symfony
diff --git a/‎UPGRADE-7.3.md
Lines changed: 1 addition & 0 deletions b/‎UPGRADE-7.3.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
Lines changed: 3 additions & 5 deletions b/‎src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
Lines changed: 3 additions & 5 deletions
diff --git a/‎src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php
Lines changed: 58 additions & 28 deletions b/‎src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php
Lines changed: 58 additions & 28 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 0 additions & 9 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 0 additions & 9 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/templating_twig.php
Lines changed: 0 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/templating_twig.php
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Security.php
Lines changed: 12 additions & 13 deletions b/‎src/Symfony/Bundle/SecurityBundle/Security.php
Lines changed: 12 additions & 13 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php
Lines changed: 0 additions & 31 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php
Lines changed: 0 additions & 31 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Lines changed: 18 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php
Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php
Lines changed: 0 additions & 31 deletions b/‎src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php
Lines changed: 0 additions & 31 deletions
@@ -16,6 +16,7 @@ Ldap
 Security
 --------
 
+ * Add `AuthorizationCheckerInterface::isGrantedForUser()` to test user authorization without relying on the session
  * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`;
    erase credentials e.g. using `__serialize()` instead
 
 
@@ -14,7 +14,6 @@
 use Symfony\Component\Security\Acl\Voter\FieldVote;
 use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
-use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Impersonate\ImpersonateUrlGenerator;
@@ -31,7 +30,6 @@ final class SecurityExtension extends AbstractExtension
     public function __construct(
         private ?AuthorizationCheckerInterface $securityChecker = null,
         private ?ImpersonateUrlGenerator $impersonateUrlGenerator = null,
-        private ?UserAuthorizationCheckerInterface $userSecurityChecker = null,
     ) {
     }
 
@@ -58,8 +56,8 @@ public function isGranted(mixed $role, mixed $object = null, ?string $field = nu
 
     public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null, ?AccessDecision $accessDecision = null): bool
     {
-        if (!$this->userSecurityChecker) {
-            throw new \LogicException(\sprintf('An instance of "%s" must be provided to use "%s()".', UserAuthorizationCheckerInterface::class, __METHOD__));
+        if (null === $this->securityChecker) {
+            return false;
         }
 
         if (null !== $field) {
@@ -71,7 +69,7 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s
         }
 
         try {
-            return $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);
+            return $this->securityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);
         } catch (AuthenticationCredentialsNotFoundException) {
             return false;
         }
 
@@ -15,12 +15,23 @@
 use Symfony\Bridge\PhpUnit\ClassExistsMock;
 use Symfony\Bridge\Twig\Extension\SecurityExtension;
 use Symfony\Component\Security\Acl\Voter\FieldVote;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
+use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
-use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 class SecurityExtensionTest extends TestCase
 {
+    public static function setUpBeforeClass(): void
+    {
+        ClassExistsMock::register(SecurityExtension::class);
+    }
+
+    protected function tearDown(): void
+    {
+        ClassExistsMock::withMockedClasses([FieldVote::class => true]);
+    }
+
     /**
      * @dataProvider provideObjectFieldAclCases
      */
@@ -39,17 +50,16 @@ public function testIsGrantedCreatesFieldVoteObjectWhenFieldNotNull($object, $fi
 
     public function testIsGrantedThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist()
     {
-        if (!class_exists(UserAuthorizationCheckerInterface::class)) {
+        if (!method_exists(AuthorizationChecker::class, 'isGrantedForUser')) {
             $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
         }
 
         $securityChecker = $this->createMock(AuthorizationCheckerInterface::class);
 
-        ClassExistsMock::register(SecurityExtension::class);
         ClassExistsMock::withMockedClasses([FieldVote::class => false]);
 
         $this->expectException(\LogicException::class);
-        $this->expectExceptionMessageMatches('Passing a $field to the "is_granted()" function requires symfony/acl.');
+        $this->expectExceptionMessage('Passing a $field to the "is_granted()" function requires symfony/acl.');
 
         $securityExtension = new SecurityExtension($securityChecker);
         $securityExtension->isGranted('ROLE', 'object', 'bar');
@@ -60,38 +70,41 @@ public function testIsGrantedThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist
      */
     public function testIsGrantedForUserCreatesFieldVoteObjectWhenFieldNotNull($object, $field, $expectedSubject)
     {
-        if (!class_exists(UserAuthorizationCheckerInterface::class)) {
+        if (!method_exists(AuthorizationChecker::class, 'isGrantedForUser')) {
             $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
         }
 
