Skip to content

[Security] Allow using expressions with the #[IsGranted] attribute #46978

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 2, 2022
Merged

[Security] Allow using expressions with the #[IsGranted] attribute #46978

merged 1 commit into from
Aug 2, 2022

Conversation

HypeMC
Copy link
Member

@HypeMC HypeMC commented Jul 18, 2022
edited
Loading

Q A
Branch? 6.2
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #46912
License MIT
Doc PR -

Allows using the expression language with the #[IsGranted] attribute:

#[IsGranted( attribute: new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), subject: 'post', )] public function index(Post $post) { } #[IsGranted( attribute: new Expression('user === subject'), subject: new Expression('args["post"].getAuthor()'), )] public function index(Post $post) { } #[IsGranted( attribute: new Expression('user === subject["author"] and subject["post"].isPublished()'), subject: [ 'author' => new Expression('args["post"].getAuthor()'), 'post' => 'post', ], )] public function index(Post $post) { }
@HypeMC HypeMC requested review from chalasr and wouterj as code owners July 18, 2022 16:53
@carsonbot carsonbot added this to the 6.2 milestone Jul 18, 2022
stof
stof requested changes Jul 18, 2022
View reviewed changes
stof
stof requested changes Jul 18, 2022
View reviewed changes
@HypeMC HypeMC force-pushed the improve-isgranted branch 2 times, most recently from bdd0c16 to 3957a98 Compare July 21, 2022 11:52
@HypeMC HypeMC force-pushed the improve-isgranted branch from 3957a98 to 8de7c8f Compare July 24, 2022 20:28
nicolas-grekas
nicolas-grekas reviewed Jul 28, 2022
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$accessDeniedException->setAttributes($attribute->attributes);

Don't we want to provide the resolved values instead? That would solve the issue with accepting Expression into AccessDeniedException and might improve debugging?
@HypeMC HypeMC force-pushed the improve-isgranted branch 2 times, most recently from 7c38656 to 3d81940 Compare July 31, 2022 14:16
@HypeMC
Copy link
Member Author

HypeMC commented Jul 31, 2022

$accessDeniedException->setAttributes($attribute->attributes);

Don't we want to provide the resolved values instead? That would solve the issue with accepting Expression into AccessDeniedException and might improve debugging?

@nicolas-grekas The problem is that the attributes expression is evaluated by the ExpressionVoter and I don't see a way to get that info with the current implementation:

symfony/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php

Lines 67 to 74 in 9d7ff0c

$result = VoterInterface::ACCESS_DENIED;
if ($this->expressionLanguage->evaluate($attribute, $variables)) {
return VoterInterface::ACCESS_GRANTED;
}
}
return $result;

Also, if I'm not mistaking, the result of the expression is always false (or falsy) if access is denied by the voter, so I'm not sure if that would really help with debugging.
@nicolas-grekas nicolas-grekas mentioned this pull request Aug 1, 2022
Closed
@HypeMC HypeMC force-pushed the improve-isgranted branch from 3d81940 to 91dff71 Compare August 1, 2022 08:34
nicolas-grekas
nicolas-grekas approved these changes Aug 1, 2022
View reviewed changes
@HypeMC HypeMC force-pushed the improve-isgranted branch from 91dff71 to 0eb6bd8 Compare August 1, 2022 08:54
HypeMC
HypeMC commented Aug 1, 2022
View reviewed changes
@HypeMC HypeMC mentioned this pull request Aug 1, 2022
Merged
@HypeMC
Copy link
Member Author

HypeMC commented Aug 2, 2022

@nicolas-grekas Was this closed by accident or did I miss something ?
@lyrixx
Copy link
Member

lyrixx commented Aug 2, 2022

Indeed, this is a mistake because of the other PR description
@lyrixx lyrixx reopened this Aug 2, 2022
@HypeMC HypeMC force-pushed the improve-isgranted branch from 0eb6bd8 to f5cee77 Compare August 2, 2022 08:38
@nicolas-grekas
Copy link
Member

Thank you @HypeMC.
@nicolas-grekas nicolas-grekas mentioned this pull request Aug 2, 2022
Closed
@nicolas-grekas nicolas-grekas merged commit e7fbf28 into symfony:6.2 Aug 2, 2022
@HypeMC HypeMC deleted the improve-isgranted branch August 2, 2022 13:07
@fabpot fabpot mentioned this pull request Oct 24, 2022
Merged
@HypeMC HypeMC mentioned this pull request Nov 3, 2022
Merged
@HypeMC HypeMC mentioned this pull request Dec 5, 2022
Merged
fabpot added a commit to symfony/symfony-docs that referenced this pull request Mar 24, 2023
@fabpot
feature #17513 [Security] Use expression for #[IsGranted()] subject…
5292d7b 
… (HypeMC) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Use expression for `#[IsGranted()]` subject symfony/symfony#46978 symfony/symfony#48080 symfony/symfony#48102 Commits ------- 9d4045f [Security] Use expression for #[IsGranted()] subject
weaverryan pushed a commit to symfony/symfony-docs that referenced this pull request Mar 28, 2023
@fabpot @weaverryan
feature #17513 [Security] Use expression for #[IsGranted()] subject…
20f41f8 
… (HypeMC) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Use expression for `#[IsGranted()]` subject symfony/symfony#46978 symfony/symfony#48080 symfony/symfony#48102 Commits ------- 9d4045f [Security] Use expression for #[IsGranted()] subject
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Feature Security Status: Reviewed

7 participants

@HypeMC @lyrixx @nicolas-grekas @stof @OskarStark @derrabus @carsonbot