[Security/Core] Add "is_granted()" to security expressions, deprecate "has_role()" #27305
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stof
requested changes
May 18, 2018
| { | ||
| if ($authChecker instanceof RoleHierarchyInterface) { | ||
| @trigger_error(sprintf('Passing a RoleHierarchyInterface to "%s()" is deprecated since Symfony 4.2. Pass an AuthorizationCheckerInterface instead.', __METHOD__), E_USER_DEPRECATED); | ||
| $authChecker = $roleHierarchy; |
There was a problem hiding this comment.
Using a single argument for either the auth checker or the role hierarchy is broken. We still need to pass the role hierarchy all the time, otherwise we cannot provide the Bc layer for has_role
There was a problem hiding this comment.
wrong assignation, fixed
8e6cba4 to
1ceffe1
Compare
xabbuh
reviewed
May 18, 2018
UPGRADE-4.2.md
Outdated
| Security | ||
| -------- | ||
|
|
||
| * Using the "has_role()" function in security expressions is deprecated, use the "is_granted()' function instead. |
There was a problem hiding this comment.
Use backticks instead of quotes?
There was a problem hiding this comment.
yeah, would be much better.
Or if you really want to use quotes, use the same one on both sides at least.
xabbuh
reviewed
May 18, 2018
| new ExpressionFunction('is_remember_me', function () { | ||
| return '$trust_resolver->isRememberMe($token)'; | ||
| }, function (array $variables) { | ||
| return $variables['trust_resolver']->isRememberMe($variables['token']); | ||
| }), | ||
|
|
||
| new ExpressionFunction('has_role', function ($role) { | ||
| @trigger_error('Using the "has_role()" function in security expressions is deprecated since Symfony 4.2, use "is_granted()" instead.', E_USER_DEPRECATED); |
There was a problem hiding this comment.
Won't this trigger the deprecation too early (i.e. at compile instead of runtime)?
There was a problem hiding this comment.
well, it will trigger it at compile time when compiling an expression using the deprecated function. that's totally fine, as Symfony 5.0 will also fail at compile time.
xabbuh
reviewed
May 18, 2018
| $roleHierarchy = $authChecker; | ||
| $authChecker = null; | ||
| } elseif (null === $authChecker) { | ||
| @trigger_error(sprintf('"%s()" expects an AuthorizationCheckerInterface as 3rd argument, not passing it is deprecated since Symfony 4.2.', __METHOD__), E_USER_DEPRECATED); |
xabbuh
reviewed
May 18, 2018
| } elseif (null === $authChecker) { | ||
| @trigger_error(sprintf('"%s()" expects an AuthorizationCheckerInterface as 3rd argument, not passing it is deprecated since Symfony 4.2.', __METHOD__), E_USER_DEPRECATED); | ||
| } elseif (!$authChecker instanceof AuthorizationCheckerInterface) { | ||
| throw new \InvalidArgumentException(sprintf('Argument 3 passed to %s() must be instance of %s or null, %s given.', __METHOD__, AuthorizationCheckerInterface::class, is_object($authChecker) ? get_class($authChecker) : gettype($authChecker))); |
dunglas
approved these changes
May 18, 2018
stof
reviewed
May 18, 2018
| @@ -119,6 +119,7 @@ | |||
| <service id="security.access.expression_voter" class="Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter"> | |||
| <argument type="service" id="security.expression_language" /> | |||
| <argument type="service" id="security.authentication.trust_resolver" /> | |||
| <argument type="service" id="security.authorization_checker" on-invalid="null" /> | |||
There was a problem hiding this comment.
why making it optional ? If you have a voter, you will also have the auth checker (otherwise your voter is useless anyway as it is used by the auth checker)
1ceffe1 to
2ecd8f1
Compare
|
looks like some tests still need to be updated |
2ecd8f1 to
9dbf399
Compare
ogizanagi
approved these changes
May 18, 2018
chalasr
approved these changes
May 19, 2018
fabpot
approved these changes
May 21, 2018
|
Thank you @nicolas-grekas. |
fabpot
added a commit
that referenced
this pull request
May 21, 2018
…ions, deprecate "has_role()" (nicolas-grekas) This PR was merged into the 4.2-dev branch. Discussion ---------- [Security/Core] Add "is_granted()" to security expressions, deprecate "has_role()" | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #23084 | License | MIT | Doc PR | - Because `has_role()` doesn't use the auth checker, it is confusing. Let's move `is_granted()` to core (it's provided by SensioFrameworkExtraBundle / ApiPlatform for now. Commits ------- 9dbf399 [Security/Core] Add "is_granted()" to security expressions, deprecate "has_role()"
OskarStark
added a commit
to OskarStark/symfony-docs
that referenced
this pull request
Jun 12, 2018
OskarStark
added a commit
to OskarStark/symfony-docs
that referenced
this pull request
Jun 13, 2018
OskarStark
added a commit
to OskarStark/symfony-docs
that referenced
this pull request
Jun 18, 2018
javiereguiluz
added a commit
to symfony/symfony-docs
that referenced
this pull request
Jun 19, 2018
…tark) This PR was merged into the master branch. Discussion ---------- use is_granted() instead of deprecated has_role() using `has_role()` was deprecated in symfony/symfony#27305 since `4.2` by @nicolas-grekas Commits ------- 5e6031b use is_granted() instead of deprecated has_role()
Liinkiing
pushed a commit
to Liinkiing/symfony-docs
that referenced
this pull request
Aug 24, 2018
Liinkiing
pushed a commit
to Liinkiing/symfony-docs
that referenced
this pull request
Aug 24, 2018
This was referenced Nov 3, 2018
Closed
Merged
fabpot
added a commit
that referenced
this pull request
Feb 25, 2020
…guage functions (wouterj) This PR was merged into the 5.1-dev branch. Discussion ---------- [Security] Use new IS_* attributes in the expression language functions | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a #31189 has been merged which introduces some new attributes (`IS_ANONYMOUS` & friends). We can now modify the code behind the `is_*()` expression language functions to use these new attributes. This avoids any possibility of having them out of sync. In case you - just like me - are interested why `isGranted("IS_AUTHENTICATED_FULLY")` wasn't used before: These functions were implemented without `auth_checker` being available. The auth checker variable was introduced in 4.2 by #27305, so now we can use this. Commits ------- 3f0c599 Use new IS_* attributes in the expression language functions
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Because
has_role()doesn't use the auth checker, it is confusing. Let's moveis_granted()to core (it's provided by SensioFrameworkExtraBundle / ApiPlatform for now.