Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] Deprecated ROLE_PREVIOUS_ADMIN #35858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 25, 2020
Merged

[Security] Deprecated ROLE_PREVIOUS_ADMIN #35858

merged 1 commit into from
Feb 25, 2020

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Feb 25, 2020
edited
Loading

Q A
Branch? master
Bug fix? no
New feature? no
Deprecations? yes
Tickets n/a
License MIT
Doc PR symfony/symfony-docs#11487

ROLE_PREVIOUS_ADMIN is added to the token roles if the session is an impersonation. Since #31189 we have the IS_IMPERSONATOR attribute which can be used for the same reason. I propose to deprecate the ROLE_PREVIOUS_ADMIN:

  • This is not what roles are for (resulting in hacking this exception in AbstractToken)
  • The role isn't very descriptive
  • I don't like having 2 ways of doing exactly the same thing
  • While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing ROLE_PREVIOUS_ADMIN with IS_IMPERSONATOR: find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +

I'm a bit unsure on how to deprecate this role, but I think having it in RoleVoter is probably the safest (isGranted() and variants + AccessDecisionManager#decide() all use this voter to check if the token has this role).

@wouterj wouterj force-pushed the security/deprecated-role-previous-admin branch from 7a77762 to d0bf1c1 Compare February 25, 2020 12:17
@wouterj wouterj force-pushed the security/deprecated-role-previous-admin branch from d0bf1c1 to dce55f3 Compare February 25, 2020 12:38
@fabpot
Copy link
Member

fabpot commented Feb 25, 2020

Thank you @wouterj.

@fabpot fabpot merged commit 82db995 into symfony:master Feb 25, 2020
@wouterj wouterj deleted the security/deprecated-role-previous-admin branch February 25, 2020 13:03
@wouterj wouterj mentioned this pull request Feb 28, 2020
Merged
fabpot added a commit that referenced this pull request Feb 29, 2020
@fabpot
minor #35895 Added ROLE_PREVIOUS_ADMIN deprecation to UPGRADE guide (…
4520e61 
…wouterj)

This PR was merged into the 5.1-dev branch.

Discussion
----------

Added ROLE_PREVIOUS_ADMIN deprecation to UPGRADE guide

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | n/a
| License       | MIT
| Doc PR        | n/a

I forgot to update the UPGRADE guides in #35858

Commits
-------

3c8d316 Added ROLE_PREVIOUS_ADMIN deprecation to UPGRADE guide
@fabpot fabpot mentioned this pull request May 5, 2020
Merged
@TomasVotruba TomasVotruba mentioned this pull request Jan 27, 2021
Merged
@piddubnij piddubnij mentioned this pull request Oct 6, 2022
Closed
@nicolas-grekas nicolas-grekas mentioned this pull request Jul 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

Assignees
No one assigned
Labels
Deprecation Security Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wouterj @fabpot @carsonbot