NotificationsYou must be signed in to change notification settings
Fork9.6k
Star30.4k

Commitcbab5a8

committed

minor#60550 [Security] do not construct Vote instances inside vote() (xabbuh)

This PR was merged into the 7.3 branch.Discussion----------[Security] do not construct Vote instances inside vote()| Q | A| ------------- | ---| Branch? | 7.3| Bug fix? | no| New feature? | no| Deprecations? | no| Issues || License | MITThe so constructed objects will never be seen from the outside. Thus, adding reasons to them doesn't have an effect.Commits-------5aaa978 do not construct Vote instances inside vote()

2 parents69018fe +5aaa978 commitcbab5a8Copy full SHA for cbab5a8

File tree

9 files changed

+55

-34

lines changed

UPGRADE-7.3.md
src/Symfony/Component/Security
- Core
  - Authorization/Voter
  - Tests/Authorization/Voter
    - VoterTest.php
- Http/Tests/EventListener
  - IsGrantedAttributeListenerTest.php

9 files changed

+55

-34

lines changed

`‎UPGRADE-7.3.md`

Lines changed: 1 addition & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -179,9 +179,7 @@ Security`
`179`	`179`	```php
`180`	`180`	`protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool`
`181`	`181`	`{`
`182`		`- $vote ??= new Vote();`
`183`		`-`
`184`		`- $vote->reasons[] = 'A brief explanation of why access is granted or denied, as appropriate.';`
	`182`	`+ $vote?->addReason('A brief explanation of why access is granted or denied, as appropriate.');`
`185`	`183`	`}`
`186`	`184`	```
`187`	`185`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/AuthenticatedVoter.php`

Lines changed: 8 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,11 +45,10 @@ public function __construct(`
`45`	`45`	`*/`
`46`	`46`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes/* , ?Vote $vote = null */):int`
`47`	`47`	`{`
`48`		`-$vote =3 <\func_num_args() ?func_get_arg(3) :newVote();`
`49`		`-$vote ??=newVote();`
	`48`	`+$vote =3 <\func_num_args() ?func_get_arg(3) :null;`
`50`	`49`
`51`	`50`	`if ($attributes === [self::PUBLIC_ACCESS]) {`
`52`		`-$vote->reasons[] ='Access is public.';`
	`51`	`+$vote?->addReason('Access is public.');`
`53`	`52`
`54`	`53`	`return VoterInterface::ACCESS_GRANTED;`
`55`	`54`	`}`
`@@ -73,40 +72,40 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`73`	`72`	`if ((self::IS_AUTHENTICATED_FULLY ===$attribute \|\|self::IS_AUTHENTICATED_REMEMBERED ===$attribute)`
`74`	`73`	`&&$this->authenticationTrustResolver->isFullFledged($token)`
`75`	`74`	`) {`
`76`		`-$vote->reasons[] ='The user is fully authenticated.';`
	`75`	`+$vote?->addReason('The user is fully authenticated.');`
`77`	`76`
`78`	`77`	`return VoterInterface::ACCESS_GRANTED;`
`79`	`78`	`}`
`80`	`79`
`81`	`80`	`if (self::IS_AUTHENTICATED_REMEMBERED ===$attribute`
`82`	`81`	`&&$this->authenticationTrustResolver->isRememberMe($token)`
`83`	`82`	`) {`
`84`		`-$vote->reasons[] ='The user is remembered.';`
	`83`	`+$vote?->addReason('The user is remembered.');`
`85`	`84`
`86`	`85`	`return VoterInterface::ACCESS_GRANTED;`
`87`	`86`	`}`
`88`	`87`
`89`	`88`	`if (self::IS_AUTHENTICATED ===$attribute &&$this->authenticationTrustResolver->isAuthenticated($token)) {`
`90`		`-$vote->reasons[] ='The user is authenticated.';`
	`89`	`+$vote?->addReason('The user is authenticated.');`
`91`	`90`
`92`	`91`	`return VoterInterface::ACCESS_GRANTED;`
`93`	`92`	`}`
`94`	`93`
`95`	`94`	`if (self::IS_REMEMBERED ===$attribute &&$this->authenticationTrustResolver->isRememberMe($token)) {`
`96`		`-$vote->reasons[] ='The user is remembered.';`
	`95`	`+$vote?->addReason('The user is remembered.');`
`97`	`96`
`98`	`97`	`return VoterInterface::ACCESS_GRANTED;`
`99`	`98`	`}`
`100`	`99`
`101`	`100`	`if (self::IS_IMPERSONATOR ===$attribute &&$tokeninstanceof SwitchUserToken) {`
`102`		`-$vote->reasons[] ='The user is impersonating another user.';`
	`101`	`+$vote?->addReason('The user is impersonating another user.');`
`103`	`102`
`104`	`103`	`return VoterInterface::ACCESS_GRANTED;`
`105`	`104`	`}`
`106`	`105`	`}`
`107`	`106`
`108`	`107`	`if (VoterInterface::ACCESS_DENIED ===$result) {`
`109`		`-$vote->reasons[] ='The user is not appropriately authenticated.';`
	`108`	`+$vote?->addReason('The user is not appropriately authenticated.');`
`110`	`109`	`}`
`111`	`110`
`112`	`111`	`return$result;`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/ClosureVoter.php`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,6 @@ public function supportsType(string $subjectType): bool`
`42`	`42`
`43`	`43`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes, ?Vote$vote =null):int`
`44`	`44`	`{`
`45`		`-$vote ??=newVote();`
`46`	`45`	`$context =newIsGrantedContext($token,$token->getUser(),$this->authorizationChecker);`
`47`	`46`	`$failingClosures = [];`
`48`	`47`	`$result = VoterInterface::ACCESS_ABSTAIN;`
`@@ -54,7 +53,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes, ?`
`54`	`53`	`$name = (new \ReflectionFunction($attribute))->name;`
`55`	`54`	`$result = VoterInterface::ACCESS_DENIED;`
`56`	`55`	`if ($attribute($context,$subject)) {`
`57`		`-$vote->reasons[] =\sprintf('Closure %s returned true.',$name);`
	`56`	`+$vote?->addReason(\sprintf('Closure %s returned true.',$name));`
`58`	`57`
`59`	`58`	`return VoterInterface::ACCESS_GRANTED;`
`60`	`59`	`}`
`@@ -63,7 +62,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes, ?`
`63`	`62`	`}`
`64`	`63`
`65`	`64`	`if ($failingClosures) {`
`66`		`-$vote->reasons[] =\sprintf('Closure%s %s returned false.',1 <\count($failingClosures) ?'s' :'',implode(',',$failingClosures));`
	`65`	`+$vote?->addReason(\sprintf('Closure%s %s returned false.',1 <\count($failingClosures) ?'s' :'',implode(',',$failingClosures)));`
`67`	`66`	`}`
`68`	`67`
`69`	`68`	`return$result;`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php`

