[Security] Fix defining multiple roles per access_control rule

chalasr · chalasr · commit 338b3dfd9f20 · 2019-11-09T09:18:51.000+01:00
diff --git a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -68,7 +68,14 @@ public function __invoke(RequestEvent $event)
             $this->tokenStorage->setToken($token);
         }
 
-        if (!$this->accessDecisionManager->decide($token, $attributes, $request)) {
+        $granted = false;
+        foreach ($attributes as $key => $value) {
+            if ($this->accessDecisionManager->decide($token, [$key => $value], $request)) {
+                $granted = true;
+            }
+        }
+
+        if (!$granted) {
             $exception = new AccessDeniedException();
             $exception->setAttributes($attributes);
             $exception->setSubject($request);
