symfony
diff --git a/‎Authorization/AuthorizationCheckerInterface.php
Lines changed: 1 addition & 1 deletion b/‎Authorization/AuthorizationCheckerInterface.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎Authorization/Voter/ClosureVoter.php
Lines changed: 78 additions & 0 deletions b/‎Authorization/Voter/ClosureVoter.php
Lines changed: 78 additions & 0 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎Tests/Authorization/Voter/ClosureVoterTest.php
Lines changed: 91 additions & 0 deletions b/‎Tests/Authorization/Voter/ClosureVoterTest.php
Lines changed: 91 additions & 0 deletions
@@ -21,7 +21,7 @@ interface AuthorizationCheckerInterface
     /**
      * Checks if the attribute is granted against the current authentication token and optionally supplied subject.
      *
-     * @param mixed               $attribute      A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)
+     * @param mixed               $attribute      A single attribute to vote on (can be of any type; strings, Expression and Closure instances are supported by the core)
      * @param AccessDecision|null $accessDecision Should be used to explain the decision
      */
     public function isGranted(mixed $attribute, mixed $subject = null/* , ?AccessDecision $accessDecision = null */): bool;
 
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+/**
+ * This voter allows using a closure as the attribute being voted on.
+ *
+ * The following named arguments are passed to the closure:
+ *
+ * - `token`: The token being used for voting
+ * - `subject`: The subject of the vote
+ * - `accessDecisionManager`: The access decision manager
+ * - `trustResolver`: The trust resolver
+ *
+ * @see IsGranted doc for the complete closure signature.
+ *
+ * @author Alexandre Daubois <alex.daubois@gmail.com>
+ */
+final class ClosureVoter implements CacheableVoterInterface
+{
+    public function __construct(
+        private AccessDecisionManagerInterface $accessDecisionManager,
+        private AuthenticationTrustResolverInterface $trustResolver,
+    ) {
+    }
+
+    public function supportsAttribute(string $attribute): bool
+    {
+        return false;
+    }
+
+    public function supportsType(string $subjectType): bool
+    {
+        return true;
+    }
+
+    public function vote(TokenInterface $token, mixed $subject, array $attributes, ?Vote $vote = null): int
+    {
+        $vote ??= new Vote();
+        $failingClosures = [];
+        $result = VoterInterface::ACCESS_ABSTAIN;
+        foreach ($attributes as $attribute) {
+            if (!$attribute instanceof \Closure) {
+                continue;
+            }
+
+            $name = (new \ReflectionFunction($attribute))->name;
+            $result = VoterInterface::ACCESS_DENIED;
+            if ($attribute(token: $token, subject: $subject, accessDecisionManager: $this->accessDecisionManager, trustResolver: $this->trustResolver)) {
+                $vote->reasons[] = \sprintf('Closure %s returned true.', $name);
+
+                return VoterInterface::ACCESS_GRANTED;
+            }
+
+            $failingClosures[] = $name;
+        }
+
+        if ($failingClosures) {
+            $vote->reasons[] = \sprintf('Closure%s %s returned false.', 1 < \count($failingClosures) ? 's' : '', implode(', ', $failingClosures));
+        }
+
+        return $result;
+    }
+}
@@ -10,6 +10,7 @@ CHANGELOG
  * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
    erase credentials e.g. using `__serialize()` instead
  * Add ability for voters to explain their vote
+ * Add support for voting on closures
 
 7.2
 ---
 
@@ -0,0 +1,91 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authorization\Voter;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\ClosureVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class ClosureVoterTest extends TestCase
+{
+    private ClosureVoter $voter;
+
+    protected function setUp(): void
+    {
+        $this->voter = new ClosureVoter(
+            $this->createMock(AccessDecisionManagerInterface::class),
+            $this->createMock(AuthenticationTrustResolverInterface::class),
+        );
+    }
+
+    public function testEmptyAttributeAbstains()
+    {
+        $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->voter->vote(
+            $this->createMock(TokenInterface::class),
+            null,
+            [])
+        );
+    }
+
+    public function testClosureReturningFalseDeniesAccess()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getRoleNames')->willReturn([]);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $this->assertSame(VoterInterface::ACCESS_DENIED, $this->voter->vote(
+            $token,
+            null,
+            [fn (...$vars) => false]
+        ));
+    }
+
+    public function testClosureReturningTrueGrantsAccess()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getRoleNames')->willReturn([]);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $this->assertSame(VoterInterface::ACCESS_GRANTED, $this->voter->vote(
+            $token,
+            null,
+            [fn (...$vars) => true]
+        ));
+    }
+
+    public function testArgumentsContent()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $outerSubject = new \stdClass();
+
+        $this->voter->vote(
+            $token,
+            $outerSubject,
+            [function (...$vars) use ($outerSubject) {
+                $this->assertInstanceOf(TokenInterface::class, $vars['token']);
+                $this->assertSame($outerSubject, $vars['subject']);
+
+                $this->assertInstanceOf(AccessDecisionManagerInterface::class, $vars['accessDecisionManager']);
+                $this->assertInstanceOf(AuthenticationTrustResolverInterface::class, $vars['trustResolver']);
+
+                return true;
+            }]
+        );
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ interface AuthorizationCheckerInterface`
`21`	`21`	`/**`
`22`	`22`	`* Checks if the attribute is granted against the current authentication token and optionally supplied subject.`
`23`	`23`	`*`
`24`		`- * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)`
	`24`	`+ * @param mixed $attribute A single attribute to vote on (can be of any type; strings, Expression and Closure instances are supported by the core)`
`25`	`25`	`* @param AccessDecision\|null $accessDecision Should be used to explain the decision`
`26`	`26`	`*/`
`27`	`27`	`public function isGranted(mixed $attribute, mixed $subject = null/* , ?AccessDecision $accessDecision = null */): bool;`