         $user = $this->createMock(UserInterface::class);
-        $userSecurityChecker = $this->createMock(UserAuthorizationCheckerInterface::class);
-        $userSecurityChecker
-            ->expects($this->once())
-            ->method('isGrantedForUser')
-            ->with($user, 'ROLE', $expectedSubject)
-            ->willReturn(true);
+        $securityChecker = new class implements AuthorizationCheckerInterface {
+            public UserInterface $user;
+            public mixed $attribute;
+            public mixed $subject;
+
+            public function isGranted(mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
+            {
+                throw new \BadMethodCallException('This method should not be called.');
+            }
+
+            public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
+            {
+                $this->user = $user;
+                $this->attribute = $attribute;
+                $this->subject = $subject;
+
+                return true;
+            }
+        };
 
-        $securityExtension = new SecurityExtension(null, null, $userSecurityChecker);
+        $securityExtension = new SecurityExtension($securityChecker);
         $this->assertTrue($securityExtension->isGrantedForUser($user, 'ROLE', $object, $field));
-    }
+        $this->assertSame($user, $securityChecker->user);
+        $this->assertSame('ROLE', $securityChecker->attribute);
 
-    public function testIsGrantedForUserThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist()
-    {
-        if (!class_exists(UserAuthorizationCheckerInterface::class)) {
-            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        if (null === $field) {
+            $this->assertSame($object, $securityChecker->subject);
+        } else {
+            $this->assertEquals($expectedSubject, $securityChecker->subject);
         }
-
-        $securityChecker = $this->createMock(UserAuthorizationCheckerInterface::class);
-
-        ClassExistsMock::register(SecurityExtension::class);
-        ClassExistsMock::withMockedClasses([FieldVote::class => false]);
-
-        $this->expectException(\LogicException::class);
-        $this->expectExceptionMessageMatches('Passing a $field to the "is_granted_for_user()" function requires symfony/acl.');
-
-        $securityExtension = new SecurityExtension(null, null, $securityChecker);
-        $securityExtension->isGrantedForUser($this->createMock(UserInterface::class), 'object', 'bar');
     }
 
     public static function provideObjectFieldAclCases()
@@ -105,4 +118,21 @@ public static function provideObjectFieldAclCases()
             ['object', 'field', new FieldVote('object', 'field')],
         ];
     }
+
+    public function testIsGrantedForUserThrowsWhenFieldNotNullAndFieldVoteClassDoesNotExist()
+    {
+        if (!method_exists(AuthorizationChecker::class, 'isGrantedForUser')) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        $securityChecker = $this->createMock(AuthorizationCheckerInterface::class);
+
+        ClassExistsMock::withMockedClasses([FieldVote::class => false]);
+
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Passing a $field to the "is_granted_for_user()" function requires symfony/acl.');
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $securityExtension->isGrantedForUser($this->createMock(UserInterface::class), 'ROLE', 'object', 'bar');
+    }
 }
@@ -31,8 +31,6 @@
 use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
-use Symfony\Component\Security\Core\Authorization\UserAuthorizationChecker;
-use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
@@ -69,12 +67,6 @@
             ])
         ->alias(AuthorizationCheckerInterface::class, 'security.authorization_checker')
 
-        ->set('security.user_authorization_checker', UserAuthorizationChecker::class)
-            ->args([
-                service('security.access.decision_manager'),
-            ])
-        ->alias(UserAuthorizationCheckerInterface::class, 'security.user_authorization_checker')
-
         ->set('security.token_storage', UsageTrackingTokenStorage::class)
             ->args([
                 service('security.untracked_token_storage'),
@@ -93,7 +85,6 @@
                 service_locator([
                     'security.token_storage' => service('security.token_storage'),
                     'security.authorization_checker' => service('security.authorization_checker'),
-                    'security.user_authorization_checker' => service('security.user_authorization_checker'),
                     'security.authenticator.managers_locator' => service('security.authenticator.managers_locator')->ignoreOnInvalid(),
                     'request_stack' => service('request_stack'),
                     'security.firewall.map' => service('security.firewall.map'),
 
@@ -26,7 +26,6 @@
             ->args([
                 service('security.authorization_checker')->ignoreOnInvalid(),
                 service('security.impersonate_url_generator')->ignoreOnInvalid(),
-                service('security.user_authorization_checker')->ignoreOnInvalid(),
             ])
             ->tag('twig.extension')
     ;
 
@@ -19,7 +19,6 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
-use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\Exception\LogoutException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -39,7 +38,7 @@
  *
  * @final
  */
-class Security implements AuthorizationCheckerInterface, UserAuthorizationCheckerInterface
+class Security implements AuthorizationCheckerInterface
 {
     public function __construct(
         private readonly ContainerInterface $container,
@@ -65,6 +64,17 @@ public function isGranted(mixed $attributes, mixed $subject = null, ?AccessDecis
             ->isGranted($attributes, $subject, $accessDecision);
     }
 
