Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] make it possible to configure a custom access decision manager service#19034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation

@xabbuh
Copy link
Member

@xabbuhxabbuh commentedJun 12, 2016
edited
Loading

QA
Branch?3.4
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed tickets#942,#14049,#15295,#16828,#16843,
LicenseMIT
Doc PRTODO

These changes will make it possible to let users define their own voting strategies without the need for custom compiler passes that replace the built-inAccessDecisionManager (see linked issues in the PR table for some use cases).

GuilhemN, Koc, sstok, and chapterjason reacted with thumbs up emojiHeahDude reacted with hooray emoji
*
* @author Christian Flothmann <christian.flothmann@xabbuh.de>
*/
class StrategyAwareAccessDecisionManager implements AccessDecisionManagerInterface
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't really like this name. So I welcome any suggestions for something better.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm not really sure why you introduced a new class here, it looks like the old class has equal behaviour?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

If we want to deprecate the old one in favor of this one, I would call itVotingAccessDecisionManager or the like. The special thing about this implementation is that it uses voters to decide the access.

@xabbuh
Copy link
MemberAuthor

I just realised that@hhamon suggested almost the same years ago (see#942) which was closed in favour of creating more specialised access decision managers (though that never happened). What do you think about that idea? Should we create one class per access decision strategy instead and then make it easier to inject your own access decision manager by introducing a new config option in the SecurityBundle?

@xabbuh
Copy link
MemberAuthor

@symfony/deciders What are your thoughts on this?

@fabpot
Copy link
Member

Not sure if we need to create classes for existing strategies, we could keep them inline as today. If not, I would make those classes final.


if ($strategyinstanceof VoteStrategyInterface) {
$this->voteStrategy =$strategy;
}elseif (self::STRATEGY_AFFIRMATIVE ===$strategy) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

what about deprecating passing a string as strategy?

Koc reacted with thumbs up emoji
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

And maybe removingallowIfAllAbstainDecisions,allowIfEqualGrantedDeniedDecisions from constructor of this class in future?

@wouterj
Copy link
Member

I like the idea of having all strategies in seperate classes and configuring the service ID of the strategy to use (with a shortcut forsecurity.strategy.%s IDs, soaffirmative will set thesecurity.strategy.affirmative service andapp.custom_strategy will use that ID).

@wouterj
Copy link
Member

Status: needs work

@xabbuh
Copy link
MemberAuthor

I like the idea of having all strategies in seperate classes and configuring the service ID of the strategy to use [...]

@wouterj My main concern is if we really need to go the way of custom strategies then or if it wasn't enough to configure a service implementing theAuthenticationManagerInterface and then making it easy to change that service?

@fabpot
Copy link
Member

@xabbuh Any interest in finishing this one by taking into account comments?

@xabbuh
Copy link
MemberAuthor

Well, we should first decide which way we would like to go (i.e. making the vote strategy configurable or making it possible to configure the access decision manager like suggested in#942). I think my favourite solution is to keep the separated vote strategies for greater flexibility (as they are now in this PR), but remove the StrategyAwareAccessDecisionManager and instead allow just configure the access decision manager service in the SecurityBundle (you will only be able to configure either the access decision manager or the vote strategy). What do you think?

@wouterj
Copy link
Member

On second thought, I think we should remove the strategy stuff and just allow to configure the AccessDecisionManager service ID. With the VoteStrategyInterface, we add an extra layer of complexity for almost nothing. The AccessDecisionManager simply only proxies it'sdecide() call to the VoteStrategy and there is no other code in the manager.

So simply creating a custom manager and setting it through a service should be more than enough.

@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch from6ef3459 to7ec99f0CompareNovember 16, 2016 08:09
@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch 2 times, most recently from6417e74 toc28ca0aCompareNovember 28, 2016 08:09
@xabbuh
Copy link
MemberAuthor

I pushed an update that reverts the changes made to theAccessDecisionManager, but makes it possible to configure a service providing anAccessDecisionManagerInterface implementation.

@nicolas-grekasnicolas-grekas added this to the3.x milestoneDec 6, 2016
@xabbuh
Copy link
MemberAuthor

ping @symfony/deciders

@HeahDude
Copy link
Contributor

Does it make sense to keep the strategy configurable for a custom access decision manager as a service?

@xabbuh
Copy link
MemberAuthor

@HeahDude I first thought when I introduced theVoteStrategyInterface. But thinking about it again I don't think there's much value in having reusable voting strategies. Reusing them wouldn't be much different from using the built-in access decision manager IMO.

@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch fromc28ca0a to4abe705CompareDecember 27, 2016 10:47
@xabbuh
Copy link
MemberAuthor

Status: Needs Review

@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch 2 times, most recently from099c769 to9a8779fCompareJanuary 30, 2017 16:08
Copy link
Member

@nicolas-grekasnicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

👍

@nicolas-grekasnicolas-grekas modified the milestones:3.3,3.xMar 7, 2017
@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch from9a8779f to1d5a5c6CompareApril 3, 2017 15:27
@nicolas-grekas
Copy link
Member

Moving to milestone as this is not a blocker for 3.3. If you don't agree, please explain why.

@nicolas-grekasnicolas-grekas modified the milestones:3.3,3.4Apr 28, 2017
@xabbuhxabbuh changed the base branch frommaster to3.4May 18, 2017 07:16
@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch from1d5a5c6 toba9fd2fCompareJune 3, 2017 07:52
@xabbuh
Copy link
MemberAuthor

PR description updated to match the actual state of this PR (the idea of aVoteStrategyInterface was dropped in favour of being able to configure your ownAccessDecisionManager service).

@xabbuhxabbuh changed the title[Security] make it possible to configure the voting strategy[Security] make it possible to configure a custom access decision manager serviceJun 3, 2017
@xabbuhxabbuhforce-pushed theconfigurable-access-decision-strategy branch fromba9fd2f toe0913a2CompareJuly 3, 2017 16:47
@nicolas-grekas
Copy link
Member

ping @symfony/deciders

@nicolas-grekas
Copy link
Member

Thank you@xabbuh.

@nicolas-grekasnicolas-grekas merged commite0913a2 intosymfony:3.4Jul 12, 2017
@nicolas-grekas
Copy link
Member

Doc PR welcomed ;)

nicolas-grekas added a commit that referenced this pull requestJul 12, 2017
…ss decision manager service (xabbuh)This PR was merged into the 3.4 branch.Discussion----------[Security] make it possible to configure a custom access decision manager service| Q | A || --- | --- || Branch? | 3.4 || Bug fix? | no || New feature? | yes || BC breaks? | no || Deprecations? | no || Tests pass? | yes || Fixed tickets |#942,#14049,#15295,#16828,#16843, || License | MIT || Doc PR | TODO |These changes will make it possible to let users define their own voting strategies without the need for custom compiler passes that replace the built-in `AccessDecisionManager` (see linked issues in the PR table for some use cases).Commits-------e0913a2 add option to define the access decision manager
@xabbuhxabbuh deleted the configurable-access-decision-strategy branchJuly 12, 2017 16:19
This was referencedOct 18, 2017
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@weaverryanweaverryanweaverryan approved these changes

@nicolas-grekasnicolas-grekasnicolas-grekas approved these changes

@chalasrchalasrchalasr approved these changes

+2 more reviewers

@KocKocKoc left review comments

@HeahDudeHeahDudeHeahDude approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Projects

None yet

Milestone

3.4

Development

Successfully merging this pull request may close these issues.

9 participants

@xabbuh@fabpot@wouterj@HeahDude@nicolas-grekas@weaverryan@Koc@chalasr@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp