[Security] Make request always available to #[IsGranted]
#48080
Conversation
#[IsGranted]#[IsGranted]
#[IsGranted]#[IsGranted]
|
Thank you @HypeMC. |
|
@HypeMC can you please send a PR to the doc to mention this? |
| 'args' => $arguments, | ||
| ]); | ||
| } | ||
|
|
||
| if (!\array_key_exists($subjectRef, $arguments)) { | ||
| if ('request' === $subjectRef) { |
There was a problem hiding this comment.
I don't think we should add that special case. It can be surprising as strings mean argument names. Having special string values makes things harder to explain request means the current request only when you don't have an argument named $request in this code).
To me, voting on the Request object is something that case be solved by using the Expression.
There was a problem hiding this comment.
Thanks for the feedback, will create a followup PR to address this issue.
@stof There are two tests that check if the request variable is passed to the |
|
indeed, this is probably covered by your update of the existing tests using expressions. |
…ect (HypeMC) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Remove special case for `#[IsGranted()]` subject | Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #48080 (comment) | License | MIT | Doc PR | - Addresses a comment by `@stof` Instead of having `request` as a special case, an expression can be used instead: ```diff -#[IsGranted(attribute: 'SOME_ATTRIBUTE', subject: 'request')] +#[IsGranted(attribute: 'SOME_ATTRIBUTE', subject: new Expression('request'))] public function index() { } ``` Commits ------- 3e0ac4f [Security] Remove special case for #[IsGranted()] subject
… (HypeMC) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Use expression for `#[IsGranted()]` subject symfony/symfony#46978 symfony/symfony#48080 symfony/symfony#48102 Commits ------- 9d4045f [Security] Use expression for #[IsGranted()] subject
… (HypeMC) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Use expression for `#[IsGranted()]` subject symfony/symfony#46978 symfony/symfony#48080 symfony/symfony#48102 Commits ------- 9d4045f [Security] Use expression for #[IsGranted()] subject
Currently, the request is only available to the
#[IsGranted]attribute when it's a controller argument, eg:However, since the
$requestvariable might not always be needed in the controller itself, it seems kind of weird to have to add it as an argument just so the#[IsGranted]attribute could work. With this PR, the request will always be available to the attribute:Don't know if this qualifies as a tweak for 6.2 or feature for 6.3.