Added access decision strategy to respect voter priority · symfony/symfony@0b8028a · GitHub

Commit 0b8028a

aschempp authored and chalasr committed
Added access decision strategy to respect voter priority
1 parent dab6732 commit 0b8028a


5 files changed

+76
-1
lines changed


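--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+5.1.0
+-----
+
+* Added security configuration for priority-based access decision strategy
+
 5.0.0
 -----
 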
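--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -76,7 +76,7 @@ public function getConfigTreeBuilder()
 ->addDefaultsIfNotSet()
 ->children()
 ->enumNode('strategy')
-->values([AccessDecisionManager::STRATEGY_AFFIRMATIVE, AccessDecisionManager::STRATEGY_CONSENSUS, AccessDecisionManager::STRATEGY_UNANIMOUS])
+->values($this->getAccessDecisionStrategies())
 ->end()
 ->scalarNode('service')->end()
 ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
@@ -386,4 +386,19 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
 ->end()
 ;
 }
+
+private function getAccessDecisionStrategies()
+{
+$strategies = [
+AccessDecisionManager::STRATEGY_AFFIRMATIVE,
+AccessDecisionManager::STRATEGY_CONSENSUS,
+AccessDecisionManager::STRATEGY_UNANIMOUS,
+];
+
+if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
+$strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
+}
+
+return $strategies;
+}
 }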
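Review bot: The `\defined(...)` guard in `getAccessDecisionStrategies()` carries no comment saying why the fourth strategy is conditional, and the helper declares no return type. Presumably the check keeps the bundle usable with a Security component release that predates `STRATEGY_PRIORITY` (the component changelog in this commit lists the strategy under 5.1.0); in that case `priority` is simply absent from the enum node's accepted values, so such a configuration is rejected rather than silently mapped to another strategy. I would add `// STRATEGY_PRIORITY exists only in the Security component >= 5.1; with an older version the option stays unavailable` above the `if`, and declare the method as `private function getAccessDecisionStrategies(): array`.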

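--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+5.1.0
+-----
+
+* Added access decision strategy to override access decisions by voter service priority
+
 5.0.0
 -----
 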
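--- a/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
+++ b/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
@@ -26,6 +26,7 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
 const STRATEGY_AFFIRMATIVE = 'affirmative';
 const STRATEGY_CONSENSUS = 'consensus';
 const STRATEGY_UNANIMOUS = 'unanimous';
+const STRATEGY_PRIORITY = 'priority';
 
 private $voters;
 private $strategy;
@@ -181,4 +182,28 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje
 
 return $this->allowIfAllAbstainDecisions;
 }
+
+/**
+* Grant or deny access depending on the first voter that does not abstain.
+* The priority of voters can be used to overrule a decision.
+*
+* If all voters abstained from voting, the decision will be based on the
+* allowIfAllAbstainDecisions property value (defaults to false).
+*/
+private function decidePriority(TokenInterface $token, array $attributes, $object = null)
+{
+foreach ($this->voters as $voter) {
+$result = $voter->vote($token, $object, $attributes);
+
+if (VoterInterface::ACCESS_GRANTED === $result) {
+return true;
+}
+
+if (VoterInterface::ACCESS_DENIED === $result) {
+return false;
+}
+}
+
+return $this->allowIfAllAbstainDecisions;
+}
 }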
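Review bot: The docblock on `decidePriority()` does not say where the priority comes from: the loop walks `$this->voters` in iteration order and never sorts, so whoever builds the manager has to pass the voters already ordered, highest priority first. The method also returns on the first `ACCESS_GRANTED`, so a later voter's `ACCESS_DENIED` is never consulted (the first new test data set shows exactly that), which means a broadly granting voter registered early masks every deny rule behind it. I would state both in the docblock, e.g. `* Voters are consulted in the order they were passed to the manager; this method does not sort them.` and `* A grant from an earlier voter ends the vote, so deny-only voters need a higher priority than the voters they must overrule.` A result that is neither granted nor denied falls through to the next voter, which deserves one line there as well.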

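--- a/src/Symfony/Component/Security/Core/Tests/Authorization/AccessDecisionManagerTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authorization/AccessDecisionManagerTest.php
@@ -66,6 +66,31 @@ public function getStrategyTests()
 
 [AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), false, true, false],
 [AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), true, true, true],
+
+// priority
+[AccessDecisionManager::STRATEGY_PRIORITY, [
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+$this->getVoter(VoterInterface::ACCESS_GRANTED),
+$this->getVoter(VoterInterface::ACCESS_DENIED),
+$this->getVoter(VoterInterface::ACCESS_DENIED),
+], true, true, true],
+
+[AccessDecisionManager::STRATEGY_PRIORITY, [
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+$this->getVoter(VoterInterface::ACCESS_DENIED),
+$this->getVoter(VoterInterface::ACCESS_GRANTED),
+$this->getVoter(VoterInterface::ACCESS_GRANTED),
+], true, true, false],
+
+[AccessDecisionManager::STRATEGY_PRIORITY, [
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+], false, true, false],
+
+[AccessDecisionManager::STRATEGY_PRIORITY, [
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+], true, true, true],
 ];
 }
 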
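Review bot: The granting data set passes `true` as its third value and also expects `true`, so taken alone it does not separate a voter's grant from the fallback value, whereas the denying set below it does. Judging by the two abstain-only sets the third value is the allow-if-all-abstain flag (the test method's signature is outside this hunk, so confirm); closing the first set with `], false, true, true],` would pin the result to the second voter. There is also no set in which a voter returns something other than the three `VoterInterface` constants, a value `decidePriority()` skips like an abstention. `getStrategyTests()` starts outside the hunk.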