Simpler roles check in AuthorizationVoters #20748
Comments
|
Isn't the real issue we have to solve "simply" that we need to find out why in your case you get the (not expected) circular reference exception? |
|
I ran away from the circular reference issue by just playing with the token roles and then being annoyed by it not handing me all available roles for that login/user. I guess this is two issues in one and the circular reference was more a digression in this issue, but it may as well be a bug. I reintroduced the decisionManager to my voter (by pure cut&paste from the docs) and then it's back. I would guess the reason this does not bomb in the dev environment is that there it's the DebugAccessDecisionManager. ./bin/console --env=prod -v cache:clear Exception trace: |
|
@xabbuh the whole issue here is that people need the access decision manager/authorization checker to see if a certain implicit role is present. This means that every As roles are part of the authentication and not authorization (used to identify), I don't see why the role hierarchy should be calculated doing authorization instead of authentication. My suggestion would be to calculate this during login and store it in the token. |
|
Well, it would fix what I was asking for in this issue :=) The bug was really a digression I should have dropped. (But it was the reason I felt the need of all roles from the token.) Maybe it's better to split this into two, this one with the original subject, aka "All roles (on that user) in $token->getRoles()" and a new issue with "Circular reference detected for service "security.access.decision_manager"," |
|
@thomasez I agree with you. So for your second issue it would be wonderful if could come up with a fork of the Symfony Standard Edition containing the changes that are necessary to reproduce your issue. |
|
ping @thomasez Any news here? :) |
|
Started on it, got slabbed with alot of work. I'll see what I can do. |
|
There it is. composer update && ./bin/console --env=prod -v cache:clear Should be enough. No need to create a database. |
|
Hmm, I removed jms/security-extra-bundle and the issue goes away. I presume this can be dropped as a symfony bug and rather report this on the specific bundle. |
|
Closing it as per @thomasez comments. @iltar if you think we should do what you proposed in #20748 (comment) please create a new issue. Thanks! |
Using Symfony 3.2 with FosUserBundle and needing to check the roles in a voter I followed the instructions in the documentation. http://symfony.com/doc/master/security/voters.html#checking-for-roles-inside-a-voter
Warming up the cache in the dev environment workes and the voter seems to work aswell.
In "prod" on the other hand, I get this one:
Checking roles from inside a voter could be a lot simpler with just checking them against the token instead of having to inject the decisionManager.
But this isn't that easy as long as we use a role hierarchy. Checking against each of the roles in the hierarchy is a hack I would like not to add.
Could it be possible to add access to the calculated ("expanded"?) hierarchy from the token? This could be done in the login process to avoid having to calculate each time.
The text was updated successfully, but these errors were encountered: