symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 23 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 23 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSecurityVotersPass.php
Lines changed: 17 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSecurityVotersPass.php
Lines changed: 17 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/EventListener/VoteListener.php
Lines changed: 48 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/EventListener/VoteListener.php
Lines changed: 48 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_debug.xml
Lines changed: 5 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_debug.xml
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 35 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 35 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Lines changed: 136 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Lines changed: 136 additions & 0 deletions
@@ -16,6 +16,7 @@ CHANGELOG
  * Deprecated the `simple_form` and `simple_preauth` authentication listeners, use Guard instead.
  * Deprecated the `SimpleFormFactory` and `SimplePreAuthenticationFactory` classes, use Guard instead.
  * Added `port` in access_control
+ * Added individual voter decisions to the profiler
 
 4.1.0
 -----
 
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
@@ -136,12 +137,33 @@ public function collect(Request $request, Response $response, \Exception $except
 
         // collect voters and access decision manager information
         if ($this->accessDecisionManager instanceof TraceableAccessDecisionManager) {
-            $this->data['access_decision_log'] = $this->accessDecisionManager->getDecisionLog();
             $this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
 
             foreach ($this->accessDecisionManager->getVoters() as $voter) {
+                if ($voter instanceof TraceableVoter) {
+                    $voter = $voter->getDecoratedVoter();
+                }
+
                 $this->data['voters'][] = $this->hasVarDumper ? new ClassStub(\get_class($voter)) : \get_class($voter);
             }
+
+            // collect voter details
+            $decisionLog = $this->accessDecisionManager->getDecisionLog();
+            foreach ($decisionLog as $key => $log) {
+                $decisionLog[$key]['voter_details'] = array();
+                foreach ($log['voterDetails'] as $voterDetail) {
+                    $voterClass = \get_class($voterDetail['voter']);
+                    $classData = $this->hasVarDumper ? new ClassStub($voterClass) : $voterClass;
+                    $decisionLog[$key]['voter_details'][] = array(
+                        'class' => $classData,
+                        'attributes' => $voterDetail['attributes'], // Only displayed for unanimous strategy
+                        'vote' => $voterDetail['vote'],
+                    );
+                }
+                unset($decisionLog[$key]['voterDetails']);
+            }
+
+            $this->data['access_decision_log'] = $decisionLog;
         } else {
             $this->data['access_decision_log'] = array();
             $this->data['voter_strategy'] = 'unknown';
 
@@ -16,6 +16,8 @@
 use Symfony\Component\DependencyInjection\Compiler\PriorityTaggedServiceTrait;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 
 /**
@@ -41,13 +43,27 @@ public function process(ContainerBuilder $container)
             throw new LogicException('No security voters found. You need to tag at least one with "security.voter".');
         }
 
+        $debug = $container->getParameter('kernel.debug');
+
         foreach ($voters as $voter) {
-            $definition = $container->getDefinition((string) $voter);
+            $voterServiceId = (string) $voter;
+            $definition = $container->getDefinition($voterServiceId);
+
             $class = $container->getParameterBag()->resolveValue($definition->getClass());
 
             if (!is_a($class, VoterInterface::class, true)) {
                 throw new LogicException(sprintf('%s must implement the %s when used as a voter.', $class, VoterInterface::class));
             }
+
+            if ($debug) {
+                // Decorate original voters with TraceableVoter
+                $debugVoterServiceId = '.debug.security.voter.'.$voterServiceId;
+                $container
+                    ->register($debugVoterServiceId, TraceableVoter::class)
+                    ->setDecoratedService($voterServiceId)
+                    ->addArgument(new Reference($debugVoterServiceId.'.inner'))
+                    ->addArgument(new Reference('event_dispatcher'));
+            }
         }
 
         $adm = $container->getDefinition('security.access.decision_manager');
 
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
+use Symfony\Component\Security\Core\Event\VoteEvent;
+
+/**
+ * Listen to vote events from access decision manager.
+ *
+ * @author Laurent VOULLEMIER <laurent.voullemier@gmail.com>
+ *
+ * @internal
+ */
+class VoteListener implements EventSubscriberInterface
+{
+    private $traceableAccessDecisionManager;
+
+    public function __construct(TraceableAccessDecisionManager $traceableAccessDecisionManager)
+    {
+        $this->traceableAccessDecisionManager = $traceableAccessDecisionManager;
+    }
+
+    /**
+     * Event dispatched by a voter during access manager decision.
+     *
+     * @param VoteEvent $event event with voter data
+     */
+    public function onVoterVote(VoteEvent $event)
+    {
+        $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote());
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return array('debug.security.authorization.vote' => 'onVoterVote');
+    }
+}
@@ -11,6 +11,11 @@
             <argument type="service" id="debug.security.access.decision_manager.inner" />
         </service>
 
