8000 bug #19725 [Security] $attributes can be anything, but RoleVoter assu… · symfony/symfony@a5a91a7 · GitHub

Commit a5a91a7

committed
bug #19725 [Security] $attributes can be anything, but RoleVoter assumes strings (Jonatan Männchen)
This PR was merged into the 2.7 branch. Discussion ---------- [Security] $attributes can be anything, but RoleVoter assumes strings | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | #18042 | License | MIT | Doc PR | reference to the documentation PR, if any Commits ------- ad3ac95 bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
2 parents d040748 + ad3ac95 commit a5a91a7


2 files changed

+12
-1
lines changed


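--- a/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php
+++ b/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\RoleInterface;
 
 /**
 * RoleVoter votes if any attribute starts with a given prefix.
@@ -37,7 +38,7 @@ public function __construct($prefix = 'ROLE_')
 */
 public function supportsAttribute($attribute)
 {
-return 0 === strpos($attribute, $this->prefix);
+return is_string($attribute) && 0 === strpos($attribute, $this->prefix);
 }
 
 /**
@@ -57,6 +58,10 @@ public function vote(TokenInterface $token, $object, array $attributes)
 $roles = $this->extractRoles($token);
 
 foreach ($attributes as $attribute) {
+if ($attribute instanceof RoleInterface) {
+$attribute = $attribute->getRole();
+}
+
 if (!$this->supportsAttribute($attribute)) {
 continue;
 }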
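Review bot: In the `vote()` hunk, an attribute that is neither a string nor a `RoleInterface` is now skipped silently through `supportsAttribute()`, so a caller that passes a malformed attribute gets ACCESS_ABSTAIN where the old code failed loudly. Whether an all-abstain result ends as a denial depends on how the access decision manager is configured, which this page does not show, so the new branch deserves a comment such as `// Role objects are reduced to their string form; any other non-string attribute is ignored and the voter abstains.` The docblock of `supportsAttribute()` should likewise state that non-string input returns false. If `getRole()` can return a non-string (the `RoleInterface` contract is not visible here), the `is_string()` guard covers that too. The body of `vote()` continues outside the hunk.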

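--- a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php
@@ -43,6 +43,12 @@ public function getVoteTests()
 array(array('ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
 array(array('ROLE_FOO'), array('FOO', 'ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
 array(array('ROLE_BAR', 'ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
+
+// Test mixed Types
+array(array(), array(array()), VoterInterface::ACCESS_ABSTAIN),
+array(array(), array(new \stdClass()), VoterInterface::ACCESS_ABSTAIN),
+array(array('ROLE_BAR'), array(new Role('ROLE_BAR')), VoterInterface::ACCESS_GRANTED),
+array(array('ROLE_BAR'), array(new Role('ROLE_FOO')), VoterInterface::ACCESS_DENIED),
 );
 }
 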
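Review bot: The new mixed-type rows in `getVoteTests()` cover an array, a `stdClass` and `Role` objects, but no scalar non-string such as `null` or an integer, which take the same `is_string()` path in `supportsAttribute()`. Adding `array(array(), array(null), VoterInterface::ACCESS_ABSTAIN),` and an integer row would pin that fail-closed behaviour. `Role` is used unqualified in the new rows and its `use` import is not visible in this hunk, so confirm the test file imports it. The provider's body starts outside the hunk.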
