[SecurityBundle] Allow for custom request matchers #20272
Conversation
|
To clarify; the real issue is i want to target a specific controller/action, without depending on Currently we need to duplicate a path definition as a regex ourselves (instead of relying on the compiled regex out-of-the-box) which is error prone. |
| ->children() | ||
| ->scalarNode('matcher')->defaultNUll()->end() |
There was a problem hiding this comment.
defaultNUll should be defaultNull 😄
| /** | ||
| * @author Roland Franssen <[email protected]> | ||
| */ | ||
| class ChainRequestMatcher implements RequestMatcherInterface |
There was a problem hiding this comment.
Is this class related to this PR? It's not used anywhere?
About the name, "chain" usually means "delegation chain", ie the first applicable in the chain takes responsibility for the job. Here, this is something else, like AllMatchersRequestMatcher (dummy suggestion, I'm not really proud of it :) )
There was a problem hiding this comment.
Nope. It's outdate-ish. I moved it to #20274.
| @@ -180,9 +182,6 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode) | |||
| ->prototype('scalar')->end() | |||
| ->end() | |||
| ->scalarNode('allow_if')->defaultNull()->end() | |||
| ->end() | |||
| ->fixXmlConfig('role') | |||
There was a problem hiding this comment.
this CS should be applied to a lower branch
| $access['ips'] | ||
| ); | ||
| if (null !== $access['matcher']) { | ||
| $matcher = new Reference($access['matcher']); |
There was a problem hiding this comment.
the currently created matcher is configured by many props in $access. Thus, is this extension point really enough when you don't give it these parameters?
There was a problem hiding this comment.
Im not sure about the "right" approach here. Perhaps we should talk config/API first.
But we could do matcher|<combination of other keys>.
DX-wise i think - { route: foo, roles: [] } is best and probably same for firewalls? (using an array of routes).
As goes for - { expression: foo }. But that could work counter-intuitive with allow_if.
|
Closing in favor of #20274, im not sure about the matcher approach here. Maybe something better comes out. The integration is definitely missing though. But, im going to experiment with |
Quick proof of concept to allow for custom request matchers in the security bundle.
This would allow for matching a request based on a route name (routing happens before security!).
With only this setting it would still be cumbersome to do it though;
To solve this we could allow arguments or have it built in:
edit: added
ChainRequestMatcheras it could be useful to have a complex matcher built from simple matchers. Allows to refactor the currentRequestMatcherto be built fromMethodRequestMatcher,SchemeRequestMatchter, etc. I would like this kind of reuseability a lot :)edit2: added separated PR for it (#20274)