**
+     * @var class-string<AccessDecisionStrategyInterface>|string|null
+     */
+    public ?string $strategy = null;
+
+    public bool $isGranted;
+
+    /**
+     * @var Vote[]
+     */
+    public $votes = [];
+
+    public function getMessage(): string
+    {
+        $message = $this->isGranted ? 'Access granted.' : 'Access denied.';
+        $access = $this->isGranted ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_DENIED;
+
+        if ($this->votes) {
+            foreach ($this->votes as $vote) {
+                if ($vote->result !== $access) {
+                    continue;
+                }
+                foreach ($vote->reasons as $reason) {
+                    $message .= ' '.$reason;
+                }
+            }
+        }
+
+        return $message;
+    }
+}
@@ -15,6 +15,8 @@
 use Symfony\Component\Security\Core\Authorization\Strategy\AccessDecisionStrategyInterface;
 use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
 use Symfony\Component\Security\Core\Authorization\Voter\CacheableVoterInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 
@@ -49,35 +51,49 @@ public function __construct(
     /**
      * @param bool $allowMultipleAttributes Whether to allow passing multiple values to the $attributes array
      */
-    public function decide(TokenInterface $token, array $attributes, mixed $object = null, bool $allowMultipleAttributes = false): bool
+    public function decide(TokenInterface $token, array $attributes, mixed $object = null, bool|AccessDecision $accessDecision = new AccessDecision(), bool $allowMultipleAttributes = false): bool
     {
+        if (\is_bool($accessDecision)) {
+            $allowMultipleAttributes = $accessDecision;
+            $accessDecision = new AccessDecision();
+        }
+
         // Special case for AccessListener, do not remove the right side of the condition before 6.0
         if (\count($attributes) > 1 && !$allowMultipleAttributes) {
             throw new InvalidArgumentException(\sprintf('Passing more than one Security attribute to "%s()" is not supported.', __METHOD__));
         }
 
-        return $this->strategy->decide(
-            $this->collectResults($token, $attributes, $object)
+        $accessDecision->strategy = $this->strategy instanceof \Stringable ? $this->strategy : get_debug_type($this->strategy);
+
+        return $accessDecision->isGranted = $this->strategy->decide(
+            $this->collectResults($token, $attributes, $object, $accessDecision)
         );
     }
 
     /**
-     * @return \Traversable<int, int>
+     * @return \Traversable<VoterInterface::ACCESS_*>
      */
-    private function collectResults(TokenInterface $token, array $attributes, mixed $object): \Traversable
+    private function collectResults(TokenInterface $token, array $attributes, mixed $object, AccessDecision $accessDecision): \Traversable
     {
         foreach ($this->getVoters($attributes, $object) as $voter) {
-            $result = $voter->vote($token, $object, $attributes);
+            $vote = new Vote();
+            $result = $voter->vote($token, $object, $attributes, $vote);
+
             if (!\is_int($result) || !(self::VALID_VOTES[$result] ?? false)) {
                 throw new \LogicException(\sprintf('"%s::vote()" must return one of "%s" constants ("ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN"), "%s" returned.', get_debug_type($voter), VoterInterface::class, var_export($result, true)));
             }
 
+            $voter = $voter instanceof TraceableVoter ? $voter->getDecoratedVoter() : $voter;
+            $vote->voter = $voter instanceof \Stringable ? $voter : get_debug_type($voter);
+            $vote->result = $result;
+            $accessDecision->votes[] = $vote;
+
             yield $result;
         }
     }
 
     /**
-     * @return iterable<mixed, VoterInterface>
+     * @return iterable<VoterInterface>
      */
     private function getVoters(array $attributes, $object = null): iterable
     {
 
@@ -23,8 +23,9 @@ interface AccessDecisionManagerInterface
     /**
      * Decides whether the access is possible or not.
      *
-     * @param array $attributes An array of attributes associated with the method being invoked
-     * @param mixed $object     The object to secure
+     * @param array          $attributes     An array of attributes associated with the method being invoked
+     * @param mixed          $object         The object to secure
+     * @param AccessDecision $accessDecision Should be used to explain the decision
      */
-    public function decide(TokenInterface $token, array $attributes, mixed $object = null): bool;
+    public function decide(TokenInterface $token, array $attributes, mixed $object = null/* , AccessDecision $accessDecision = new AccessDecision() */): bool;
 }
@@ -30,14 +30,14 @@ public function __construct(
     ) {
     }
 