Lines changed: 3 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,8 +49,7 @@ public function supportsType(string $subjectType): bool`
`49`	`49`	`*/`
`50`	`50`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes/* , ?Vote $vote = null */):int`
`51`	`51`	`{`
`52`		`-$vote =3 <\func_num_args() ?func_get_arg(3) :newVote();`
`53`		`-$vote ??=newVote();`
	`52`	`+$vote =3 <\func_num_args() ?func_get_arg(3) :null;`
`54`	`53`	`$result = VoterInterface::ACCESS_ABSTAIN;`
`55`	`54`	`$variables =null;`
`56`	`55`	`$failingExpressions = [];`
`@@ -64,7 +63,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`64`	`63`	`$result = VoterInterface::ACCESS_DENIED;`
`65`	`64`
`66`	`65`	`if ($this->expressionLanguage->evaluate($attribute,$variables)) {`
`67`		`-$vote->reasons[] =\sprintf('Expression (%s) is true.',$attribute);`
	`66`	`+$vote?->addReason(\sprintf('Expression (%s) is true.',$attribute));`
`68`	`67`
`69`	`68`	`return VoterInterface::ACCESS_GRANTED;`
`70`	`69`	`}`
`@@ -73,7 +72,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`73`	`72`	`}`
`74`	`73`
`75`	`74`	`if ($failingExpressions) {`
`76`		`-$vote->reasons[] =\sprintf('Expression (%s) is false.',implode(') \|\| (',$failingExpressions));`
	`75`	`+$vote?->addReason(\sprintf('Expression (%s) is false.',implode(') \|\| (',$failingExpressions)));`
`77`	`76`	`}`
`78`	`77`
`79`	`78`	`return$result;`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php`

