[RFC] Show voter information in the security profiler panel · Issue #17856 · symfony/symfony · GitHub
[RFC] Show voter information in the security profiler panel #17856
Closed
javiereguiluz opened this issue Feb 19, 2016 · 12 comments
Comments

@javiereguiluz (Member) opened the issue Feb 19, 2016

Problem

The security panel is not very useful because it provides little information:

(screenshot: security_before)

Solution

Could we show at least the information about the voters that granted/rejected access? A quick-and-dirty mockup of the idea:

(screenshot: security_after)

Questions:

  • Can this information be obtained in a reliable manner for any Symfony application?
  • Could we get inspiration from this bundle for implementing this feature? https://github.com/egulias/SecurityDebugCommandBundle
  • Do you miss any other important information in this panel?

Thanks!

@stof (Member) commented Feb 19, 2016

About what would you display the votes? There can be many decisions being taken during a page load.

@javiereguiluz (Member, Author) commented

@stof all of them then.

@javiereguiluz (Member, Author) commented

Sorry for the short answer. I just wonder if there is a reliable way to show what's going on regarding the security voters during a page load? (even for cases like the one you commented). Security is the most critical thing in an app and I feel that the profiler doesn't help users as much as it could.

@stof (Member) commented Feb 19, 2016

@javiereguiluz displaying the votes being done would require building a custom AccessDecisionManager to log the decisions being made. This is quite easy to do (build a decorating implementation and wrap the service in debug mode).
Registering the vote of each voter for each decision is harder to implement (especially to correlate them with the decision)

@linaori (Contributor) commented Feb 19, 2016

What about a voter handling N attributes? Something else that could be interesting, would be to display which attributes have been voted on and what the result was:

| Result  | Attribute                    | Source                               |
| ------- | ---------------------------- | ------------------------------------ |
| Granted | CAN_SEE_FOO                  | some/template/file.html.twig:50      |
| Denied  | CAN_SEE_BAR                  | SomeController:SomeAction:23         |
| Granted | IS_AUTHENTICATED_ANONYMOUSLY | access_control                       |
| Denied  | IS_AUTHENTICATED_FULLY       | SomeController:SomeAction Annotation |

This can easily be achieved via a backtrace in a decorator around the AuthorizationChecker (using the AuthorizationCheckerInterface), which will have no performance loss in prod.

In theory you can also automatically decorate voters and map their result and class. I think this feature would be more useful, as what's presented doesn't give me any useful information. Sure, I know which voter gave me a certain result, but that doesn't tell me where it happened or for what it happened.
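The two suggestions above (stof: decorate the `AccessDecisionManager` and log each decision; linaori: decorate the `AuthorizationChecker`, take a backtrace to record the call site, and wrap each voter to attribute its vote to a decision) fit together in one set of decorators. The following is an added example written for this thread, not code from Symfony or from either commenter. It assumes PHP 8 and the `symfony/security-core` interfaces as of Symfony 6 (`AccessDecisionManagerInterface::decide()`, `AuthorizationCheckerInterface::isGranted()`, `VoterInterface::vote()`); the class names `VoteLog`, `TraceableVoter`, `TraceableAccessDecisionManager` and `TraceableAuthorizationChecker`, the namespace `App\Security\Debug`, and the "first frame outside vendor/" heuristic for the source are all choices made for this example. The four classes are shown in one file for brevity.

```php
<?php
// Added example, not Symfony's own code. Assumes PHP 8 and Symfony 6 security-core interfaces.
// All class names below are hypothetical names chosen for this example.

namespace App\Security\Debug;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

/** In-memory record of every decision taken during a request, with the votes behind it. */
final class VoteLog
{
    public array $decisions = [];
    private array $open = [];              // stack of decision ids under evaluation (voters may nest checks)
    private ?string $pendingSource = null; // call site captured by the AuthorizationChecker decorator

    public function setPendingSource(?string $source): void
    {
        $this->pendingSource = $source;
    }

    public function openDecision(array $attributes, mixed $subject): int
    {
        $this->decisions[] = [
            'attributes' => $attributes,
            'subject'    => is_object($subject) ? get_class($subject) : gettype($subject),
            'source'     => $this->pendingSource, // null when decide() was called directly, e.g. by access_control
            'votes'      => [],
            'granted'    => null,
        ];
        $this->pendingSource = null;
        return $this->open[] = array_key_last($this->decisions);
    }

    public function recordVote(string $voterClass, int $vote): void
    {
        if ($this->open !== []) {
            $this->decisions[end($this->open)]['votes'][$voterClass] = $vote;
        }
    }

    public function closeDecision(int $id, bool $granted): void
    {
        $this->decisions[$id]['granted'] = $granted;
        array_pop($this->open);
    }

    /** Rows shaped like the table proposed above: result, attributes, source, plus each voter's vote. */
    public function rows(): array
    {
        $names = [VoterInterface::ACCESS_GRANTED => 'granted', VoterInterface::ACCESS_ABSTAIN => 'abstain', VoterInterface::ACCESS_DENIED => 'denied'];
        $str = fn ($a) => is_scalar($a) || $a instanceof \Stringable ? (string) $a : get_class($a);
        return array_map(fn (array $d) => [
            'result'     => $d['granted'] ? 'Granted' : 'Denied',
            'attributes' => implode(', ', array_map($str, $d['attributes'])),
            'source'     => $d['source'] ?? 'n/a (decide() called without AuthorizationChecker)',
            'votes'      => array_map(fn (int $v) => $names[$v] ?? (string) $v, $d['votes']),
        ], $this->decisions);
    }
}

/** Wraps one voter so its vote is attributed to the decision currently being evaluated. */
final class TraceableVoter implements VoterInterface
{
    public function __construct(private VoterInterface $inner, private VoteLog $log) {}

    public function vote(TokenInterface $token, mixed $subject, array $attributes): int
    {
        $vote = $this->inner->vote($token, $subject, $attributes);
        $this->log->recordVote(get_class($this->inner), $vote);
        return $vote;
    }
}

/** Decorates security.access.decision_manager: every decide() call becomes one logged decision. */
final class TraceableAccessDecisionManager implements AccessDecisionManagerInterface
{
    public function __construct(private AccessDecisionManagerInterface $inner, private VoteLog $log) {}

    public function decide(TokenInterface $token, array $attributes, mixed $object = null): bool
    {
        $id = $this->log->openDecision($attributes, $object);
        $granted = $this->inner->decide($token, $attributes, $object);
        $this->log->closeDecision($id, $granted);
        return $granted;
    }
}

/** Decorates security.authorization_checker: records where isGranted() was called from. */
final class TraceableAuthorizationChecker implements AuthorizationCheckerInterface
{
    public function __construct(private AuthorizationCheckerInterface $inner, private VoteLog $log) {}

    public function isGranted(mixed $attribute, mixed $subject = null): bool
    {
        $this->log->setPendingSource(self::callSite());
        return $this->inner->isGranted($attribute, $subject);
    }

    /** Heuristic: first frame outside this file and outside vendor/ (controller, listener or compiled template). */
    private static function callSite(): ?string
    {
        foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 20) as $frame) {
            $file = $frame['file'] ?? null;
            if ($file !== null && $file !== __FILE__ && !str_contains($file, DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR)) {
                return $file.':'.$frame['line'];
            }
        }
        return null;
    }
}
```

Wiring, for a dev-only service file: register `VoteLog` as a service, declare `TraceableAccessDecisionManager` with `decorates: security.access.decision_manager` and `TraceableAuthorizationChecker` with `decorates: security.authorization_checker`, passing each one the decorated service (`@<decorator id>.inner`) and the log; voters have to be wrapped one by one, e.g. by a compiler pass that replaces every `security.voter`-tagged service with a `TraceableVoter` around it (not shown). A data collector can then dump `VoteLog::rows()` into the profiler panel. Two caveats match what was said in this thread: a decision reached through `access_control` arrives at `decide()` without passing `isGranted()`, so its source is empty, and for a Twig `is_granted()` call the recorded file is the compiled template in the cache directory, not the `.twig` line.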

@javiereguiluz (Member, Author) commented

@iltar 👍 very nice! I like your idea.

@javiereguiluz (Member, Author) commented

@iltar @stof in #17887 I'm trying to implement your ideas. @iltar I have no idea about how to get the Source information of your table. Any clue? Thanks!

@linaori (Contributor) commented Feb 22, 2016

@javiereguiluz this is a bit more complicated. In the case of @Security annotations, you'd want to hook into the SecurityListener in the SFWEB, for the access_control into the AccessListener, and for the template I'm not entirely sure. However, for the template you should be able to somehow get the template source line numbers, as this is also available when debugging.

Sadly my experience ends here. A generic solution could be to decorate the AccessDecisionManager, but then a lot of stack traces would be meaningless :(

@anacona16 commented

+1. I do not know how much is complicated, but it would be very useful.

@TomasVotruba (Contributor) commented

👍 Very nice

@robfrawley (Contributor) commented

Related, and touching on a few ideas that would be helpful for the purpose of this issue: #17892.

@fabpot closed this as completed Mar 4, 2016
fabpot added a commit that referenced this issue Mar 4, 2016
…eguiluz)

This PR was squashed before being merged into the 3.1-dev branch (closes #17887).

Discussion
----------

Show more information in the security profiler

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #17856
| License       | MIT
| Doc PR        | -

This is an early prototype to explore the feature of displaying more information in the security panel. Example:

![profiler_security](https://cloud.githubusercontent.com/assets/73419/13221929/0235fc46-d97e-11e5-981a-249b7148f3a6.png)

Commits
-------

b12152d Show more information in the security profiler
@tristanbes (Contributor) commented

👍 Very useful when debugging voters, was wondering myself why it wasn't already here last week.

ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue Mar 25, 2018
…(javiereguiluz)
8 participants