-    final public function isGranted(mixed $attribute, mixed $subject = null): bool
+    final public function isGranted(mixed $attribute, mixed $subject = null, AccessDecision $accessDecision = new AccessDecision()): bool
     {
         $token = $this->tokenStorage->getToken();
 
         if (!$token || !$token->getUser()) {
             $token = new NullToken();
         }
 
-        return $this->accessDecisionManager->decide($token, [$attribute], $subject);
+        return $accessDecision->isGranted = $this->accessDecisionManager->decide($token, [$attribute], $subject, $accessDecision);
     }
 }
@@ -21,7 +21,8 @@ interface AuthorizationCheckerInterface
     /**
      * Checks if the attribute is granted against the current authentication token and optionally supplied subject.
      *
-     * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)
+     * @param mixed          $attribute      A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)
+     * @param AccessDecision $accessDecision Should be used to explain the decision
      */
-    public function isGranted(mixed $attribute, mixed $subject = null): bool;
+    public function isGranted(mixed $attribute, mixed $subject = null/* , AccessDecision $accessDecision = new AccessDecision() */): bool;
 }
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public function __construct(`
`31`	`31`
`32`	`32`	`public function onVoterVote(VoteEvent $event): void`
`33`	`33`	`{`
`34`		`- $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote());`
	`34`	`+ $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote(), $event->getReasons());`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`public static function getSubscribedEvents(): array`
Original file line number	Diff line number	Diff line change
`@@ -23,8 +23,9 @@ interface AccessDecisionManagerInterface`
`23`	`23`	`/**`
`24`	`24`	`* Decides whether the access is possible or not.`
`25`	`25`	`*`
`26`		`- * @param array $attributes An array of attributes associated with the method being invoked`
`27`		`- * @param mixed $object The object to secure`
	`26`	`+ * @param array $attributes An array of attributes associated with the method being invoked`
	`27`	`+ * @param mixed $object The object to secure`
	`28`	`+ * @param AccessDecision $accessDecision Should be used to explain the decision`
`28`	`29`	`*/`
`29`		`- public function decide(TokenInterface $token, array $attributes, mixed $object = null): bool;`
	`30`	`+ public function decide(TokenInterface $token, array $attributes, mixed $object = null/* , AccessDecision $accessDecision = new AccessDecision() */): bool;`
`30`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,14 +30,14 @@ public function __construct(`
`30`	`30`	`) {`
`31`	`31`	`}`
`32`	`32`
`33`		`- final public function isGranted(mixed $attribute, mixed $subject = null): bool`
	`33`	`+ final public function isGranted(mixed $attribute, mixed $subject = null, AccessDecision $accessDecision = new AccessDecision()): bool`
`34`	`34`	`{`
`35`	`35`	`$token = $this->tokenStorage->getToken();`
`36`	`36`
`37`	`37`	`if (!$token \|\| !$token->getUser()) {`
`38`	`38`	`$token = new NullToken();`
`39`	`39`	`}`
`40`	`40`
`41`		`- return $this->accessDecisionManager->decide($token, [$attribute], $subject);`
	`41`	`+ return $accessDecision->isGranted = $this->accessDecisionManager->decide($token, [$attribute], $subject, $accessDecision);`
`42`	`42`	`}`
`43`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ interface AuthorizationCheckerInterface`
`21`	`21`	`/**`
`22`	`22`	`* Checks if the attribute is granted against the current authentication token and optionally supplied subject.`
`23`	`23`	`*`
`24`		`- * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)`
	`24`	`+ * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)`
	`25`	`+ * @param AccessDecision $accessDecision Should be used to explain the decision`
`25`	`26`	`*/`
`26`		`- public function isGranted(mixed $attribute, mixed $subject = null): bool;`
	`27`	`+ public function isGranted(mixed $attribute, mixed $subject = null/* , AccessDecision $accessDecision = new AccessDecision() */): bool;`
`27`	`28`	`}`