Lines changed: 3 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,7 @@ public function __construct(`
`30`	`30`	`*/`
`31`	`31`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes/* , ?Vote $vote = null */):int`
`32`	`32`	`{`
`33`		`-$vote =3 <\func_num_args() ?func_get_arg(3) :newVote();`
`34`		`-$vote ??=newVote();`
	`33`	`+$vote =3 <\func_num_args() ?func_get_arg(3) :null;`
`35`	`34`	`$result = VoterInterface::ACCESS_ABSTAIN;`
`36`	`35`	`$roles =$this->extractRoles($token);`
`37`	`36`	`$missingRoles = [];`
`@@ -44,7 +43,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`44`	`43`	`$result = VoterInterface::ACCESS_DENIED;`
`45`	`44`
`46`	`45`	`if (\in_array($attribute,$roles,true)) {`
`47`		`-$vote->reasons[] =\sprintf('The user has %s.',$attribute);`
	`46`	`+$vote?->addReason(\sprintf('The user has %s.',$attribute));`
`48`	`47`
`49`	`48`	`return VoterInterface::ACCESS_GRANTED;`
`50`	`49`	`}`
`@@ -53,7 +52,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`53`	`52`	`}`
`54`	`53`
`55`	`54`	`if (VoterInterface::ACCESS_DENIED ===$result) {`
`56`		`-$vote->reasons[] =\sprintf('The user doesn\'t have%s %s.',1 <\count($missingRoles) ?' any of' :'',implode(',',$missingRoles));`
	`55`	`+$vote?->addReason(\sprintf('The user doesn\'t have%s %s.',1 <\count($missingRoles) ?' any of' :'',implode(',',$missingRoles)));`
`57`	`56`	`}`
`58`	`57`
`59`	`58`	`return$result;`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,9 +32,9 @@ public function __construct(`
`32`	`32`
`33`	`33`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes, ?Vote$vote =null):int`
`34`	`34`	`{`
`35`		`-$result =$this->voter->vote($token,$subject,$attributes,$vote ??=newVote());`
	`35`	`+$result =$this->voter->vote($token,$subject,$attributes,$vote);`
`36`	`36`
`37`		`-$this->eventDispatcher->dispatch(newVoteEvent($this->voter,$subject,$attributes,$result,$vote->reasons),'debug.security.authorization.vote');`
	`37`	`+$this->eventDispatcher->dispatch(newVoteEvent($this->voter,$subject,$attributes,$result,$vote->reasons ?? []),'debug.security.authorization.vote');`
`38`	`38`
`39`	`39`	`return$result;`
`40`	`40`	`}`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php`

Lines changed: 17 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,10 +29,9 @@ abstract class Voter implements VoterInterface, CacheableVoterInterface`
`29`	`29`	`*/`
`30`	`30`	`publicfunctionvote(TokenInterface$token,mixed$subject,array$attributes/* , ?Vote $vote = null */):int`
`31`	`31`	`{`
`32`		`-$vote =3 <\func_num_args() ?func_get_arg(3) :newVote();`
`33`		`-$vote ??=newVote();`
	`32`	`+$vote =3 <\func_num_args() ?func_get_arg(3) :null;`
`34`	`33`	`// abstain vote by default in case none of the attributes are supported`
`35`		`-$vote->result =self::ACCESS_ABSTAIN;`
	`34`	`+$voteResult =self::ACCESS_ABSTAIN;`
`36`	`35`
`37`	`36`	`foreach ($attributesas$attribute) {`
`38`	`37`	`try {`
`@@ -48,15 +47,27 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes/*`
`48`	`47`	`}`
`49`	`48`
`50`	`49`	`// as soon as at least one attribute is supported, default is to deny access`
`51`		`-$vote->result =self::ACCESS_DENIED;`
	`50`	`+$voteResult =self::ACCESS_DENIED;`
	`51`	`+`
	`52`	`+if (null !==$vote) {`
	`53`	`+$vote->result =$voteResult;`
	`54`	`+ }`
`52`	`55`
`53`	`56`	`if ($this->voteOnAttribute($attribute,$subject,$token,$vote)) {`
`54`	`57`	`// grant access as soon as at least one attribute returns a positive response`
`55`		`-return$vote->result =self::ACCESS_GRANTED;`
	`58`	`+if (null !==$vote) {`
	`59`	`+$vote->result =self::ACCESS_GRANTED;`
	`60`	`+ }`
	`61`	`+`
	`62`	`+returnself::ACCESS_GRANTED;`
`56`	`63`	`}`
`57`	`64`	`}`
`58`	`65`
`59`		`-return$vote->result;`
	`66`	`+if (null !==$vote) {`
	`67`	`+$vote->result =$voteResult;`
	`68`	`+ }`
	`69`	`+`
	`70`	`+return$voteResult;`
`60`	`71`	`}`
`61`	`72`
`62`	`73`	`/**`

