NotificationsYou must be signed in to change notification settings
Fork9.6k
Star30.4k

Commit8d7316b

committed

[Security] Improve DX of recent additions

1 parentca6f399 commit8d7316bCopy full SHA for 8d7316b

File tree

22 files changed

+339

-381

lines changed

src/Symfony
- Bridge/Twig
  - Extension
    - SecurityExtension.php
  - Tests/Extension
    - SecurityExtensionTest.php
- Bundle/SecurityBundle
  - Resources/config
    - security.php
    - templating_twig.php
  - Security.php
- Component/Security
  - Core
    - Authentication/Token
      - UserAuthorizationCheckerToken.php
    - Authorization
    - CHANGELOG.md
    - Tests
      - Authentication/Token
        UserAuthorizationCheckerTokenTest.php
      - Authorization
        AuthorizationCheckerTest.php
        UserAuthorizationCheckerTest.php
        Voter
        AuthenticatedVoterTest.php
        ClosureVoterTest.php
  - Http
    - Attribute
      - IsGranted.php
      - IsGrantedContext.php
    - EventListener
      - IsGrantedAttributeListener.php
    - Tests
      - EventListener
        IsGrantedAttributeWithClosureListenerTest.php
      - Fixtures
        IsGrantedAttributeMethodsWithCallableController.php
        IsGrantedAttributeMethodsWithClosureController.php
        IsGrantedAttributeWithClosureController.php

22 files changed

+339

-381

lines changed

`‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,6 @@ final class SecurityExtension extends AbstractExtension`
`31`	`31`	`publicfunction__construct(`
`32`	`32`	`private ?AuthorizationCheckerInterface$securityChecker =null,`
`33`	`33`	`private ?ImpersonateUrlGenerator$impersonateUrlGenerator =null,`
`34`		`-private ?UserAuthorizationCheckerInterface$userSecurityChecker =null,`
`35`	`34`	`) {`
`36`	`35`	`}`
`37`	`36`
`@@ -58,8 +57,12 @@ public function isGranted(mixed $role, mixed $object = null, ?string $field = nu`
`58`	`57`
`59`	`58`	`publicfunctionisGrantedForUser(UserInterface$user,mixed$attribute,mixed$subject =null, ?string$field =null, ?AccessDecision$accessDecision =null):bool`
`60`	`59`	`{`
`61`		`-if (!$this->userSecurityChecker) {`
`62`		`-thrownew \LogicException(\sprintf('An instance of "%s" must be provided to use "%s()".', UserAuthorizationCheckerInterface::class,__METHOD__));`
	`60`	`+if (null ===$this->securityChecker) {`
	`61`	`+returnfalse;`
	`62`	`+ }`
	`63`	`+`
	`64`	`+if (!$this->securityCheckerinstanceof UserAuthorizationCheckerInterface) {`
	`65`	`+thrownew \LogicException(\sprintf('You cannot use "%s()" if the authorization checker doesn\'t implement "%s".%s',__METHOD__, UserAuthorizationCheckerInterface::class,interface_exists(UserAuthorizationCheckerInterface::class) ?' Try upgrading the "symfony/security-core" package to v7.3 minimum.' :''));`
`63`	`66`	`}`
`64`	`67`
`65`	`68`	`if (null !==$field) {`
`@@ -71,7 +74,7 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s`
`71`	`74`	`}`
`72`	`75`
`73`	`76`	`try {`
`74`		`-return$this->userSecurityChecker->isGrantedForUser($user,$attribute,$subject,$accessDecision);`
	`77`	`+return$this->securityChecker->isGrantedForUser($user,$attribute,$subject,$accessDecision);`
`75`	`78`	`}catch (AuthenticationCredentialsNotFoundException) {`
`76`	`79`	`returnfalse;`
`77`	`80`	`}`
`@@ -117,16 +120,13 @@ public function getFunctions(): array`
`117`	`120`	`{`
`118`	`121`	`$functions = [`
`119`	`122`	`newTwigFunction('is_granted',$this->isGranted(...)),`
	`123`	`+newTwigFunction('is_granted_for_user',$this->isGrantedForUser(...)),`
`120`	`124`	`newTwigFunction('impersonation_exit_url',$this->getImpersonateExitUrl(...)),`
`121`	`125`	`newTwigFunction('impersonation_exit_path',$this->getImpersonateExitPath(...)),`
`122`	`126`	`newTwigFunction('impersonation_url',$this->getImpersonateUrl(...)),`
`123`	`127`	`newTwigFunction('impersonation_path',$this->getImpersonatePath(...)),`
`124`	`128`	`];`
`125`	`129`
`126`		`-if ($this->userSecurityChecker) {`
`127`		`-$functions[] =newTwigFunction('is_granted_for_user',$this->isGrantedForUser(...));`
`128`		`- }`
`129`		`-`
`130`	`130`	`return$functions;`
`131`	`131`	`}`
`132`	`132`	`}`

