
Improve #[IsGranted] #46912


Closed
nicolas-grekas opened this issue Jul 12, 2022 · 0 comments · Fixed by #46978
Labels
Help wanted Issues and PRs which are looking for volunteers to complete them. Security

Comments

@nicolas-grekas (Member)

Description

As part of the effort to move features of SensioFrameworkExtraBundle #44705 into code, we are considering not moving @Security and instead improving #[IsGranted].

A first idea has been described by @stof in #45415 (comment):

Also, I would not migrate the Security attribute as is. The implementation of this attribute is currently a hack, as it does not rely on triggering the authorization system to perform the security check (instead, it duplicates part of that system, which broke when switching to the new security system).
The best practice for using that attribute is to restrict yourselves to using is_granted inside the expression (or to switch to IsGranted for all cases where it can be used, as that attribute does not hack the authorization system).

To me, this should rather be left out, adding a few advanced features to IsGranted:
The one I would need personally is having a subject_expression feature, allowing the use of ExpressionLanguage to build the subject being voted on (but with a better approach than Security, where we have clashes between controller argument names and built-in variables of the expression) when we need a more complex vote.
Another one that could be needed is a way to specify that the permission being checked is an expression for ExpressionVoter (but this may be supported already on PHP 8.1 when using attributes rather than annotations, but using new Expression)

Let's discuss what we want to do. Help wanted to make it happen.

Example

No response

@nicolas-grekas nicolas-grekas added the Help wanted Issues and PRs which are looking for volunteers to complete them. label Jul 12, 2022
nicolas-grekas added a commit that referenced this issue Aug 2, 2022
…d] attribute (HypeMC)

This PR was merged into the 6.2 branch.

Discussion
----------

[Security] Allow using expressions with the #[IsGranted] attribute

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #46912
| License       | MIT
| Doc PR        | -

Allows using the expression language with the `#[IsGranted]` attribute:

```php
<?php
// Imports needed by the three examples below; Post is the application's own entity.
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class PostController
{
    // 1. The attribute is an expression evaluated by the ExpressionVoter; the
    //    subject is the controller argument named "post", looked up by name.
    #[IsGranted(
        attribute: new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'),
        subject: 'post',
    )]
    public function index(Post $post)
    {
    }

    // 2. The subject itself is built with an expression. Controller arguments are
    //    exposed through the "args" variable instead of being injected by name,
    //    which is what caused the clashes with built-in variables under @Security.
    #[IsGranted(
        attribute: new Expression('user === subject'),
        subject: new Expression('args["post"].getAuthor()'),
    )]
    public function show(Post $post)
    {
    }

    // 3. A map of subjects: each entry is either an argument name or an expression,
    //    and the attribute expression addresses them as subject["key"].
    #[IsGranted(
        attribute: new Expression('user === subject["author"] and subject["post"].isPublished()'),
        subject: [
            'author' => new Expression('args["post"].getAuthor()'),
            'post' => 'post',
        ],
    )]
    public function edit(Post $post)
    {
    }
}
```

Commits
-------

f5cee77 [Security] Allow using expressions with the #[IsGranted] attribute
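The following is an added example, not code from the Symfony PR or from the issue author. It puts together the two points made above: @stof's concern that @Security injected controller arguments into the expression by name (so an argument called `$user` could clash with the built-in `user` variable), and the merged PR's `args[...]` subject expressions. It assumes Symfony 6.2 with the `#[IsGranted]` attribute from the PR, plus hypothetical `App\Entity\User` and `App\Entity\Post` classes with `getAuthor()` and `isPublished()` methods; the `POST_EDIT` attribute, the route and the voter are constructed for the example.

```php
<?php
// Added example (assumes Symfony 6.2 and hypothetical App\Entity\User / App\Entity\Post).

namespace App\Controller;

use App\Entity\Post;
use App\Entity\User;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class PostController extends AbstractController
{
    // The controller argument is deliberately named $user. Under the old @Security
    // annotation it would have been injected into the expression as "user", shadowing
    // the built-in "user" (the authenticated principal). With #[IsGranted] the route
    // argument is only reachable as args["user"] inside the subject expression, so the
    // attribute expression compares the authenticated user with the route user
    // unambiguously and then delegates the fine-grained decision to a voter.
    #[Route('/users/{user}/posts/{post}/edit', name: 'post_edit')]
    #[IsGranted(
        attribute: new Expression('user === subject["owner"] and is_granted("POST_EDIT", subject["post"])'),
        subject: [
            'owner' => new Expression('args["user"]'),
            'post' => 'post',
        ],
        message: 'You may only edit your own unpublished posts.',
    )]
    public function edit(User $user, Post $post): Response
    {
        // Authorization has already been enforced by the attribute listener; the
        // controller body only handles the allowed case.
        return $this->render('post/edit.html.twig', ['post' => $post]);
    }
}

namespace App\Security\Voter;

use App\Entity\Post;
use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

// The voter that is_granted("POST_EDIT", ...) in the attribute expression reaches.
// Keeping the business rule here, rather than in the expression string, means the
// same rule applies wherever POST_EDIT is checked (templates, services, other controllers).
final class PostVoter extends Voter
{
    public const EDIT = 'POST_EDIT';

    protected function supports(string $attribute, mixed $subject): bool
    {
        return self::EDIT === $attribute && $subject instanceof Post;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            // Anonymous or unexpected principal: deny by default.
            return false;
        }

        /** @var Post $subject */
        // Grant only to the author, and only while the post is still a draft.
        return $subject->getAuthor() === $user && !$subject->isPublished();
    }
}
```

Two things are worth checking when adopting this pattern: the attribute expression is evaluated by the ExpressionVoter against the authorization system (so a denial throws the usual AccessDeniedException and is logged like any other vote), and any argument referenced through `args[...]` must actually be resolved by the argument resolver for that controller, otherwise the listener cannot build the subject.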