[Security] Allow Expression as AccessDeniedException attribute #46986


Closed

@HypeMC (Member) commented Jul 19, 2022

| Q | A |
| --- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

Currently the AccessDeniedException::setAttributes() method accepts a string or an array. However, there are several ways the method could receive an instance of Expression as well, e.g.:

$this->denyAccessUnlessGranted(new Expression('"ROLE_ADMIN" in role_names'))

On Symfony 5.4 or lower there are no type hints so the object gets cast to an array:

/**
 * @param array|string $attributes
 */
public function setAttributes($attributes)
{
    $this->attributes = (array) $attributes;
}

array(1) {  ["*expression"]=>  string(15) "some expression"}

On 6.0 or higher, because of the added type hints, it gets cast into a string instead.

public function setAttributes(array|string $attributes)
{
    $this->attributes = (array) $attributes;
}
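
The two cast behaviours described above can be reproduced side by side. This is an added example, not part of the original post and not Symfony code: `DemoExpression` is a stand-in class with a protected property and `__toString()`, and `normaliseAttributes()` is a hypothetical helper showing one way to get the 6.0 result on both code paths. It needs PHP 8.0+ for the union type.

```php
<?php
// Added illustration. DemoExpression is a stand-in, not Symfony's Expression class.
final class DemoExpression
{
    protected $expression;

    public function __construct(string $expression)
    {
        $this->expression = $expression;
    }

    public function __toString(): string
    {
        return $this->expression;
    }
}

// Untyped setter, as in the 5.4-and-lower snippet: (array) on an object exports
// its properties, and a protected property gets the key "\0*\0<name>".
function setAttributesUntyped($attributes): array
{
    return (array) $attributes;
}

// Typed setter, as in the 6.0 snippet: in coercive typing mode (no
// declare(strict_types=1) in the calling file) an object with __toString()
// is converted to string before the function body runs.
function setAttributesTyped(array|string $attributes): array
{
    return (array) $attributes;
}

// Hypothetical normaliser: stringify objects that can be stringified,
// otherwise fall back to the plain array cast.
function normaliseAttributes($attributes): array
{
    if (is_object($attributes) && method_exists($attributes, '__toString')) {
        return [(string) $attributes];
    }
    return (array) $attributes;
}

$expr = new DemoExpression('"ROLE_ADMIN" in role_names'); // constructed sample input

// Keys of the untyped result compared with the mangled protected-property key.
var_dump(array_keys(setAttributesUntyped($expr)) === ["\0*\0expression"]);
// Typed result compared with a one-element list holding the expression string.
var_dump(setAttributesTyped($expr) === ['"ROLE_ADMIN" in role_names']);
// Normalised result compared with the typed (6.0-style) result.
var_dump(normaliseAttributes($expr) === setAttributesTyped($expr));
```

Anything that logs or displays the exception's attributes sees the property dump in the first case and the expression string in the second.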

@derrabus (Member) commented

$this->denyAccessUnlessGranted(new Expression('"ROLE_ADMIN" in role_names'))
  • Question 1: Where did you get that piece of code from? Does the documentation say that expressions are allowed here? Or did it just happen to work for you?
  • Question 2: Isn't this the same as $this->denyAccessUnlessGranted('ROLE_ADMIN')? 🤔

@HypeMC (Member, Author) commented

@derrabus

  • Question 1: Where did you get that piece of code from? Does the documentation say that expressions are allowed here? Or did it just happen to work for you?

Yes, this is taken from the docs, see https://symfony.com/doc/4.4/security/expressions.html

  • Question 2: Isn't this the same as $this->denyAccessUnlessGranted('ROLE_ADMIN')? 🤔

Well yes, but this is just a simple example. The point is that an instance of Expression can be used (with a more complex expression).

@derrabus (Member) commented

Yes, this is taken from the docs

Amazing. I didn't know about this feature. 😮

@nicolas-grekas (Member) commented

As discussed on #46978, this change looks wrong to me.
Instead, we should consider that the argument is Expression is auto-cast to string, which is the case since 6.0.
We could emulate this behavior in 4.4/5.4 but is it needed? Aka does this cause real-world issues?
If not, let's close.

@HypeMC (Member, Author) commented

@nicolas-grekas Since no one has ever reported this issue, let's close.

@HypeMC closed this Aug 1, 2022
@HypeMC deleted the accessdeniedexception-expression branch August 1, 2022 08:36
@HypeMC restored the accessdeniedexception-expression branch March 11, 2023 14:50
@HypeMC deleted the accessdeniedexception-expression branch March 11, 2023 14:51