`‎src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php`

Lines changed: 61 additions & 26 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,12 +15,23 @@`
`15`	`15`	`useSymfony\Bridge\PhpUnit\ClassExistsMock;`
`16`	`16`	`useSymfony\Bridge\Twig\Extension\SecurityExtension;`
`17`	`17`	`useSymfony\Component\Security\Acl\Voter\FieldVote;`
	`18`	`+useSymfony\Component\Security\Core\Authorization\AccessDecision;`
`18`	`19`	`useSymfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;`
`19`	`20`	`useSymfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;`
`20`	`21`	`useSymfony\Component\Security\Core\User\UserInterface;`
`21`	`22`
`22`	`23`	`class SecurityExtensionTestextends TestCase`
`23`	`24`	`{`
	`25`	`+publicstaticfunctionsetUpBeforeClass():void`
	`26`	`+ {`
	`27`	`+ ClassExistsMock::register(SecurityExtension::class);`
	`28`	`+ }`
	`29`	`+`
	`30`	`+protectedfunctiontearDown():void`
	`31`	`+ {`
	`32`	`+ ClassExistsMock::withMockedClasses([FieldVote::class =>true]);`
	`33`	`+ }`
	`34`	`+`
`24`	`35`	`/**`
`25`	`36`	`* @dataProvider provideObjectFieldAclCases`
`26`	`37`	`*/`
`@@ -39,17 +50,16 @@ public function testIsGrantedCreatesFieldVoteObjectWhenFieldNotNull($object, $fi`
`39`	`50`
`40`	`51`	`publicfunctiontestIsGrantedThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist()`
`41`	`52`	`{`
`42`		`-if (!class_exists(UserAuthorizationCheckerInterface::class)) {`
	`53`	`+if (!interface_exists(UserAuthorizationCheckerInterface::class)) {`
`43`	`54`	`$this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');`
`44`	`55`	`}`
`45`	`56`
`46`	`57`	`$securityChecker =$this->createMock(AuthorizationCheckerInterface::class);`
`47`	`58`
`48`		`- ClassExistsMock::register(SecurityExtension::class);`
`49`	`59`	`ClassExistsMock::withMockedClasses([FieldVote::class =>false]);`
`50`	`60`
`51`	`61`	`$this->expectException(\LogicException::class);`
`52`		`-$this->expectExceptionMessageMatches('Passing a $field to the "is_granted()" function requires symfony/acl.');`
	`62`	`+$this->expectExceptionMessage('Passing a $field to the "is_granted()" function requires symfony/acl.');`
`53`	`63`
`54`	`64`	`$securityExtension =newSecurityExtension($securityChecker);`
`55`	`65`	`$securityExtension->isGranted('ROLE','object','bar');`
`@@ -60,49 +70,74 @@ public function testIsGrantedThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist`
`60`	`70`	`*/`
`61`	`71`	`publicfunctiontestIsGrantedForUserCreatesFieldVoteObjectWhenFieldNotNull($object,$field,$expectedSubject)`
`62`	`72`	`{`
`63`		`-if (!class_exists(UserAuthorizationCheckerInterface::class)) {`
	`73`	`+if (!interface_exists(UserAuthorizationCheckerInterface::class)) {`
`64`	`74`	`$this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');`
`65`	`75`	`}`
`66`	`76`
`67`	`77`	`$user =$this->createMock(UserInterface::class);`
`68`		`-$userSecurityChecker =$this->createMock(UserAuthorizationCheckerInterface::class);`
`69`		`-$userSecurityChecker`
`70`		`- ->expects($this->once())`
`71`		`- ->method('isGrantedForUser')`
`72`		`- ->with($user,'ROLE',$expectedSubject)`
`73`		`- ->willReturn(true);`
	`78`	`+$securityChecker =$this->createMockAuthorizationChecker();`
`74`	`79`
`75`		`-$securityExtension =newSecurityExtension(null,null,$userSecurityChecker);`
	`80`	`+$securityExtension =newSecurityExtension($securityChecker);`
`76`	`81`	`$this->assertTrue($securityExtension->isGrantedForUser($user,'ROLE',$object,$field));`
	`82`	`+$this->assertSame($user,$securityChecker->user);`
