[Security] Add IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED #31189
Conversation
71f08d8 to
234dc0d
Compare
|
Looks great, thanks. |
234dc0d to
48d4813
Compare
|
Thanks for the suggestion @chalasr! I've updated the PR. Also realized that I forgot to do the same for |
19ed26f to
7b9b167
Compare
|
Actually, I've decided to take another step and deprecate all |
|
|
7b9b167 to
613789f
Compare
|
Didn't realize 4.3 release was soo close. I've updated the PR to 4.4 and added a documentation PR. Ready for review when 4.3 is released |
I'm not sure the new version is more clear: having role inheritance in mind, the current wording is clear to me. The new one might make me think one is authenticated not-anonymously. |
|
Hmm, I completely forgot about this PR. Sorry! Let's see how we can continue and what we manage to get into 4.4/5.0 before the freeze:
From what I see above, people seem to agree on (1) and (3). So let's remove change (2) from this PR, to allow this to be merged? (2) seems up for debate and now I think about this, I think it's indeed a confusing change, people would maybe think that |
|
Moving to milestone "next", meaning for 5.1 or later. |
|
@wouterj I'd like that we move forward with all your PRs/issues/big plans related to security. Whenever you have time, ping me and we will see how to make it work for 5.1. |
a17ee3a to
2fb0a98
Compare
Yeah, the bundle requires |
28606e1 to
4038d6c
Compare
|
@wouterj Bumping to |
4038d6c to
fda7e0a
Compare
|
Thanks for the quick response. I've bumped the requirement. The tests should now pass |
|
status: needs review |
src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php
Outdated
Show resolved
Hide resolved
fda7e0a to
6c522a7
Compare
|
Thank you @wouterj. |
…guage functions (wouterj) This PR was merged into the 5.1-dev branch. Discussion ---------- [Security] Use new IS_* attributes in the expression language functions | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a #31189 has been merged which introduces some new attributes (`IS_ANONYMOUS` & friends). We can now modify the code behind the `is_*()` expression language functions to use these new attributes. This avoids any possibility of having them out of sync. In case you - just like me - are interested why `isGranted("IS_AUTHENTICATED_FULLY")` wasn't used before: These functions were implemented without `auth_checker` being available. The auth checker variable was introduced in 4.2 by #27305, so now we can use this. Commits ------- 3f0c599 Use new IS_* attributes in the expression language functions
This PR was merged into the 5.1-dev branch. Discussion ---------- [Security] Deprecated ROLE_PREVIOUS_ADMIN | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | Deprecations? | yes | Tickets | n/a | License | MIT | Doc PR | symfony/symfony-docs#11487 `ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Since #31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason. I propose to deprecate the `ROLE_PREVIOUS_ADMIN`: * This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277)) * The role isn't very descriptive * I don't like having 2 ways of doing exactly the same thing * While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +` --- I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role). Commits ------- dce55f3 Deprecated ROLE_PREVIOUS_ADMIN
This PR was merged into the 5.1-dev branch. Discussion ---------- [Security] Deprecated ROLE_PREVIOUS_ADMIN | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | Deprecations? | yes | Tickets | n/a | License | MIT | Doc PR | symfony/symfony-docs#11487 `ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Since symfony/symfony#31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason. I propose to deprecate the `ROLE_PREVIOUS_ADMIN`: * This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277)) * The role isn't very descriptive * I don't like having 2 ways of doing exactly the same thing * While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +` --- I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role). Commits ------- dce55f352a Deprecated ROLE_PREVIOUS_ADMIN
…S and IS_REMEMBERED attributes (wouterj) This PR was merged into the master branch. Discussion ---------- [Security] Documented new IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED attributes Changes the documentation to no longer use security attributes/functions that will be deprecated in symfony/symfony#31189 . It's funny to see how the docs were also confusing about the old attributes, as wrong attributes were used. While doing these changes, I've also rewritten some parts to no longer talk about attributes as something the users have (like roles), but instead as something the user is matched against. Commits ------- 0e2b406 Documented new security attributes
This continues work of @HeahDude and finally finishes one of the code PRs I've been working on during the ⭐️ EUFOSSA Hackathon.
Changes
The PRs modifies some of the attributes used by the
AuthenticatedVoter:IS_IMPERSONATOR,IS_ANONYMOUSandIS_REMEMBEREDattributes are introduced to indicate the user either impersonated, anonymous or rembered.IS_AUTHENTICATED_ANONYMOUSLYactually meant "is authenticated, either anonymous or fully". As this is confusing, it is replaced byIS_AUTHENTICATED.Allis_*()functions in expressions are deprecated in favor ofis_granted('IS_*'). It's not worth duplicating theAuthenticatedVoterlogic in two places now we have shorterIS_*attributesBefore
After
DiscussionThe only thing I'm wondering is how we combine this with the
is_authenticated()expression function:symfony/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php
Lines 33 to 37 in 98929dc
As you can see, theIS_AUTHENTICATEDattribute andis_authenticated()expression function do not have the same meaning. Should we somehow deprecate the current behavior ofis_authenticated()or should we find another name forIS_AUTHENTICATED(that would be a shame imo).