+        <service id="debug.security.voter.vote_listener" class="Symfony\Bundle\SecurityBundle\EventListener\VoteListener">
+            <tag name="kernel.event_subscriber" />
+            <argument type="service" id="debug.security.access.decision_manager" />
+        </service>
+
         <service id="debug.security.firewall" class="Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener">
             <tag name="kernel.event_subscriber" />
             <argument type="service" id="security.firewall.map" />
 
@@ -307,7 +307,7 @@
 
             <tbody>
                 {% for decision in collector.accessDecisionLog %}
-                    <tr>
+                    <tr class="voter_result">
                         <td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
                         <td class="font-normal">
                             {{ decision.result
@@ -331,6 +331,40 @@
                         </td>
                         <td>{{ profiler_dump(decision.seek('object')) }}</td>
                     </tr>
+                    <tr class="voter_details">
+                        <td></td>
+                        <td colspan="3">
+                        {% if decision.voter_details is not empty %}
+                            {% set voter_details_id = 'voter-details-' ~ loop.index %}
+                            <div id="{{ voter_details_id }}" class="sf-toggle-content sf-toggle-hidden">
+                                <table>
+                                   <tbody>
+                                    {% for voter_detail in decision.voter_details %}
+                                        <tr>
+                                            <td class="font-normal">{{ profiler_dump(voter_detail['class']) }}</td>
+                                            {% if collector.voterStrategy == constant('Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager::STRATEGY_UNANIMOUS') %}
+                                            <td class="font-normal text-small">attribute {{ voter_detail['attributes'][0] }}</td>
+                                            {% endif %}
+                                            <td class="font-normal text-small">
+                                                {% if voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_GRANTED') %}
+                                                    ACCESS GRANTED
+                                                {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_ABSTAIN') %}
+                                                    ACCESS ABSTAIN
+                                                {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_DENIED') %}
+                                                    ACCESS DENIED
+                                                {% else %}
+                                                    unknown ({{ voter_detail['vote'] }})
+                                                {% endif %}
+                                            </td>
+                                        </tr>
+                                    {% endfor %}
+                                    </tbody>
+                                </table>
+                            </div>
+                            <a class="btn btn-link text-small sf-toggle" data-toggle-selector="#{{ voter_details_id }}" data-toggle-alt-content="Hide voter details">Show voter details</a>
+                        {% endif %}
+                        </td>
+                    </tr>
                 {% endfor %}
             </tbody>
         </table>
 
@@ -17,10 +17,15 @@
 use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
 use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
@@ -221,6 +226,137 @@ public function testGetListeners()
         $this->addToAssertionCount(1);
     }
 