	`83`	`+$this->assertSame('ROLE',$securityChecker->attribute);`
	`84`	`+`
	`85`	`+if (null ===$field) {`
	`86`	`+$this->assertSame($object,$securityChecker->subject);`
	`87`	`+ }else {`
	`88`	`+$this->assertEquals($expectedSubject,$securityChecker->subject);`
	`89`	`+ }`
	`90`	`+ }`
	`91`	`+`
	`92`	`+publicstaticfunctionprovideObjectFieldAclCases()`
	`93`	`+ {`
	`94`	`+return [`
	`95`	`+ [null,null,null],`
	`96`	`+ ['object',null,'object'],`
	`97`	`+ ['object',false,newFieldVote('object',false)],`
	`98`	`+ ['object',0,newFieldVote('object',0)],`
	`99`	`+ ['object','',newFieldVote('object','')],`
	`100`	`+ ['object','field',newFieldVote('object','field')],`
	`101`	`+ ];`
`77`	`102`	`}`
`78`	`103`
`79`	`104`	`publicfunctiontestIsGrantedForUserThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist()`
`80`	`105`	`{`
`81`		`-if (!class_exists(UserAuthorizationCheckerInterface::class)) {`
	`106`	`+if (!interface_exists(UserAuthorizationCheckerInterface::class)) {`
`82`	`107`	`$this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');`
`83`	`108`	`}`
`84`	`109`
`85`		`-$securityChecker =$this->createMock(UserAuthorizationCheckerInterface::class);`
	`110`	`+$securityChecker =$this->createMockAuthorizationChecker();`
`86`	`111`
`87`		`- ClassExistsMock::register(SecurityExtension::class);`
`88`	`112`	`ClassExistsMock::withMockedClasses([FieldVote::class =>false]);`
`89`	`113`
`90`	`114`	`$this->expectException(\LogicException::class);`
`91`		`-$this->expectExceptionMessageMatches('Passing a $field to the "is_granted_for_user()" function requires symfony/acl.');`
	`115`	`+$this->expectExceptionMessage('Passing a $field to the "is_granted_for_user()" function requires symfony/acl.');`
`92`	`116`
`93`		`-$securityExtension =newSecurityExtension(null,null,$securityChecker);`
`94`		`-$securityExtension->isGrantedForUser($this->createMock(UserInterface::class),'object','bar');`
	`117`	`+$securityExtension =newSecurityExtension($securityChecker);`
	`118`	`+$securityExtension->isGrantedForUser($this->createMock(UserInterface::class),'ROLE','object','bar');`
`95`	`119`	`}`
`96`	`120`
`97`		`-publicstaticfunctionprovideObjectFieldAclCases()`
	`121`	`+privatefunctioncreateMockAuthorizationChecker():AuthorizationCheckerInterface&UserAuthorizationCheckerInterface`
`98`	`122`	`{`
`99`		`-return [`
`100`		`- [null,null,null],`
`101`		`- ['object',null,'object'],`
`102`		`- ['object',false,newFieldVote('object',false)],`
`103`		`- ['object',0,newFieldVote('object',0)],`
`104`		`- ['object','',newFieldVote('object','')],`
`105`		`- ['object','field',newFieldVote('object','field')],`
`106`		`- ];`
	`123`	`+returnnewclassimplements AuthorizationCheckerInterface, UserAuthorizationCheckerInterface {`
	`124`	`+publicUserInterface$user;`
	`125`	`+publicmixed$attribute;`
	`126`	`+publicmixed$subject;`
	`127`	`+`
	`128`	`+publicfunctionisGranted(mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
	`129`	`+ {`
	`130`	`+thrownew \BadMethodCallException('This method should not be called.');`
	`131`	`+ }`
	`132`	`+`
	`133`	`+publicfunctionisGrantedForUser(UserInterface$user,mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
	`134`	`+ {`
	`135`	`+$this->user =$user;`
	`136`	`+$this->attribute =$attribute;`
	`137`	`+$this->subject =$subject;`
	`138`	`+`
	`139`	`+returntrue;`
	`140`	`+ }`
	`141`	`+ };`
`107`	`142`	`}`
`108`	`143`	`}`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php`

