From 40bbd81828be424d8dcf92a5e8fdfd46bb9a6493 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Thu, 16 Apr 2020 17:15:32 +0200 Subject: [PATCH 1/8] Explaining controllers as viable alternative See https://github.com/symfony/symfony-docs/issues/13406#issuecomment-614697619 --- security/voters.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/security/voters.rst b/security/voters.rst index 8fe7070c736..cc7cdaff2f4 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -31,6 +31,17 @@ in the application, which can be: affirmative, consensus or unanimous. For more information take a look at :ref:`the section about access decision managers `. +The example used throughout this page features just two routes (``post_show`` and ``post_edit``). +However, the main advantage of voters is that you can reuse them in *many* controllers. So if you +really need to secure just one or two routes, you can get away without setting up voters, by +doing the check right inside your controller(s):: + + // src/AppBundle/Controller/PostController.php + + if ($post->getOwner() !== $this->getUser()) { + throw new AccessDeniedException(); + } + The Voter Interface ------------------- From 2bc5c541e20aa339de7341b02fb78f5e2e9cb6df Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Thu, 16 Apr 2020 17:27:50 +0200 Subject: [PATCH 2/8] Update voters.rst Fixing https://github.com/symfony/symfony-docs/pull/13554/checks?check_run_id=592603240 --- security/voters.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/security/voters.rst b/security/voters.rst index cc7cdaff2f4..8fa5f14b767 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -37,7 +37,6 @@ really need to secure just one or two routes, you can get away without setting u doing the check right inside your controller(s):: // src/AppBundle/Controller/PostController.php - if ($post->getOwner() !== $this->getUser()) { throw new AccessDeniedException(); } 
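Review bot: in patch 1/8, the `if ($post->getOwner() !== $this->getUser())` check in the new controller snippet only covers the authenticated case: `$this->getUser()` returns null for an anonymous request, so if `getOwner()` can also be null the comparison passes and nothing is denied; a strict `!==` between two objects also depends on both being the same instance rather than the same user. Suggest stating in the prose that the route must already require an authenticated user (or adding that check before the comparison) and comparing a stable identifier rather than the objects. The snippet also references `AccessDeniedException` without importing it, so it will not run as pasted; add the `use` line or throw the controller's `createAccessDeniedException()` helper instead.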
From 164aec4dd1af7f98e202788e17fe70f6017b8640 Mon Sep 17 00:00:00 2001 From: Wouter J Date: Thu, 16 Apr 2020 18:55:05 +0200 Subject: [PATCH 3/8] [#13554] Slightly reworded the tip --- security/voters.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/security/voters.rst b/security/voters.rst index 8fa5f14b767..a07a906d78c 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -31,15 +31,20 @@ in the application, which can be: affirmative, consensus or unanimous. For more information take a look at :ref:`the section about access decision managers `. -The example used throughout this page features just two routes (``post_show`` and ``post_edit``). -However, the main advantage of voters is that you can reuse them in *many* controllers. So if you -really need to secure just one or two routes, you can get away without setting up voters, by -doing the check right inside your controller(s):: +.. tip:: - // src/AppBundle/Controller/PostController.php - if ($post->getOwner() !== $this->getUser()) { - throw new AccessDeniedException(); - } + The advantage of voters is that you can reuse them in *many* places and centralize + all permission logic. If you don't reuse permissions and the permissions are simple, + you might want to do the check in the controller directly and throw an ``AccessDeniedException`` + to create the correct response:: + + // src/AppBundle/Controller/PostController.php + use Symfony\Component\Security\Core\Exception\AccessDeniedException; + + // ... + if ($post->getOwner() !== $this->getUser()) { + throw new AccessDeniedException(); + } The Voter Interface ------------------- From 221bbb159ec8d8b07edce001ab8657166988de0e Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Thu, 16 Apr 2020 19:05:12 +0200 Subject: [PATCH 4/8] Update voters.rst --- security/voters.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/security/voters.rst b/security/voters.rst index a07a906d78c..0f2b8f05bc6 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -33,9 +33,10 @@ For more information take a look at .. tip:: - The advantage of voters is that you can reuse them in *many* places and centralize - all permission logic. If you don't reuse permissions and the permissions are simple, - you might want to do the check in the controller directly and throw an ``AccessDeniedException`` + The example used throughout this page features just two routes (``post_show`` and ``post_edit``). + However, the advantage of voters is that you can reuse them in *many* places and centralize + all permission logic. If you don't reuse permissions and the rules are simple, you instead + might want to do the check in the controller directly and throw an ``AccessDeniedException`` to create the correct response:: // src/AppBundle/Controller/PostController.php From fdfd1adab43eead11822b7788d0ba869f427ad94 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 17 Apr 2020 12:25:40 +0200 Subject: [PATCH 5/8] Update security/voters.rst Co-Authored-By: Antoine Makdessi --- security/voters.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/voters.rst b/security/voters.rst index 0f2b8f05bc6..99c6eca2b48 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -35,7 +35,7 @@ For more information take a look at The example used throughout this page features just two routes (``post_show`` and ``post_edit``). However, the advantage of voters is that you can reuse them in *many* places and centralize - all permission logic. If you don't reuse permissions and the rules are simple, you instead + all permission logic. If you don't reuse permissions or the rules are basic, you instead might want to do the check in the controller directly and throw an ``AccessDeniedException`` to create the correct response:: 
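Review bot: in patch 3/8, the tip's snippet imports `AccessDeniedException` and throws it directly; since the snippet is inside a controller (`PostController.php`), `throw $this->createAccessDeniedException();` gives the same 403 response without the `use` line. The `// src/AppBundle/Controller/PostController.php` comment immediately followed by the `use` statement also reads as if the import sits at the top of a file with no namespace; moving the `// ...` elision above the `use` line would make clear that surrounding code is omitted.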
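Review bot: in patch 4/8, "you instead might want to do the check" places the adverb awkwardly; "you might instead want to do the check" reads better. The added opening sentence about the two routes (`post_show` and `post_edit`) repeats what the page's own example already shows; consider dropping it so the tip opens directly with the reuse and centralization argument.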
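Review bot: in patch 5/8, changing "and" to "or" ("If you don't reuse permissions or the rules are basic") makes the advice contradict the sentence before it: a rule that is reused in many places is exactly the case the tip says voters are for, yet with "or" a basic rule would be pushed into the controller even when it is reused. Keep "and" so both conditions must hold, or reword to "If a permission is checked in a single place and the rule is basic".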
From 577dfa22ae5b85429430235fb91f9a4528d4489f Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 17 Apr 2020 13:27:29 +0200 Subject: [PATCH 6/8] Update voters.rst See https://github.com/symfony/symfony-docs/pull/13554#discussion_r410150210 --- security/voters.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/security/voters.rst b/security/voters.rst index 99c6eca2b48..cfbe28d215c 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -40,11 +40,10 @@ For more information take a look at to create the correct response:: // src/AppBundle/Controller/PostController.php - use Symfony\Component\Security\Core\Exception\AccessDeniedException; - // ... + if ($post->getOwner() !== $this->getUser()) { - throw new AccessDeniedException(); + throw $this-> createAccessDeniedException(); } The Voter Interface From bb0872a149cf6d4545f17a49b96dcbd96449b6b5 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 17 Apr 2020 14:26:02 +0200 Subject: [PATCH 7/8] Update voters.rst Trying to merge the suggestions of 4 people ;-) What's really odd is that on this dedicated voters page, the reader is referred to someplace else for more info on voters ;-) > Take a look at the authorization article for an even deeper understanding on voters. So in the long run, these two should be merged - or at least the voters part integrated into this page. --- security/voters.rst | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/security/voters.rst b/security/voters.rst index cfbe28d215c..7934d594810 100644 --- a/security/voters.rst +++ b/security/voters.rst 
@@ -6,8 +6,22 @@ How to Use Voters to Check User Permissions =========================================== -Security voters are the most granular way of checking permissions (e.g. "can this -specific user edit the given item?"). This article explains voters in detail. +Voters are Symfony's most powerful way of managing permissions. They allow you +to centralize all permission logic, then reuse them in many places. + +However, if you don't reuse permissions or your rules are basic, you can always +put that logic directly into your controller instead. Here's an example how +this could look like, if you want to make a route accessible to the "owner" only:: + + // src/AppBundle/Controller/PostController.php + // ... + + if ($post->getOwner() !== $this->getUser()) { + throw $this->createAccessDeniedException(); + } + +In that sense, the following example used throughout this page is more like a +minimal example for voters, rather than a real-world use case. .. tip:: @@ -15,10 +29,7 @@ specific user edit the given item?"). This article explains voters in detail. :doc:`authorization ` article for an even deeper understanding on voters. -How Symfony Uses Voters ------------------------ - -In order to use voters, you have to understand how Symfony works with them. +Here's how Symfony works with voters: All voters are called each time you use the ``isGranted()`` method on Symfony's authorization checker or call ``denyAccessUnlessGranted`` in a controller (which uses the authorization checker), or by 
@@ -31,21 +42,6 @@ in the application, which can be: affirmative, consensus or unanimous. For more information take a look at :ref:`the section about access decision managers `. -.. tip:: - - The example used throughout this page features just two routes (``post_show`` and ``post_edit``). - However, the advantage of voters is that you can reuse them in *many* places and centralize - all permission logic. If you don't reuse permissions or the rules are basic, you instead - might want to do the check in the controller directly and throw an ``AccessDeniedException`` - to create the correct response:: - - // src/AppBundle/Controller/PostController.php - // ... - - if ($post->getOwner() !== $this->getUser()) { - throw $this-> createAccessDeniedException(); - } - The Voter Interface ------------------- From 15c4adc8e7f227ac9c694f2a9d0292259a638038 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Tue, 21 Apr 2020 13:43:38 +0200 Subject: [PATCH 8/8] Update voters.rst See https://github.com/symfony/symfony-docs/pull/13554#discussion_r411850997 --- security/voters.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/voters.rst b/security/voters.rst index 7934d594810..2d8e1ea1467 100644 --- a/security/voters.rst +++ b/security/voters.rst @@ -20,8 +20,8 @@ this could look like, if you want to make a route accessible to the "owner" only throw $this->createAccessDeniedException(); } -In that sense, the following example used throughout this page is more like a -minimal example for voters, rather than a real-world use case. +In that sense, the following example used throughout this page is a minimal +example for voters. .. tip::
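Review bot: in patch 6/8, `throw $this-> createAccessDeniedException();` has a stray space after `->`; it should read `throw $this->createAccessDeniedException();`. Removing the `use` line is correct once the helper is used, but the hunk also re-adds a blank line inside the literal block after `// ...`; patch 2/8 removed a blank line in this same block to satisfy the docs lint check, so verify the linter accepts this one before merging.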
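Review bot: in patch 7/8, the first hunk (`@@ -6,8`) replaces the definitional opening sentence ("Security voters are the most granular way of checking permissions (e.g. 'can this specific user edit the given item?')") with "Voters are Symfony's most powerful way of managing permissions", so the page no longer says what a voter is before contrasting it with controller checks; keep the definition and add the centralization and reuse point after it. "Here's an example how this could look like" is ungrammatical; use "Here is how this could look" (and "accessible to the owner only"). The controller snippet's `!==` comparison also does not deny access on its own when `$this->getUser()` is null for an anonymous request and `getOwner()` is null as well, so the surrounding text should say the route must already require an authenticated user.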
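Review bot: in patch 7/8, the second hunk (`@@ -15,10`) deletes the "How Symfony Uses Voters" section heading and replaces its lead sentence with "Here's how Symfony works with voters:", which leaves the explanation of `isGranted()`, `denyAccessUnlessGranted` and the access decision manager without a heading and drops the section anchor that other pages or external links may point to. Keep the heading (the reworded sentence can still follow it) and end that sentence with a period rather than a colon, since what follows is a paragraph, not a list.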