Show more information in the security profiler #17887


Closed
wants to merge 15 commits into from

Conversation

javiereguiluz
Member

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #17856
| License       | MIT
| Doc PR        | -

This is an early prototype to explore the feature of displaying more information in the security panel. Example:

profiler_security

@HeahDude
Contributor

Really awesome! Many thanks for that feature!


/**
* AccessDecisionManager is the base class for all access decision managers
* that use decision voters.
Member

This docblock looks wrong.

Member Author

Fixed. Thanks.

@fabpot
Member

fabpot commented Feb 29, 2016

@javiereguiluz Can you rebase, as tests have been fixed since you submitted the PR.

*
* @author Javier Eguiluz <[email protected]>
*/
class DebugAccessDecisionManager implements AccessDecisionManagerInterface //extends AccessDecisionManager
Member

The comment should probably be removed here, right?

@fabpot
Member

fabpot commented Feb 29, 2016

Apart from my minor comments, 👍

@javiereguiluz
Member Author

I've made all the requested changes (thanks for the review!) ... but before merging this, it should be tested by someone who works on Symfony apps with complex security needs (maybe @iltar could help us?)

@linaori
Contributor

linaori commented Feb 29, 2016

@javiereguiluz sadly still running on 2.8 in the application I can test it on properly. The 3.0 upgrade will be done somewhere starting in 2 weeks as we are still gathering deprecations in our production env. Maybe I'll be able to upgrade just the security bundle as most (if not all) of those are already fixed.

@linaori
Contributor

linaori commented Mar 1, 2016

@javiereguiluz I've downloaded your branch as a zip, extracted it and symlinked vendor/symfony/symfony to your branch. However, I cannot get it to work. The error I'm getting is Warning: Invalid argument supplied for foreach():

issue 1

Most important part of the stacktrace:

in SecurityDataCollector.php line 117
at ErrorHandler->handleError('2', 'Invalid argument supplied for foreach()', '/home/ivanderberg/projects/forks/symfony-fix_17856/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php', '117', ...)

I've checked the service and it has the DebugAccessDecisionManager which is correct. However, getVoters() returns null. I've checked and setVoters() is never called. I've traced that back to AddSecurityVotersPass:48:

$container->getDefinition('security.access.decision_manager')->addMethodCall('setVoters', array(array_values($voters)));

There are 2 possible solutions:

  • DebugAccessDecisionManager setVoters() should be removed and getVoters() should forward the call to $this->manager. Sadly this class doesn't have getVoters() yet, so it will have to be added.
  • The setVoters() should also be called on the decorating service. It seems like this is not added because the decoration pass runs later (correct me if I'm wrong).

issue 2

After patching either one of the above issues, I have a serialization issue "You cannot serialize or unserialize PDO instances". The @template is being cached now and causes the bug I fixed in this pending PR: sensiolabs/SensioFrameworkExtraBundle#404. However, fixing this issue didn't solve my serialization issue. After digging a bit deeper it made sense... The request also contains your session. This means that if you use a database session storage like I do, it will try to serialize this. This will also fail if you use the @ParamConverter and put objects in your attribute bag.

I've changed DebugAccessDecisionManager:50 to 'object' => is_object($object) ? get_class($object) : gettype($object), and now it works. In the actual PR you might want to use the ClassUtils from doctrine to fetch the actual class though, otherwise you'll see useless proxy names.


After fixing

The following screens are on my login page. The first thing I notice is that the Token column might be redundant.


When I'm logged in, it shows more information on my dashboard. The things I notice:

  • The attributes are not shown in the most readable format for the most common case (1 attribute).
  • Column numbers get put on multiple lines
  • The Token column is redundant
  • I'm unable to trace back where it came from (but this could be a future PR)



When viewing a page which has a lot of isGranted() checks, it becomes hard to trace back the data. Maybe it could be grouped, but that would be annoying to trace back either way. A nice feature that I'm missing is the ability to show the "identifier" of an entity in this case. In this list it looks like I have inconsistent results, while in fact it's 80 different entities being checked in a list. Finding the identifier might be nice as it will help debugging a lot, but you will run into the same issue I have: linaori/http-bundle#12.


and the list goes on


Looking at a page with less different objects, it becomes a bit of a mess as well.


Conclusion

It's a nice start, but with lots of information it becomes a mess really quick. A possible solution would be to group the checks per object (via object hash?) and to add the ID of an object if managed by Doctrine (plug & play system so people can hook in?). Additionally, the last column could be removed and the attributes shown with just the attribute as a comma-imploded string.

@javiereguiluz
Member Author

@iltar thank you very much for your incredible review!!

I've made some changes as requested:

  • Removed the token column in the decision log
  • Improved the way we display attributes when there is only 1 attribute
  • Tried to improve the way objects are represented (this needs to be tested)
  • Related to previous one: don't store objects to avoid serializing errors
  • Other minor design tweaks

I still need to fix the setVoters() problem.

@linaori
Contributor

linaori commented Mar 1, 2016

Once the setVoters() is fixed I'll run it through the application again if I have some time today, otherwise it will be tomorrow. Can you ping me when it's ready to be tested?

@javiereguiluz
Member Author

@iltar it should be ready for review. Thanks!

@linaori
Contributor

linaori commented Mar 1, 2016

Not sure if the Request gives the desired effect now, but works for me:

The list is a lot easier to read now, but differences between objects are still hard to find. I suppose getting the actual ID field + the value of the object in question (if entity) would be too hard to implement in this patch for now. It's already an improvement, but it takes a lot of time to see the different objects.

2 different objects

Many different objects

Found one with a basic type, someone found it necessary to use an ID instead of an object...
image

Besides the minor comments (which are hard to fix), I think this shows a lot of usable information already. What I would still like to see is a way to identify an Entity in a generic fashion; I need it myself and it could be re-used here to show useful info.


I hope this helps 👍

@javiereguiluz
Member Author

@iltar great! We're making progress here. I've just added a special case to check if getId() method exists to use it instead of the object hash. I think it's worth it because getId() is used very commonly.
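An added example, not code from the PR, that puts the thread's conclusions together: a decorating access decision manager that forwards setVoters() to the wrapped manager (the AddSecurityVotersPass problem described above) and logs each decision with a scalar description of the checked object (getId() when present, otherwise the object hash) instead of the object itself, so the profiler's serialization never touches entities, Doctrine proxies or the Request's session. It assumes the symfony/security-core 3.x interfaces are autoloaded; the class is a stand-in, not the one merged in #17887.

```php
<?php
// Added example, not the PR's code. Assumes symfony/security-core 3.x is autoloaded;
// this class is a stand-in for the DebugAccessDecisionManager merged in #17887.
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;

final class DebugAccessDecisionManager implements AccessDecisionManagerInterface
{
    private $manager;
    private $decisionLog = array();
    public function __construct(AccessDecisionManagerInterface $manager)
    {
        $this->manager = $manager;
    }
    public function decide(TokenInterface $token, array $attributes, $object = null)
    {
        $result = $this->manager->decide($token, $attributes, $object);
        // Keep only scalars: the profiler serializes collected data, so storing the
        // object itself (entity, Doctrine proxy, Request carrying a session) breaks it.
        $this->decisionLog[] = array(
            'attributes' => $attributes,
            'object' => $this->describe($object),
            'result' => $result,
        );

        return $result;
    }
    // AddSecurityVotersPass adds the setVoters() call to the inner definition; forwarding
    // it here keeps the decorator working if the call lands on the wrapper instead.
    public function setVoters(array $voters)
    {
        if (method_exists($this->manager, 'setVoters')) {
            $this->manager->setVoters($voters);
        }
    }
    public function getDecisionLog()
    {
        return $this->decisionLog;
    }
    private function describe($object)
    {
        if (!is_object($object)) {
            return sprintf('%s(%s)', gettype($object), var_export($object, true));
        }
        // Prefer getId() (common on entities) over the object hash, as suggested above.
        $id = method_exists($object, 'getId') ? $object->getId() : spl_object_hash($object);
        return sprintf('%s#%s', get_class($object), $id);
    }
}
```

The data collector should only call getDecisionLog() after an instanceof check against this class, since a plain AccessDecisionManager wired in its place has no such method.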

@linaori
Contributor

linaori commented Mar 1, 2016

I agree that this covers most use-cases. In a later stage I would like to ask the entity metadata what the identifier is, but I want this done in a generic fashion as not everything is a doctrine entity for example which probably blows up the scope of this PR.

@fabpot
Member

fabpot commented Mar 1, 2016

Good to merge? ping @symfony/deciders

// collect voters and access decision manager information
if (null !== $this->accessDecisionManager) {
$this->data['access_decision_log'] = $this->accessDecisionManager->getDecisionLog();
$this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
Member

Both the getDecisionLog() and getStrategy() methods may not exist.

Contributor

Could typehint against the DebugAccessDecisionManager, good to let it crash if you run this incorrectly imo

Member Author

I've made this change. Is this what you suggested?

-if (null !== $this->accessDecisionManager) {
+if ($this->accessDecisionManager instance of DebugAccessDecisionManager) {
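Review bot: the added line uses `instance of`, which is not valid PHP; the operator is a single token, so it should read `if ($this->accessDecisionManager instanceof DebugAccessDecisionManager) {`. Worth noting in the PR description as well: with the old null check a non-debug manager reached getDecisionLog() and getStrategy() and failed, whereas the instanceof check silently collects nothing for it, which matches the suggestion above but means a misconfigured service no longer surfaces as an error.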

@javiereguiluz
Member Author

I've tested all kinds of attributes and objects and it seems to work as expected:

access_decision_log

The Travis errors are unrelated.

@linaori
Contributor

linaori commented Mar 3, 2016

That looks really nice and useful! 👍

@fabpot
Member

fabpot commented Mar 4, 2016

Thank you @javiereguiluz.

@fabpot fabpot closed this Mar 4, 2016
fabpot added a commit that referenced this pull request Mar 4, 2016
…eguiluz)

This PR was squashed before being merged into the 3.1-dev branch (closes #17887).

Discussion
----------

Show more information in the security profiler

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #17856
| License       | MIT
| Doc PR        | -

This is an early prototype to explore the feature of displaying more information in the security panel. Example:

![profiler_security](https://cloud.githubusercontent.com/assets/73419/13221929/0235fc46-d97e-11e5-981a-249b7148f3a6.png)

Commits
-------

b12152d Show more information in the security profiler
@felipsmartins

Great great great!!! Congrats @javiereguiluz @iltar

fabpot added a commit that referenced this pull request Mar 10, 2016
…on (xabbuh)

This PR was merged into the 3.1-dev branch.

Discussion
----------

[SecurityBundle] fix lowest required Security Core version

| Q             | A
| ------------- | ---
| Branch        | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #17887
| License       | MIT
| Doc PR        |

Commits
-------

4283cd7 fix lowest required Security Core version
@fabpot fabpot mentioned this pull request May 13, 2016
ostrolucky pushed a commit to ostrolucky/symfony that referenced this pull request Mar 25, 2018