[Security] Docs unclear on roles property of access_control · Issue #6555 · symfony/symfony · GitHub
Closed
scoolen opened this issue Jan 4, 2013 · 8 comments

scoolen (Contributor) commented Jan 4, 2013

Suppose I have the following hierarchy of roles and access control definition:

role_hierarchy:
    ROLE_FOO: ROLE_USER
    ROLE_BAR: ROLE_USER

access_control:
    - { path: "^/some/where.*", roles: [ROLE_FOO, ROLE_BAR] }

I interpret this as: "Access is granted if user has one of the roles FOO or BAR"
And that is the way it appears to work with the default affirmative strategy.

However, with the unanimous strategy I believe it works counter-intuitively: "Access is granted if user has all of the roles FOO and BAR"

I guess I missed the s in the documentation:

The idea of a "role" is key to the authorization process. Each user is assigned a set of roles and then each resource requires one or more roles. If the user has the required roleS, access is granted. Otherwise access is denied.

Also

The process of authorization has two different sides:

  1. The user has a specific set of roles;
  2. A resource requires a specific role in order to be accessed.

Apart from declaring just ROLE_USER how would it be possible in the latter situation to grant two different roles access to the same resource?

Then, if you look at security.yml in symfony-standard it has two example entries under access_control:

#- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
#- { path: ^/_internal/secure, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }

This suggests _roles_ is more than just roles. The AuthenticatedVoter (in this example) and any custom voters are also called with the attributes of the roles property.

scoolen (Contributor, Author) commented Jan 4, 2013

BTW I would be happy to update the documentation if necessary

alexandresalome commented

Strategies don't apply to roles, they are only used to aggregate votes from voters.
access_control does not rely on AccessDecisionManager.

This issue should be addressed to documentation repository https://github.com/symfony/symfony-docs

scoolen (Contributor, Author) commented Jan 8, 2013

I am fairly certain access_control is used by firewalls in the authorization process and does trigger the AccessDecisionManager:
https://github.com/symfony/Security/blob/master/Http/Firewall/AccessListener.php#L72-74

stof (Member) commented Jan 8, 2013

@scoolen it triggers the AccessDecisionManager because it is the one doing the decision. But the strategy used by the manager has nothing to do here. The strategy decides how the decisions of the different voters are taken into account to do the final decision. It has no impact on the way the RoleVoter does its own decision (the RoleVoter always does an OR when given several role names).

scoolen (Contributor, Author) commented Jan 8, 2013

But that's what my issue is about. If you require two roles, which I accidentally interpreted as "either one of those roles", it appears to work (because of the looser strategy) in the default affirmative strategy, but doesn't work in unanimous mode.

I guess alexandresalome is right and my (somewhat semantic) problem is a docs issue and belongs there.

But still my question remains:

Apart from declaring just ROLE_USER how would it be possible in the latter situation to grant two different roles access to the same resource?

Thanks for the swift response btw
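The exchange above (the OR inside the RoleVoter, the strategy that combines voters, and the question of how to open one path to two different roles) can be made concrete with a small model. The following is an added example, not code from the Symfony project or from anyone in this thread: the constants, function names and the hypothetical role ROLE_SOME_WHERE are mine. It deliberately reproduces one detail of Symfony's AccessDecisionManager that explains what scoolen observed: the affirmative strategy hands every voter the whole attribute list at once (so the RoleVoter can OR over it), while the unanimous strategy asks each voter about each attribute separately, so a single role the user lacks produces a DENIED vote and the list behaves like an AND.

```php
<?php
// Added example: a stripped-down model of how Symfony's AccessDecisionManager
// combines voter results. Not Symfony's code; names are mine. The role
// hierarchy below is the one from the issue plus a hypothetical ROLE_SOME_WHERE.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

const ROLE_HIERARCHY = [
    'ROLE_FOO' => ['ROLE_USER', 'ROLE_SOME_WHERE'],
    'ROLE_BAR' => ['ROLE_USER', 'ROLE_SOME_WHERE'],
];

// Expand a user's roles transitively through the hierarchy.
function reachableRoles(array $roles): array
{
    $seen  = [];
    $queue = $roles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($seen[$role])) {
            continue;
        }
        $seen[$role] = true;
        foreach (ROLE_HIERARCHY[$role] ?? [] as $child) {
            $queue[] = $child;
        }
    }
    return array_keys($seen);
}

// RoleVoter: abstains when no ROLE_* attribute is present; otherwise GRANTED
// as soon as the user holds one of them (an OR over the attributes it is given),
// DENIED if it holds none of them.
function roleVoter(array $userRoles, array $attributes): int
{
    $vote = ACCESS_ABSTAIN;
    foreach ($attributes as $attr) {
        if (strpos($attr, 'ROLE_') !== 0) {
            continue;
        }
        $vote = ACCESS_DENIED;
        if (in_array($attr, $userRoles, true)) {
            return ACCESS_GRANTED;
        }
    }
    return $vote;
}

// AuthenticatedVoter: only reacts to IS_AUTHENTICATED_* attributes, which is why
// those can sit in the same "roles" list as ROLE_* names.
function authenticatedVoter(bool $authenticated, array $attributes): int
{
    $vote = ACCESS_ABSTAIN;
    foreach ($attributes as $attr) {
        if ($attr === 'IS_AUTHENTICATED_ANONYMOUSLY') {
            return ACCESS_GRANTED;
        }
        if ($attr === 'IS_AUTHENTICATED_FULLY') {
            $vote = ACCESS_DENIED;
            if ($authenticated) {
                return ACCESS_GRANTED;
            }
        }
    }
    return $vote;
}

// The decision manager: the strategy only governs how voter results are merged.
function decide(string $strategy, array $userRoles, bool $authenticated, array $attributes): bool
{
    $roles  = reachableRoles($userRoles);
    $voters = [
        fn(array $attrs) => roleVoter($roles, $attrs),
        fn(array $attrs) => authenticatedVoter($authenticated, $attrs),
    ];

    if ($strategy === 'affirmative') {
        // Every voter sees the full attribute list; one GRANTED is enough.
        foreach ($voters as $voter) {
            if ($voter($attributes) === ACCESS_GRANTED) {
                return true;
            }
        }
        return false;
    }

    if ($strategy === 'unanimous') {
        // Each attribute is voted on separately; any DENIED ends the decision.
        $grant = 0;
        foreach ($voters as $voter) {
            foreach ($attributes as $attr) {
                $r = $voter([$attr]);
                if ($r === ACCESS_DENIED) {
                    return false;
                }
                if ($r === ACCESS_GRANTED) {
                    $grant++;
                }
            }
        }
        return $grant > 0;
    }

    throw new InvalidArgumentException("unknown strategy: $strategy");
}

// A user holding only ROLE_FOO, checked against the issue's access_control rule.
$rule = ['ROLE_FOO', 'ROLE_BAR'];
printf("affirmative, [FOO, BAR]: %s\n", decide('affirmative', ['ROLE_FOO'], true, $rule) ? 'granted' : 'denied');
printf("unanimous,   [FOO, BAR]: %s\n", decide('unanimous',   ['ROLE_FOO'], true, $rule) ? 'granted' : 'denied');

// Same user, with the rule rewritten to a single role that both FOO and BAR
// inherit through role_hierarchy, so only one attribute is ever voted on.
printf("unanimous,   [SOME_WHERE] as FOO:  %s\n", decide('unanimous', ['ROLE_FOO'],  true, ['ROLE_SOME_WHERE']) ? 'granted' : 'denied');
printf("unanimous,   [SOME_WHERE] as USER: %s\n", decide('unanimous', ['ROLE_USER'], true, ['ROLE_SOME_WHERE']) ? 'granted' : 'denied');
```

The last two calls show the configuration-only answer to the question of granting two roles access to one path without depending on the strategy: give both roles a common child in role_hierarchy (here the hypothetical ROLE_SOME_WHERE, i.e. `ROLE_FOO: [ROLE_USER, ROLE_SOME_WHERE]` and `ROLE_BAR: [ROLE_USER, ROLE_SOME_WHERE]`) and list only that one role in the access_control entry. With a single attribute there is nothing for the unanimous strategy to AND across, and the rule means the same thing under every strategy.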

stof (Member) commented Jan 9, 2013

Use JMSSecurityExtraBundle which provides a very powerful expression-based voter: http://jmsyst.com/bundles/JMSSecurityExtraBundle/master/expressions

cordoval (Contributor) commented Dec 6, 2013

ping @fabpot this is good to close 👶

fabpot (Member) closed this as completed Dec 6, 2013