[Security] $attributes can be anything, but RoleVoter assumes strings · Issue #18042 · symfony/symfony · GitHub
[Security] $attributes can be anything, but RoleVoter assumes strings #18042
Closed
@backbone87

Description

There are no limitations on the $attributes voted on, but the RoleVoter assumes the attributes are strings. The ExpressionVoter, for example, expects Expression(s) as attributes. The only reason the RoleVoter does not warn on the "blind" strpos is because Expression has a __toString method.
So currently, one can't use classes (Permission) as attributes that don't implement __toString.
I don't know if any other voter blindly expects string attributes -- this has to be checked.

Either the VoterInterface contract should be changed to indicate the use of "stringable" attributes or the RoleVoter needs to take non-stringable attributes into account.
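
The second option from the report, as an added sketch that is neither Symfony's code nor the reporter's: a role-style vote that checks the attribute type before the prefix comparison, so it abstains on attributes meant for other voters. `voteOnRoles`, `Permission` and `StringableExpression` are hypothetical names; the sketch assumes PHP 8, the default `ROLE_` prefix, and the integer values of the `VoterInterface` access constants.

```php
<?php
// Added illustration, not Symfony source. All names below are hypothetical.

// Same integer values as Symfony's VoterInterface access constants.
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// Attribute object without __toString(), like the "Permission" in the report.
final class Permission
{
    public function __construct(public string $name) {}
}

// Attribute object with __toString(), standing in for Expression.
final class StringableExpression
{
    public function __construct(private string $expr) {}
    public function __toString(): string { return $this->expr; }
}

// Role-style vote that only considers plain string attributes with the prefix.
function voteOnRoles(array $userRoles, array $attributes, string $prefix = 'ROLE_'): int
{
    $result = ACCESS_ABSTAIN;
    foreach ($attributes as $attribute) {
        // Type guard first: objects never reach strpos(), stringable or not,
        // so an object that happens to stringify to "ROLE_..." is not
        // mistaken for a role.
        if (!is_string($attribute) || strpos($attribute, $prefix) !== 0) {
            continue;
        }
        $result = ACCESS_DENIED;
        if (in_array($attribute, $userRoles, true)) {
            return ACCESS_GRANTED;
        }
    }
    return $result;
}

$roles = ['ROLE_USER']; // constructed sample data
var_dump(voteOnRoles($roles, ['ROLE_USER']));                  // role held by the user
var_dump(voteOnRoles($roles, ['ROLE_ADMIN']));                 // role not held
var_dump(voteOnRoles($roles, [new Permission('edit')]));       // object without __toString
var_dump(voteOnRoles($roles, [new StringableExpression('ROLE_ADMIN')])); // stringable object
```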
