symfony · nicolas-grekas · Jul 12, 2022 · Jul 11, 2022 · weaverryan · Jul 11, 2022
@@ -42,6 +42,7 @@
 use Symfony\Component\Security\Core\Validator\Constraints\UserPasswordValidator;
 use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
+use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
 use Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -269,5 +270,9 @@
                 service('security.expression_language'),
             ])
             ->tag('kernel.cache_warmer')
+
+        ->set('controller.is_granted_attribute_listener', IsGrantedAttributeListener::class)
+            ->args([service('security.authorization_checker')])
+            ->tag('kernel.event_subscriber')
     ;
 };
@@ -19,10 +19,10 @@
         "php": ">=8.1",
         "composer-runtime-api": ">=2.1",
         "ext-xml": "*",
-        "symfony/config": "^5.4|^6.0",
-        "symfony/dependency-injection": "^5.4|^6.0",
+        "symfony/config": "^6.1",
+        "symfony/dependency-injection": "^6.1",
         "symfony/event-dispatcher": "^5.4|^6.0",
-        "symfony/http-kernel": "^5.4|^6.0",
+        "symfony/http-kernel": "^6.2",
         "symfony/http-foundation": "^5.4|^6.0",
         "symfony/password-hasher": "^5.4|^6.0",
         "symfony/security-core": "^5.4|^6.0",

@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Attribute;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+class IsGranted
+{
+    public function __construct(
+        /**
+         * Sets the first argument that will be passed to isGranted().
+         */
+        public array|string|null $attributes = null,
+
+        /**
+         * Sets the second argument passed to isGranted().
+         */
+        public array|string|null $subject = null,
+
+        /**
+         * The message of the exception - has a nice default if not set.
+         */
+        public ?string $message = null,
+
+        /**
+         * If set, will throw HttpKernel's HttpException with the given $statusCode.
+         * If null, Security\Core's AccessDeniedException will be used.
+         */
+        public ?int $statusCode = null,
+    ) {
+    }
+}
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Add maximum username length enforcement of 4096 characters in `UserBadge`
+ * Add `#[IsGranted()]`
 
 6.0
 ---

@@ -0,0 +1,106 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+/**
+ * Handles the IsGranted attribute on controllers.
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+class IsGrantedAttributeListener implements EventSubscriberInterface
+{
+    public function __construct(
+        private AuthorizationCheckerInterface $authChecker,
+    ) {
+    }
+
+    public function onKernelControllerArguments(ControllerArgumentsEvent $event)
+    {
+        /** @var IsGranted[] $attributes */
+        if (!\is_array($attributes = $event->getAttributes()[IsGranted::class] ?? null)) {
+            return;
+        }
+
+        $namedArguments = [];
+        $arguments = $event->getArguments();
+        $r = $event->getRequest()->attributes->get('_controller_reflectors')[1] ?? new \ReflectionFunction($event->getController());
+
+        foreach ($r->getParameters() as $i => $param) {
+            if ($param->isVariadic()) {
+                $namedArguments[$param->name] = \array_slice($arguments, $i);
+                break;
+            }
+            if (\array_key_exists($i, $arguments)) {
+                $namedArguments[$param->name] = $arguments[$i];
+            }
+        }
+
+        foreach ($attributes as $attribute) {
+            $subjectRef = $attribute->subject;
+            $subject = null;
+
+            if ($subjectRef) {
+                if (\is_array($subjectRef)) {
+                    foreach ($subjectRef as $ref) {
+                        if (!\array_key_exists($ref, $namedArguments)) {
+                            throw new \RuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $ref, $ref));
+                        }
+                        $subject[$ref] = $namedArguments[$ref];
+                    }
+                } elseif (!\array_key_exists($subjectRef, $namedArguments)) {
+                    throw new \RuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $subjectRef, $subjectRef));
+                } else {
+                    $subject = $namedArguments[$subjectRef];
+                }
+            }
+
+            if (!$this->authChecker->isGranted($attribute->attributes, $subject)) {
+                $message = $attribute->message ?: sprintf('Access Denied by #[IsGranted(%s)] on controller', $this->getIsGrantedString($attribute));
+
+                if ($statusCode = $attribute->statusCode) {
+                    throw new HttpException($statusCode, $message);
+                }
+
+                $accessDeniedException = new AccessDeniedException($message);
+                $accessDeniedException->setAttributes($attribute->attributes);
+                $accessDeniedException->setSubject($subject);
+
+                throw $accessDeniedException;
+            }
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 10]];
+    }
+
+    private function getIsGrantedString(IsGranted $isGranted): string
+    {
+        $attributes = array_map(fn ($attribute) => '"'.$attribute.'"', (array) $isGranted->attributes);
+        $argsString = 1 === \count($attributes) ? reset($attributes) : '['.implode(', ', $attributes).']';
+
+        if (null !== $isGranted->subject) {
+            $argsString .= ', "'.implode('", "', (array) $isGranted->subject).'"';
+        }
+
+        return $argsString;
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ CHANGELOG @@
     ---
      * Add maximum username length enforcement of 4096 characters in `UserBadge`
+     * Add `#[IsGranted()]`
 .0
     ---
@@ Expand Down @@