+    /**
+     * Checks if the attribute is granted against the user and optionally supplied subject.
+     *
+     * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.
+     */
+    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
+    {
+        return $this->container->get('security.authorization_checker')
+            ->isGrantedForUser($user, $attribute, $subject, $accessDecision);
+    }
+
     public function getToken(): ?TokenInterface
     {
         return $this->container->get('security.token_storage')->getToken();
@@ -150,17 +160,6 @@ public function logout(bool $validateCsrfToken = true): ?Response
         return $logoutEvent->getResponse();
     }
 
-    /**
-     * Checks if the attribute is granted against the user and optionally supplied subject.
-     *
-     * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.
-     */
-    public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
-    {
-        return $this->container->get('security.user_authorization_checker')
-            ->isGrantedForUser($user, $attribute, $subject, $accessDecision);
-    }
-
     private function getAuthenticator(?string $authenticatorName, string $firewallName): AuthenticatorInterface
     {
         if (!isset($this->authenticators[$firewallName])) {
 
@@ -11,8 +11,11 @@
 
 namespace Symfony\Component\Security\Core\Authorization;
 
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
  * AuthorizationChecker is the main authorization point of the Security component.
@@ -48,4 +51,19 @@ final public function isGranted(mixed $attribute, mixed $subject = null, ?Access
             array_pop($this->accessDecisionStack);
         }
     }
+
+    final public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
+    {
+        $token = new class($user->getRoles()) extends AbstractToken implements OfflineTokenInterface {};
+        $token->setUser($user);
+
+        $accessDecision ??= end($this->accessDecisionStack) ?: new AccessDecision();
+        $this->accessDecisionStack[] = $accessDecision;
+
+        try {
+            return $accessDecision->isGranted = $this->accessDecisionManager->decide($token, [$attribute], $subject, $accessDecision);
+        } finally {
+            array_pop($this->accessDecisionStack);
+        }
+    }
 }
@@ -15,6 +15,8 @@
  * The AuthorizationCheckerInterface.
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
+ *
+ * @method bool isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null)
  */
 interface AuthorizationCheckerInterface
 {
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,6 @@`
`14`	`14`	`use Symfony\Component\Security\Acl\Voter\FieldVote;`
`15`	`15`	`use Symfony\Component\Security\Core\Authorization\AccessDecision;`
`16`	`16`	`use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;`
`17`		`-use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;`
`18`	`17`	`use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;`
`19`	`18`	`use Symfony\Component\Security\Core\User\UserInterface;`
`20`	`19`	`use Symfony\Component\Security\Http\Impersonate\ImpersonateUrlGenerator;`
`@@ -31,7 +30,6 @@ final class SecurityExtension extends AbstractExtension`
`31`	`30`	`public function __construct(`
`32`	`31`	`private ?AuthorizationCheckerInterface $securityChecker = null,`
`33`	`32`	`private ?ImpersonateUrlGenerator $impersonateUrlGenerator = null,`
`34`		`- private ?UserAuthorizationCheckerInterface $userSecurityChecker = null,`
`35`	`33`	`) {`
`36`	`34`	`}`
`37`	`35`
`@@ -58,8 +56,8 @@ public function isGranted(mixed $role, mixed $object = null, ?string $field = nu`
`58`	`56`
`59`	`57`	`public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null, ?AccessDecision $accessDecision = null): bool`
`60`	`58`	`{`
`61`		`- if (!$this->userSecurityChecker) {`
`62`		`- throw new \LogicException(\sprintf('An instance of "%s" must be provided to use "%s()".', UserAuthorizationCheckerInterface::class, __METHOD__));`
	`59`	`+ if (null === $this->securityChecker) {`
	`60`	`+ return false;`
`63`	`61`	`}`
`64`	`62`
`65`	`63`	`if (null !== $field) {`
`@@ -71,7 +69,7 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s`
`71`	`69`	`}`
`72`	`70`
`73`	`71`	`try {`
`74`		`- return $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);`
	`72`	`+ return $this->securityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);`
`75`	`73`	`} catch (AuthenticationCredentialsNotFoundException) {`
`76`	`74`	`return false;`
`77`	`75`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@`
`26`	`26`	`->args([`
`27`	`27`	`service('security.authorization_checker')->ignoreOnInvalid(),`
`28`	`28`	`service('security.impersonate_url_generator')->ignoreOnInvalid(),`
`29`		`- service('security.user_authorization_checker')->ignoreOnInvalid(),`
`30`	`29`	`])`
`31`	`30`	`->tag('twig.extension')`
`32`	`31`	`;`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@`
`15`	`15`	`* The AuthorizationCheckerInterface.`
`16`	`16`	`*`
`17`	`17`	`* @author Johannes M. Schmitt <schmittjoh@gmail.com>`
	`18`	`+ *`
	`19`	`+ * @method bool isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null)`
`18`	`20`	`*/`
`19`	`21`	`interface AuthorizationCheckerInterface`
`20`	`22`	`{`