`‎src/Symfony/Component/Security/Core/Tests/Authorization/Voter/VoterTest.php`

Lines changed: 18 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,35 +33,51 @@ public static function getTests(): array`
`33`	`33`
`34`	`34`	`return [`
`35`	`35`	`[$voter, ['EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute and class are supported and attribute grants access'],`
	`36`	`+ [$voter, ['EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute and class are supported and attribute grants access',newVote()],`
`36`	`37`	`[$voter, ['CREATE'], VoterInterface::ACCESS_DENIED,new \stdClass(),'ACCESS_DENIED if attribute and class are supported and attribute does not grant access'],`
	`38`	`+ [$voter, ['CREATE'], VoterInterface::ACCESS_DENIED,new \stdClass(),'ACCESS_DENIED if attribute and class are supported and attribute does not grant access',newVote()],`
`37`	`39`
`38`	`40`	`[$voter, ['DELETE','EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if one attribute is supported and grants access'],`
	`41`	`+ [$voter, ['DELETE','EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if one attribute is supported and grants access',newVote()],`
`39`	`42`	`[$voter, ['DELETE','CREATE'], VoterInterface::ACCESS_DENIED,new \stdClass(),'ACCESS_DENIED if one attribute is supported and denies access'],`
	`43`	`+ [$voter, ['DELETE','CREATE'], VoterInterface::ACCESS_DENIED,new \stdClass(),'ACCESS_DENIED if one attribute is supported and denies access',newVote()],`
`40`	`44`
`41`	`45`	`[$voter, ['CREATE','EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if one attribute grants access'],`
	`46`	`+ [$voter, ['CREATE','EDIT'], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if one attribute grants access',newVote()],`
`42`	`47`
`43`	`48`	`[$voter, ['DELETE'], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if no attribute is supported'],`
	`49`	`+ [$voter, ['DELETE'], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if no attribute is supported',newVote()],`
`44`	`50`
`45`	`51`	`[$voter, ['EDIT'], VoterInterface::ACCESS_ABSTAIN,newclass {},'ACCESS_ABSTAIN if class is not supported'],`
	`52`	`+ [$voter, ['EDIT'], VoterInterface::ACCESS_ABSTAIN,newclass {},'ACCESS_ABSTAIN if class is not supported',newVote()],`
`46`	`53`
`47`	`54`	`[$voter, ['EDIT'], VoterInterface::ACCESS_ABSTAIN,null,'ACCESS_ABSTAIN if object is null'],`
	`55`	`+ [$voter, ['EDIT'], VoterInterface::ACCESS_ABSTAIN,null,'ACCESS_ABSTAIN if object is null',newVote()],`
`48`	`56`
`49`	`57`	`[$voter, [], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if no attributes were provided'],`
	`58`	`+ [$voter, [], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if no attributes were provided',newVote()],`
`50`	`59`
`51`	`60`	`[$voter, [newStringableAttribute()], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute and class are supported and attribute grants access'],`
	`61`	`+ [$voter, [newStringableAttribute()], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute and class are supported and attribute grants access',newVote()],`
`52`	`62`
`53`	`63`	`[$voter, [new \stdClass()], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if attributes were not strings'],`
	`64`	`+ [$voter, [new \stdClass()], VoterInterface::ACCESS_ABSTAIN,new \stdClass(),'ACCESS_ABSTAIN if attributes were not strings',newVote()],`
`54`	`65`
`55`	`66`	`[$integerVoter, [42], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute is an integer'],`
	`67`	`+ [$integerVoter, [42], VoterInterface::ACCESS_GRANTED,new \stdClass(),'ACCESS_GRANTED if attribute is an integer',newVote()],`
`56`	`68`	`];`
`57`	`69`	`}`
`58`	`70`
`59`	`71`	`/**`
`60`	`72`	`* @dataProvider getTests`
`61`	`73`	`*/`
`62`		`-publicfunctiontestVote(VoterInterface$voter,array$attributes,$expectedVote,$object,$message)`
	`74`	`+publicfunctiontestVote(VoterInterface$voter,array$attributes,$expectedVote,$object,$message, ?Vote$vote =null)`
`63`	`75`	`{`
`64`		`-$this->assertEquals($expectedVote,$voter->vote($this->token,$object,$attributes),$message);`
	`76`	`+$this->assertSame($expectedVote,$voter->vote($this->token,$object,$attributes,$vote),$message);`
	`77`	`+`
	`78`	`+if (null !==$vote) {`
	`79`	`+self::assertSame($expectedVote,$vote->result);`
	`80`	`+ }`
`65`	`81`	`}`
`66`	`82`
`67`	`83`	`publicfunctiontestVoteWithTypeError()`

`‎src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ protected function supports(string $attribute, mixed $subject): bool`
`232`	`232`
`233`	`233`	`protectedfunctionvoteOnAttribute(string$attribute,mixed$subject,TokenInterface$token, ?Vote$vote =null):bool`
`234`	`234`	`{`
`235`		`-$vote->reasons[] ='Because I can 😈.';`
	`235`	`+$vote?->addReason('Because I can 😈.');`
`236`	`236`
`237`	`237`	`returnfalse;`
`238`	`238`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitcbab5a8

File tree

9 files changed

9 files changed

`‎UPGRADE-7.3.md`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/AuthenticatedVoter.php`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/ClosureVoter.php`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php`

`‎src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php`

`‎src/Symfony/Component/Security/Core/Tests/Authorization/Voter/VoterTest.php`

`‎src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php`

0 commit comments