Hi,

I have an API with unanimous voters strategy and when a voter refuse a api call, I would like to throw an exception depending to what voter refused the call. All voter vote on the same attribute of course (eg : Attributes::API_CALL).

I think it's a real use case, but there is no way to know what voter(s) refused the call.

There is several way to do that, and I can make a PR, but before I woul'd like to discuss about it to know if it worth or if the SF team do not want it.

For example, we coul'd add a function "getDecision" or "getAuthorization" on the AthorizationChecker class, which would return an object, with some properties like "granted" (bool), and "denyingVoters" (array).

Another simplier way coul'd be adding a "getException" on the VoterInterface which can return null or an exception to throw if the voter deny the access, but it is not really a good design here imo (only relevant on unanimous strategy)..

Anyway, this woul'd result to a refactoring of the AccessDecisionManager and a BC break.. maybe for SF4 ?

I know I coul'd avoid that with one attribute per voter, but it loose the interest to have voters.