Lines changed: 3 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,6 @@`
`31`	`31`	`useSymfony\Component\Security\Core\Authorization\AuthorizationChecker;`
`32`	`32`	`useSymfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;`
`33`	`33`	`useSymfony\Component\Security\Core\Authorization\ExpressionLanguage;`
`34`		`-useSymfony\Component\Security\Core\Authorization\UserAuthorizationChecker;`
`35`	`34`	`useSymfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;`
`36`	`35`	`useSymfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;`
`37`	`36`	`useSymfony\Component\Security\Core\Authorization\Voter\ClosureVoter;`
`@@ -69,12 +68,7 @@`
`69`	`68`	`service('security.access.decision_manager'),`
`70`	`69`	`])`
`71`	`70`	`->alias(AuthorizationCheckerInterface::class,'security.authorization_checker')`
`72`		`-`
`73`		`- ->set('security.user_authorization_checker', UserAuthorizationChecker::class)`
`74`		`- ->args([`
`75`		`-service('security.access.decision_manager'),`
`76`		`- ])`
`77`		`- ->alias(UserAuthorizationCheckerInterface::class,'security.user_authorization_checker')`
	`71`	`+ ->alias(UserAuthorizationCheckerInterface::class,'security.authorization_checker')`
`78`	`72`
`79`	`73`	`->set('security.token_storage', UsageTrackingTokenStorage::class)`
`80`	`74`	`->args([`
`@@ -94,7 +88,7 @@`
`94`	`88`	`service_locator([`
`95`	`89`	`'security.token_storage' =>service('security.token_storage'),`
`96`	`90`	`'security.authorization_checker' =>service('security.authorization_checker'),`
`97`		`-'security.user_authorization_checker' =>service('security.user_authorization_checker'),`
	`91`	`+'security.user_authorization_checker' =>service('security.authorization_checker'),`
`98`	`92`	`'security.authenticator.managers_locator' =>service('security.authenticator.managers_locator')->ignoreOnInvalid(),`
`99`	`93`	`'request_stack' =>service('request_stack'),`
`100`	`94`	`'security.firewall.map' =>service('security.firewall.map'),`
`@@ -174,8 +168,7 @@`
`174`	`168`
`175`	`169`	`->set('security.access.closure_voter', ClosureVoter::class)`
`176`	`170`	`->args([`
`177`		`-service('security.access.decision_manager'),`
`178`		`-service('security.authentication.trust_resolver'),`
	`171`	`+service('security.authorization_checker'),`
`179`	`172`	`])`
`180`	`173`	`->tag('security.voter', ['priority' =>245])`
`181`	`174`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/templating_twig.php`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@`
`26`	`26`	`->args([`
`27`	`27`	`service('security.authorization_checker')->ignoreOnInvalid(),`
`28`	`28`	`service('security.impersonate_url_generator')->ignoreOnInvalid(),`
`29`		`-service('security.user_authorization_checker')->ignoreOnInvalid(),`
`30`	`29`	`])`
`31`	`30`	`->tag('twig.extension')`
`32`	`31`	`;`

