symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/composer.json
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php
Lines changed: 8 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php
Lines changed: 18 additions & 1 deletion b/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php
Lines changed: 18 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php
Lines changed: 56 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php
Lines changed: 56 additions & 0 deletions
@@ -136,6 +136,7 @@
         <service id="security.access.expression_voter" class="%security.access.expression_voter.class%" public="false">
             <argument type="service" id="security.expression_language" />
             <argument type="service" id="security.authentication.trust_resolver" />
+            <argument type="service" id="security.authorization_checker" />
             <argument type="service" id="security.role_hierarchy" on-invalid="null" />
             <tag name="security.voter" priority="245" />
         </service>
 
@@ -18,7 +18,7 @@
     "require": {
         "php": ">=5.3.9",
         "ext-xml": "*",
-        "symfony/security": "^2.8.45|^3.4.15",
+        "symfony/security": "^2.8.48|^3.4.19",
         "symfony/security-acl": "~2.7|~3.0.0",
         "symfony/http-kernel": "~2.7|~3.0.0",
         "symfony/polyfill-php70": "~1.0"
 
@@ -49,8 +49,16 @@ public function getFunctions()
             }),
 
             new ExpressionFunction('has_role', function ($role) {
+                if (isset($variables['auth_checker'])) {
+                    return sprintf('$token && $auth_checker->isGranted(%s)', $role);
+                }
+
                 return sprintf('in_array(%s, $roles)', $role);
             }, function (array $variables, $role) {
+                if (isset($variables['auth_checker'])) {
+                    return $variables['token'] && $variables['auth_checker']->isGranted($role);
+                }
+
                 return \in_array($role, $variables['roles']);
             }),
         );
 
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
 use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
 
@@ -28,13 +29,25 @@ class ExpressionVoter implements VoterInterface
 {
     private $expressionLanguage;
     private $trustResolver;
+    private $authChecker;
     private $roleHierarchy;
 
-    public function __construct(ExpressionLanguage $expressionLanguage, AuthenticationTrustResolverInterface $trustResolver, RoleHierarchyInterface $roleHierarchy = null)
+    /**
+     * @param AuthorizationCheckerInterface $authChecker
+     */
+    public function __construct(ExpressionLanguage $expressionLanguage, AuthenticationTrustResolverInterface $trustResolver, $authChecker = null, RoleHierarchyInterface $roleHierarchy = null)
     {
+        if ($authChecker instanceof $roleHierarchy) {
+            $roleHierarchy = $authChecker;
+            $authChecker = null;
+        } elseif (n
B41A
ull !== $authChecker && !$authChecker instanceof AuthorizationCheckerInterface) {
+            throw new \InvalidArgumentException(sprintf('Argument 3 passed to %s() must be an instance of Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface or null, %s given.', __METHOD__, is_object($authChecker) ? get_class($authChecker) : gettype($authChecker)));
+        }
+
         $this->expressionLanguage = $expressionLanguage;
         $this->trustResolver = $trustResolver;
         $this->roleHierarchy = $roleHierarchy;
+        $this->authChecker = $authChecker;
     }
 
     public function addExpressionLanguageProvider(ExpressionFunctionProviderInterface $provider)
@@ -107,6 +120,10 @@ private function getVariables(TokenInterface $token, $object)
             $variables['request'] = $object;
         }
 
+        if (null !== $this->authChecker) {
+            $variables['auth_checker'] = $this->authChecker;
+        }
+
         return $variables;
     }
 }
@@ -15,8 +15,12 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
 use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
+use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
 use Symfony\Component\Security\Core\User\User;
 
 class ExpressionLanguageTest extends TestCase
@@ -39,6 +43,29 @@ public function testIsAuthenticated($token, $expression, $result, array $roles =
         $this->assertEquals($result, $expressionLanguage->evaluate($expression, $context));
     }
 
+    /**
+     * @dataProvider provider
+     */
+    public function testIsAuthenticatedWithAuthorizationChecker($token, $expression, $result, array $roles = array())
+    {
+        $anonymousTokenClass = 'Symfony\\Component\\Security\\Core\\Authentication\\Token\\AnonymousToken';
+        $rememberMeTokenClass = 'Symfony\\Component\\Security\\Core\\Authentication\\Token\\RememberMeToken';
+        $expressionLanguage = new ExpressionLanguage();
+        $trustResolver = new AuthenticationTrustResolver($anonymousTokenClass, $rememberMeTokenClass);
+
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+        $authorizationChecker = new AuthorizationChecker($tokenStorage, $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(), new AccessDecisionManager(array(new RoleVoter())));
+
+        $context = array();
+        $context['auth_checker'] = $authorizationChecker;
+        $context['trust_resolver'] = $trustResolver;
+        $context['token'] = $token;
+        $context['roles'] = $roles;
+
+        $this->assertSame($result, $expressionLanguage->evaluate($expression, $context));
+    }
+
     public function provider()
     {
         $roles = array('ROLE_USER', 'ROLE_ADMIN');
@@ -77,4 +104,33 @@ public function provider()
             array($usernamePasswordToken, "has_role('ROLE_USER')", true, $roles),
         );
     }
+
+    public function testHasRoleTriggersTokenAuthentication()
+    {
+        $token = new UsernamePasswordToken('username', 'password', 'provider', array('ROLE_ADMIN'));
+        $refreshedToken = new UsernamePasswordToken('username', 'password', 'provider', array('ROLE_USER'));
+
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+
+        $authenticationManager = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock();
+        $authenticationManager->method('authenticate')->willReturn($refreshedToken);
+
+        $authorizationChecker = new AuthorizationChecker($tokenStorage, $authenticationManager, new AccessDecisionManager(array(new RoleVoter())), true);
+
+        $context = array(
+            'auth_checker' => $authorizationChecker,
+            'trust_resolver' => $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface')->getMock(),
+            'token' => $token,
+            'roles' => array('ROLE_ADMIN'),
+        );
+        $expressionLanguage = new ExpressionLanguage();
+
+        $this->assertFalse($expressionLanguage->evaluate('has_role("ROLE_ADMIN")', array(
+            'auth_checker' => $authorizationChecker,
+            'trust_resolver' => $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface')->getMock(),
+            'token' => $token,
+            'roles' => array('ROLE_ADMIN'),
+        )));
+    }
 }