Description
Symfony version(s) affected: tested on 5.0.10 (but from what I see in a code,
Description
Basically each voter in dev/test env is wrapped in \Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter proxy. In that commit @nicolas-grekas added return type int. Because there is no "strict types" in file...all return results are type juggled to int.
In prod env, there is no such proxy so the result is not juggled into an int.
Voter Result is used in \Symfony\Component\Security\Core\Authorization\AccessDecisionManager where it is strictly compared.
How to reproduce
There are several possible solutions, and I would be happy to implement it. However, I do not know properly the "Symfony way" to contribute. So I am going to be more than happy by pointing to the correct solution:
-
Option nr . 1 Use strict types in TraceableVoter -> It will throw an error if someone's voter will return different type than boolean.
disadventages: backward-incompatible, some projects may not handle such error + I did not see using strict_types in Symfony(surprised tbh). -
Option nr . 2 Cast return from Voter in AccessDecisionManager into "int". I think it is an ugly version, but most likely to be correct here
-
Option nr. 3 remove return type declaration from vote method (after allis cause the problem). There is no such declaration in VoterInterface
-
Option nr. 4 - most elegant imho. Adding the return type declaration in VoterInterface. however in breaks backward compatibility so that solution can be introduced in 6.0 framework.
Additional context