`‎src/Symfony/Bundle/SecurityBundle/Security.php`

Lines changed: 11 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,17 @@ public function isGranted(mixed $attributes, mixed $subject = null, ?AccessDecis`
`65`	`65`	`->isGranted($attributes,$subject,$accessDecision);`
`66`	`66`	`}`
`67`	`67`
	`68`	`+/**`
	`69`	`+ * Checks if the attribute is granted against the user and optionally supplied subject.`
	`70`	`+ *`
	`71`	`+ * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.`
	`72`	`+ */`
	`73`	`+publicfunctionisGrantedForUser(UserInterface$user,mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
	`74`	`+ {`
	`75`	`+return$this->container->get('security.user_authorization_checker')`
	`76`	`+ ->isGrantedForUser($user,$attribute,$subject,$accessDecision);`
	`77`	`+ }`
	`78`	`+`
`68`	`79`	`publicfunctiongetToken(): ?TokenInterface`
`69`	`80`	`{`
`70`	`81`	`return$this->container->get('security.token_storage')->getToken();`
`@@ -150,17 +161,6 @@ public function logout(bool $validateCsrfToken = true): ?Response`
`150`	`161`	`return$logoutEvent->getResponse();`
`151`	`162`	`}`
`152`	`163`
`153`		`-/**`
`154`		`- * Checks if the attribute is granted against the user and optionally supplied subject.`
`155`		`- *`
`156`		`- * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.`
`157`		`- */`
`158`		`-publicfunctionisGrantedForUser(UserInterface$user,mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
`159`		`- {`
`160`		`-return$this->container->get('security.user_authorization_checker')`
`161`		`- ->isGrantedForUser($user,$attribute,$subject,$accessDecision);`
`162`		`- }`
`163`		`-`
`164`	`164`	`privatefunctiongetAuthenticator(?string$authenticatorName,string$firewallName):AuthenticatorInterface`
`165`	`165`	`{`
`166`	`166`	`if (!isset($this->authenticators[$firewallName])) {`

`‎src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php`

Lines changed: 0 additions & 31 deletions

This file was deleted.

`‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php`

Lines changed: 20 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,11 @@`
`11`	`11`
`12`	`12`	`namespaceSymfony\Component\Security\Core\Authorization;`
`13`	`13`
	`14`	`+useSymfony\Component\Security\Core\Authentication\Token\AbstractToken;`
`14`	`15`	`useSymfony\Component\Security\Core\Authentication\Token\NullToken;`
	`16`	`+useSymfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;`
`15`	`17`	`useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
	`18`	`+useSymfony\Component\Security\Core\User\UserInterface;`
`16`	`19`
`17`	`20`	`/**`
`18`	`21`	`* AuthorizationChecker is the main authorization point of the Security component.`
`@@ -22,8 +25,9 @@`
`22`	`25`	`* @author Fabien Potencier <fabien@symfony.com>`
`23`	`26`	`* @author Johannes M. Schmitt <schmittjoh@gmail.com>`
`24`	`27`	`*/`
`25`		`-class AuthorizationCheckerimplements AuthorizationCheckerInterface`
	`28`	`+class AuthorizationCheckerimplements AuthorizationCheckerInterface, UserAuthorizationCheckerInterface`
`26`	`29`	`{`
	`30`	`+privatearray$tokenStack = [];`
`27`	`31`	`privatearray$accessDecisionStack = [];`
`28`	`32`
`29`	`33`	`publicfunction__construct(`
`@@ -34,7 +38,7 @@ public function __construct(`
`34`	`38`
`35`	`39`	`finalpublicfunctionisGranted(mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
`36`	`40`	`{`
`37`		`-$token =$this->tokenStorage->getToken();`
	`41`	`+$token =end($this->tokenStack) ?:$this->tokenStorage->getToken();`
`38`	`42`
`39`	`43`	`if (!$token \|\| !$token->getUser()) {`
`40`	`44`	`$token =newNullToken();`
`@@ -48,4 +52,18 @@ final public function isGranted(mixed $attribute, mixed $subject = null, ?Access`
`48`	`52`	`array_pop($this->accessDecisionStack);`
`49`	`53`	`}`
`50`	`54`	`}`
	`55`	`+`
	`56`	`+finalpublicfunctionisGrantedForUser(UserInterface$user,mixed$attribute,mixed$subject =null, ?AccessDecision$accessDecision =null):bool`
	`57`	`+ {`
	`58`	`+$token =newclass($user->getRoles())extends AbstractTokenimplements OfflineTokenInterface {};`
	`59`	`+$token->setUser($user);`
	`60`	`+$this->tokenStack[] =$token;`
	`61`	`+`
	`62`	`+try {`
	`63`	`+return$this->isGranted($attribute,$subject,$accessDecision);`
	`64`	`+ }finally {`
	`65`	`+array_pop($this->tokenStack);`
	`66`	`+array_pop($this->accessDecisionStack);`
	`67`	`+ }`
	`68`	`+ }`
`51`	`69`	`}`

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit8d7316b

File tree

22 files changed

22 files changed

`‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php`

`‎src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/templating_twig.php`

`‎src/Symfony/Bundle/SecurityBundle/Security.php`

`‎src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php`

`‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php`

`‎src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php`

0 commit comments