Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.6k
[Security] Add IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED#31189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
71f08d8 to234dc0dCompareLooks great, thanks. |
234dc0d to48d4813CompareThanks for the suggestion@chalasr! I've updated the PR. Also realized that I forgot to do the same for |
19ed26f to7b9b167CompareActually, I've decided to take another step and deprecate all |
chalasr commentedApr 20, 2019 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
|
7b9b167 to613789fCompareDidn't realize 4.3 release was soo close. I've updated the PR to 4.4 and added a documentation PR. Ready for review when 4.3 is released |
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
nicolas-grekas commentedSep 27, 2019 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I'm not sure the new version is more clear: having role inheritance in mind, the current wording is clear to me. The new one might make me think one is authenticatednot-anonymously. |
wouterj commentedSep 27, 2019 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Hmm, I completely forgot about this PR. Sorry! Let's see how we can continue and what we manage to get into 4.4/5.0 before the freeze:
From what I see above, people seem to agree on (1) and (3). So let's remove change (2) from this PR, to allow this to be merged? (2) seems up for debate and now I think about this, I think it's indeed a confusing change, people would maybe think that |
Moving to milestone "next", meaning for 5.1 or later. |
@wouterj I'd like that we move forward with all your PRs/issues/big plans related to security. Whenever you have time, ping me and we will see how to make it work for 5.1. |
a17ee3a to2fb0a98Compare
Yeah, the bundle requires |
28606e1 to4038d6cCompare@wouterj Bumping to |
4038d6c tofda7e0aComparewouterj commentedFeb 22, 2020 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Thanks for the quick response. I've bumped the requirement. The tests should now pass |
status: needs review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Looks good, thanks for finishing this
src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
fda7e0a to6c522a7CompareThank you@wouterj. |
…guage functions (wouterj)This PR was merged into the 5.1-dev branch.Discussion----------[Security] Use new IS_* attributes in the expression language functions| Q | A| ------------- | ---| Branch? | master| Bug fix? | no| New feature? | no| Deprecations? | no| Tickets | n/a| License | MIT| Doc PR | n/a#31189 has been merged which introduces some new attributes (`IS_ANONYMOUS` & friends). We can now modify the code behind the `is_*()` expression language functions to use these new attributes. This avoids any possibility of having them out of sync.In case you - just like me - are interested why `isGranted("IS_AUTHENTICATED_FULLY")` wasn't used before: These functions were implemented without `auth_checker` being available. The auth checker variable was introduced in 4.2 by#27305, so now we can use this.Commits-------3f0c599 Use new IS_* attributes in the expression language functions
This PR was merged into the 5.1-dev branch.Discussion----------[Security] Deprecated ROLE_PREVIOUS_ADMIN| Q | A| ------------- | ---| Branch? | master| Bug fix? | no| New feature? | no| Deprecations? | yes| Tickets | n/a| License | MIT| Doc PR |symfony/symfony-docs#11487`ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Since#31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason. I propose to deprecate the `ROLE_PREVIOUS_ADMIN`:* This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277))* The role isn't very descriptive* I don't like having 2 ways of doing exactly the same thing* While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +`---I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role).Commits-------dce55f3 Deprecated ROLE_PREVIOUS_ADMIN
This PR was merged into the 5.1-dev branch.Discussion----------[Security] Deprecated ROLE_PREVIOUS_ADMIN| Q | A| ------------- | ---| Branch? | master| Bug fix? | no| New feature? | no| Deprecations? | yes| Tickets | n/a| License | MIT| Doc PR |symfony/symfony-docs#11487`ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Sincesymfony/symfony#31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason. I propose to deprecate the `ROLE_PREVIOUS_ADMIN`:* This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277))* The role isn't very descriptive* I don't like having 2 ways of doing exactly the same thing* While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +`---I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role).Commits-------dce55f352a Deprecated ROLE_PREVIOUS_ADMIN
…S and IS_REMEMBERED attributes (wouterj)This PR was merged into the master branch.Discussion----------[Security] Documented new IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED attributesChanges the documentation to no longer use security attributes/functions that will be deprecated insymfony/symfony#31189 . It's funny to see how the docs were also confusing about the old attributes, as wrong attributes were used.While doing these changes, I've also rewritten some parts to no longer talk about attributes as something the users have (like roles), but instead as something the user is matched against.Commits-------0e2b406 Documented new security attributes
Uh oh!
There was an error while loading.Please reload this page.
This continues work of@HeahDude and finally finishes one of the code PRs I've been working on during the ⭐️ EUFOSSA Hackathon.
Changes
The PRs modifies some of the attributes used by the
AuthenticatedVoter:IS_IMPERSONATOR,IS_ANONYMOUSandIS_REMEMBEREDattributes are introduced to indicate the user either impersonated, anonymous or rembered.IS_AUTHENTICATED_ANONYMOUSLYactually meant "is authenticated, either anonymous or fully". As this is confusing, it is replaced byIS_AUTHENTICATED.Allis_*()functions in expressions are deprecated in favor ofis_granted('IS_*'). It's not worth duplicating theAuthenticatedVoterlogic in two places now we have shorterIS_*attributesBefore
After
DiscussionThe only thing I'm wondering is how we combine this with the
is_authenticated()expression function:symfony/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php
Lines 33 to 37 in98929dc
As you can see, theIS_AUTHENTICATEDattribute andis_authenticated()expression function do not have the same meaning. Should we somehow deprecate the current behavior ofis_authenticated()or should we find another name forIS_AUTHENTICATED(that would be a shame imo).