Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] Add setVoters() on AccessDecisionManager#14733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
fabpot merged 1 commit intosymfony:2.8fromnicolas-grekas:allow-no-voters
Jun 1, 2015

Conversation

nicolas-grekas
Copy link
Member

QA
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed ticketspartially#12360
LicenseMIT
Doc PR-

Alternative for#14550

@@ -41,12 +41,8 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
*
* @throws \InvalidArgumentException
*/
public function __construct(array $voters, $strategy = self::STRATEGY_AFFIRMATIVE, $allowIfAllAbstainDecisions = false, $allowIfEqualGrantedDeniedDecisions = true)
public function __construct(array $voters = array(), $strategy = self::STRATEGY_AFFIRMATIVE, $allowIfAllAbstainDecisions = false, $allowIfEqualGrantedDeniedDecisions = true)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't see how it would make a difference anyway, but we don't need to make this option - the "old" way would of course also allow an empty array.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is not required, but if setting no voters on instantiation is allowed, I thought it would be more consistent to make the argument optional also.

@weaverryan
Copy link
Member

👍 I tested this - it allows for thesecurity.access.decision_manager service to be injected into voters without a circular reference (e.g. so that a voter could checkisGranted('ROLE_ADMIN').

For docs:symfony/symfony-docs#5306, I have an issue to doc this.

@linaori
Copy link
Contributor

@weaverryan wouldn't that lead to potential recursion?

@weaverryan
Copy link
Member

@iltar Recursion where? Do you mean a circular reference? If so, then no - the container is able to create the AccessDecisionManager, then create the voters, then finish the AccessDecisionManager by callingsetVoters(). Or do you mean recursion in that AccessDecisionManager refers to voters, which refer back to the AccessDecisionManager? If so, then yes, which isn't really a problem except for garbage collection (see#14550 (comment)), in which case you could callsetVoters() with an empty array to clear things if you really needed to. More broadly, I don't think there's another possible way to fix this, rather than giving the voters access to the AccessDecisionManager.

@ogizanagi
Copy link
Contributor

@weaverryan : I think what@iltar means isn't about the circular object graph, but in the case of a voterA callingisGranted on an object and attribute supported by voterB, and voterB callingisGranted on the same object and attribute supported by voterA again. OrA calling itself.
But if there is such a case, I think it's only due to a bad design.

@weaverryan
Copy link
Member

@ogizanagi OOOH, yes, of course - I don't know how I missed that. Yes, it's possible - but I agree with you - that would be an error on the developer, and one that they would suffer during development and fix. And this is already true today if you use a voter to go back through the AccessDecisionManager ("possible" if you inject the container into a voter - it's hacky, hence this PR).

@linaori
Copy link
Contributor

@weaverryan that's exactly what I meant. Maybe we could somehow make the AccesDecisionManager track what it's voting for, so when it tries to vote again on the same role, it will throw an exception.

@weaverryan
Copy link
Member

I don't think it's possible because itmay make sense to call a voter recursively - the attributes or token may be different, or the voter may be holding some state (it shouldn't) that makes it act different the second time. I like the thought - but I'm not sure it's possible

@fabpot
Copy link
Member

Thank you@nicolas-grekas.

@fabpotfabpot merged commit3fd7cea intosymfony:2.8Jun 1, 2015
fabpot added a commit that referenced this pull requestJun 1, 2015
…icolas-grekas)This PR was merged into the 2.8 branch.Discussion----------[Security] Add setVoters() on AccessDecisionManager| Q             | A| ------------- | ---| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets | partially#12360| License       | MIT| Doc PR        | -Alternative for#14550Commits-------3fd7cea [Security] Add setVoters() on AccessDecisionManager
@nicolas-grekasnicolas-grekas deleted the allow-no-voters branchJune 2, 2015 23:16
fabpot added a commit that referenced this pull requestSep 24, 2015
… TokenInterface (weaverryan)This PR was squashed before being merged into the 2.8 branch (closes#15870).Discussion----------Updating AbstractVoter so that the method receives the TokenInterface| Q             | A| ------------- | ---| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | yes| Tests pass?   | yes| Fixed tickets |#12360| License       | MIT| Doc PR        | not yetThisfixes#12360, and along with already-merged#14733, this would make it possible to make calls back to the `AccessDecisionManager` inside a voter (e.g. you might check to see if `IS_AUTHENTICATED_FULLY` from inside your voter).We originally passed the User instead of the token to be nice, but it's a limitation, and since we never sanitized the User (i.e. a string may be passed to `AbstractToken::isGranted()`), it's not helpful anyways.Thanks!Commits-------948ccec Updating AbstractVoter so that the method receives the TokenInterface
@fabpotfabpot mentioned this pull requestNov 16, 2015
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

5 participants
@nicolas-grekas@weaverryan@linaori@ogizanagi@fabpot
[8]ページ先頭
©2009-2025 Movatter.jp