minor #20388 [Security] use access decision manager to control which token to vote on (xabbuh)

javiereguiluz · javiereguiluz · commit 0e8d2b674296 · 2024-11-19T10:09:15.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [Security] use access decision manager to control which token to vote on Following symfony/symfony#58754: calling. `Security::isGranted()` inside a voter has the drawback that we do not know if the checks performed here act on the same token that we have in our voter as the token inside the token storage might have change or may change in between. Commits ------- fc0030a use access decision manager to control which token to vote on
diff --git a/security/impersonating_user.rst b/security/impersonating_user.rst
@@ -309,17 +309,17 @@ logic you want::
     namespace App\Security\Voter;
 
     use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+    use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
     use Symfony\Component\Security\Core\Authorization\Voter\Voter;
-    use Symfony\Component\Security\Core\Security;
     use Symfony\Component\Security\Core\User\UserInterface;
 
     class SwitchToCustomerVoter extends Voter
     {
-        private $security;
+        private $accessDecisionManager;
 
-        public function __construct(Security $security)
+        public function __construct(AccessDecisionManager $accessDecisionManager)
         {
-            $this->security = $security;
+            $this->accessDecisionManager = $accessDecisionManager;
         }
 
         protected function supports($attribute, $subject): bool
@@ -337,12 +337,12 @@ logic you want::
             }
 
             // you can still check for ROLE_ALLOWED_TO_SWITCH
-            if ($this->security->isGranted('ROLE_ALLOWED_TO_SWITCH')) {
+            if ($this->accessDecisionManager->isGranted($token, ['ROLE_ALLOWED_TO_SWITCH'])) {
                 return true;
             }
 
             // check for any roles you want
-            if ($this->security->isGranted('ROLE_TECH_SUPPORT')) {
+            if ($this->accessDecisionManager->isGranted($token, ['ROLE_TECH_SUPPORT'])) {
                 return true;
             }
 
diff --git a/security/voters.rst b/security/voters.rst
@@ -222,33 +222,33 @@ Checking for Roles inside a Voter
 ---------------------------------
 
 What if you want to call ``isGranted()`` from *inside* your voter - e.g. you want
-to see if the current user has ``ROLE_SUPER_ADMIN``. That's possible by injecting
-the :class:`Symfony\\Component\\Security\\Core\\Security`
-into your voter. You can use this to, for example, *always* allow access to a user
+to see if the current user has ``ROLE_SUPER_ADMIN``. That's possible by using an
+:class:`access decision manager <Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManagerInterface>`
+inside your voter. You can use this to, for example, *always* allow access to a user
 with ``ROLE_SUPER_ADMIN``::
 
     // src/Security/PostVoter.php
 
     // ...
-    use Symfony\Component\Security\Core\Security;
+    use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 
     class PostVoter extends Voter
     {
         // ...
 
-        private $security;
+        private $accessDecisionManager;
 
-        public function __construct(Security $security)
+        public function __construct(AccessDecisionManagerInterface $accessDecisionManager)
         {
-            $this->security = $security;
+            $this->accessDecisionManager = $accessDecisionManager;
         }
 
         protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
         {
             // ...
 
             // ROLE_SUPER_ADMIN can do anything! The power!
-            if ($this->security->isGranted('ROLE_SUPER_ADMIN')) {
+            if ($this->accessDecisionManager->isGranted($token, ['ROLE_SUPER_ADMIN'])) {
                 return true;
             }
 

Original file line number	Diff line number	Diff line change
`@@ -309,17 +309,17 @@ logic you want::`
`309`	`309`	`namespace App\Security\Voter;`
`310`	`310`
`311`	`311`	`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
	`312`	`+ use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;`
`312`	`313`	`use Symfony\Component\Security\Core\Authorization\Voter\Voter;`
`313`		`- use Symfony\Component\Security\Core\Security;`
`314`	`314`	`use Symfony\Component\Security\Core\User\UserInterface;`
`315`	`315`
`316`	`316`	`class SwitchToCustomerVoter extends Voter`
`317`	`317`	`{`
`318`		`- private $security;`
	`318`	`+ private $accessDecisionManager;`
`319`	`319`
`320`		`- public function __construct(Security $security)`
	`320`	`+ public function __construct(AccessDecisionManager $accessDecisionManager)`
`321`	`321`	`{`
`322`		`- $this->security = $security;`
	`322`	`+ $this->accessDecisionManager = $accessDecisionManager;`
`323`	`323`	`}`
`324`	`324`
`325`	`325`	`protected function supports($attribute, $subject): bool`
`@@ -337,12 +337,12 @@ logic you want::`
`337`	`337`	`}`
`338`	`338`
`339`	`339`	`// you can still check for ROLE_ALLOWED_TO_SWITCH`
`340`		`- if ($this->security->isGranted('ROLE_ALLOWED_TO_SWITCH')) {`
	`340`	`+ if ($this->accessDecisionManager->isGranted($token, ['ROLE_ALLOWED_TO_SWITCH'])) {`
`341`	`341`	`return true;`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`// check for any roles you want`
`345`		`- if ($this->security->isGranted('ROLE_TECH_SUPPORT')) {`
	`345`	`+ if ($this->accessDecisionManager->isGranted($token, ['ROLE_TECH_SUPPORT'])) {`
`346`	`346`	`return true;`
`347`	`347`	`}`
`348`	`348`