+    public function providerCollectDecisionLog(): \Generator
+    {
+        $voter1 = $this->getMockBuilder(VoterInterface::class)->getMockForAbstractClass();
+        $voter2 = $this->getMockBuilder(VoterInterface::class)->getMockForAbstractClass();
+
+        $eventDispatcher = $this->getMockBuilder(EventDispatcherInterface::class)->getMockForAbstractClass();
+        $decoratedVoter1 = new TraceableVoter($voter1, $eventDispatcher);
+        $decoratedVoter2 = new TraceableVoter($voter2, $eventDispatcher);
+
+        yield array(
+            AccessDecisionManager::STRATEGY_AFFIRMATIVE,
+            array(array(
+                'attributes' => array('view'),
+                'object' => new \stdClass(),
+                'result' => true,
+                'voterDetails' => array(
+                    array('voter' => $voter1, 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_ABSTAIN),
+                    array('voter' => $voter2, 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_ABSTAIN),
+                ),
+            )),
+            array($decoratedVoter1, $decoratedVoter1),
+            array(\get_class($voter1), \get_class($voter2)),
+            array(array(
+                'attributes' => array('view'),
+                'object' => new \stdClass(),
+                'result' => true,
+                'voter_details' => array(
+                    array('class' => \get_class($voter1), 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_ABSTAIN),
+                    array('class' => \get_class($voter2), 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_ABSTAIN),
+                ),
+            )),
+        );
+
+        yield array(
+            AccessDecisionManager::STRATEGY_UNANIMOUS,
+            array(
+                array(
+                    'attributes' => array('view', 'edit'),
+                    'object' => new \stdClass(),
+                    'result' => false,
+                    'voterDetails' => array(
+                        array('voter' => $voter1, 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_DENIED),
+                        array('voter' => $voter1, 'attributes' => array('edit'), 'vote' => VoterInterface::ACCESS_DENIED),
+                        array('voter' => $voter2, 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                        array('voter' => $voter2, 'attributes' => array('edit'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                    ),
+                ),
+                array(
+                    'attributes' => array('update'),
+                    'object' => new \stdClass(),
+                    'result' => true,
+                    'voterDetails' => array(
+                        array('voter' => $voter1, 'attributes' => array(&#
F438
39;update'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                        array('voter' => $voter2, 'attributes' => array('update'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                    ),
+                ),
+            ),
+            array($decoratedVoter1, $decoratedVoter1),
+            array(\get_class($voter1), \get_class($voter2)),
+            array(
+                array(
+                    'attributes' => array('view', 'edit'),
+                    'object' => new \stdClass(),
+                    'result' => false,
+                    'voter_details' => array(
+                        array('class' => \get_class($voter1), 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_DENIED),
+                        array('class' => \get_class($voter1), 'attributes' => array('edit'), 'vote' => VoterInterface::ACCESS_DENIED),
+                        array('class' => \get_class($voter2), 'attributes' => array('view'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                        array('class' => \get_class($voter2), 'attributes' => array('edit'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                    ),
+                ),
+                array(
+                    'attributes' => array('update'),
+                    'object' => new \stdClass(),
+                    'result' => true,
+                    'voter_details' => array(
+                        array('class' => \get_class($voter1), 'attributes' => array('update'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                        array('class' => \get_class($voter2), 'attributes' => array('update'), 'vote' => VoterInterface::ACCESS_GRANTED),
+                    ),
+                ),
+            ),
+        );
+    }
+
+    /**
+     * Test the returned data when AccessDecisionManager is a TraceableAccessDecisionManager.
+     *
+     * @param string $strategy             strategy returned by the AccessDecisionManager
+     * @param array  $voters               voters returned by AccessDecisionManager
+     * @param array  $decisionLog          log of the votes and final decisions from AccessDecisionManager
+     * @param array  $expectedVoterClasses expected voter classes returned by the collector
+     * @param array  $expectedDecisionLog  expected decision log returned by the collector
+     *
+     * @dataProvider providerCollectDecisionLog
+     */
+    public function testCollectDecisionLog(string $strategy, array $decisionLog, array $voters, array $expectedVoterClasses, array $expectedDecisionLog): void
+    {
+        $accessDecisionManager = $this
+            ->getMockBuilder(TraceableAccessDecisionManager::class)
+            ->disableOriginalConstructor()
+            ->setMethods(array('getStrategy', 'getVoters', 'getDecisionLog'))
+            ->getMock();
+
+        $accessDecisionManager
+            ->expects($this->any())
+            ->method('getStrategy')
+            ->willReturn($strategy);
+
+        $accessDecisionManager
+            ->expects($this->any())
+            ->method('getVoters')
+            ->willReturn($voters);
+
+        $accessDecisionManager
+            ->expects($this->any())
+            ->method('getDecisionLog')
+            ->willReturn($decisionLog);
+
+        $dataCollector = new SecurityDataCollector(null, null, null, $accessDecisionManager);
+        $dataCollector->collect($this->getRequest(), $this->getResponse());
+
+        $this->assertEquals($dataCollector->getAccessDecisionLog(), $expectedDecisionLog, 'Wrong value returned by getAccessDecisionLog');
+
+        $this->assertSame(
+            array_map(function ($classStub) { return (string) $classStub; }, $dataCollector->getVoters()),
+            $expectedVoterClasses,
+            'Wrong value returned by getVoters'
+        );
+        $this->assertSame($dataCollector->getVoterStrategy(), $strategy, 'Wrong value returned by getVoterStrategy');
+    }
+
     public function provideRoles()
     {
         return array(