[SecurityBundle] allow using custom function inside allow_if expressions #26660
Conversation
| @@ -31,6 +31,10 @@ | |||
| <tag name="cache.pool" /> | |||
| </service> | |||
|
|
|||
| <service id="cache.security_expression_language" parent="cache.system" public="false"> | |||
There was a problem hiding this comment.
public="false"
no need, that's already the default oups no sorry, having "parent", this is required!
There was a problem hiding this comment.
shouldn't this service be defined in SecurityBundle?
There was a problem hiding this comment.
Yes makes more sense 👍
And we need to require symfony/framework-bundle then to have cache.system available?
There was a problem hiding this comment.
Or we only use the cache if the parent service cache.system is available?
There was a problem hiding this comment.
framework-bundle is an implicit dep of any bundle, so no need
There was a problem hiding this comment.
and the fact that you reference cache.security_expression_language in SecurityBundle already creates this dependency anyway.
I agree about moving it to SecurityBundle
| foreach ($container->findTaggedServiceIds('security.expression_language_provider', true) as $id => $attributes) { | ||
| $definition->addMethodCall('addExpressionLanguageProvider', array(new Reference($id))); | ||
| $definition->addMethodCall('registerProvider', array(new Reference($id))); |
There was a problem hiding this comment.
This change should be applied to the 3.4 branch IMO, so that 3.4 does not trigger a deprecation warning when using the 4.1 component (registering it during the instantiation of the right service is a bugfix anyway, even though the bug was unlikely to happen before this PR because the security.expression_language was not injected anywhere else than in security.access.expression_voter by default)
There was a problem hiding this comment.
Will create a separate PR for 3.4 then 👍
There was a problem hiding this comment.
@symfony/mergers We should merge #26802 first (and propagate it to master) and then rebase this branch before merging it, so that this diff disappears.
There was a problem hiding this comment.
#26802 has now been merged up to master.
There was a problem hiding this comment.
I squashed my commits and rebased. Diff is gone now 👍
| @@ -31,6 +31,10 @@ | |||
| <tag name="cache.pool" /> | |||
| </service> | |||
|
|
|||
| <service id="cache.security_expression_language" parent="cache.system" public="false"> | |||
There was a problem hiding this comment.
and the fact that you reference cache.security_expression_language in SecurityBundle already creates this dependency anyway.
I agree about moving it to SecurityBundle
| @@ -195,5 +197,12 @@ | |||
| <argument type="service" id="security.token_storage" /> | |||
| <argument type="service" id="security.encoder_factory" /> | |||
| </service> | |||
|
|
|||
| <!-- Cache Warmers --> | |||
| <service id="security.cache_warmer.expression_cache_warmer" class="Symfony\Bundle\SecurityBundle\CacheWarmer\ExpressionCacheWarmer"> | |||
There was a problem hiding this comment.
If ExpressionLanguage is not available, this cache warmer should not be registered, because it would still try to instantiate security.expression_language.
We already have code in the DI extension removing the relevant services. This one must be added in the list (and a simpler way for maintenance could be to move all services related to ExpressionLanguage to a separate XML file, which could be loaded conditionally).
There was a problem hiding this comment.
Its done now here as well: adab5ce
If the ExpressionLanguage is not available then it fails when using allow_if. So we can safely remove the definition if there are no expressions and it should be fine?
| <!-- Cache Warmers --> | ||
| <service id="security.cache_warmer.expression_cache_warmer" class="Symfony\Bundle\SecurityBundle\CacheWarmer\ExpressionCacheWarmer"> | ||
| <tag name="kernel.cache_warmer"></tag> | ||
| <argument type="tagged" tag="security.expression"></argument> |
There was a problem hiding this comment.
instead of relying on a tag, which creates an external extension point, you could inject this in the DI extension (based on $this->expressions)
There was a problem hiding this comment.
Is this what you meant?
| @@ -136,10 +134,6 @@ private function createRoleHierarchy(array $config, ContainerBuilder $container) | |||
|
|
|||
| private function createAuthorization($config, ContainerBuilder $container) | |||
| { | |||
| if (!$config['access_control']) { | |||
There was a problem hiding this comment.
@stof is this safe to just remove? It should always be an array?
|
|
||
| <!-- Cache Warmers --> | ||
| <service id="security.cache_warmer.expression" class="Symfony\Bundle\SecurityBundle\CacheWarmer\ExpressionCacheWarmer"> | ||
| <tag name="kernel.cache_warmer"></tag> |
There was a problem hiding this comment.
would use an empty <tag /> instead of a closing one (same below for argument)
| <!-- Cache Warmers --> | ||
| <service id="security.cache_warmer.expression" class="Symfony\Bundle\SecurityBundle\CacheWarmer\ExpressionCacheWarmer"> | ||
| <tag name="kernel.cache_warmer"></tag> | ||
| <argument /> <!-- collection of expression services --> |
| @@ -37,8 +37,13 @@ public function __construct(ExpressionLanguage $expressionLanguage, Authenticati | |||
| $this->roleHierarchy = $roleHierarchy; | |||
| } | |||
|
|
|||
| /** | |||
| * @deprecated since Symfony 4.1, register the provider directly on the injected ExpressionLanguage instance instead | |||
There was a problem hiding this comment.
missing dot at EOL (same below on runtime notice)
| class ExpressionCacheWarmer implements CacheWarmerInterface | ||
| { | ||
| /** | ||
| * @var iterable|Expression[] |
There was a problem hiding this comment.
I'd suggest to move this as @param on the constructor and remove any docblock for properties
| private $expressions; | ||
|
|
||
| /** | ||
| * @va F438 r ExpressionLanguage |
There was a problem hiding this comment.
should be removed (no need to put in on the constructor)
|
Doc PR: symfony/symfony-docs#9552 @nicolas-grekas @stof final review? 😊 |
… directly (dmaicher) This PR was merged into the 3.4 branch. Discussion ---------- [Security] register custom providers on ExpressionLanguage directly | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - This is a fix on 3.4 related to #26660. See the comment from @stof here: #26660 (comment) - fixes a bug where custom providers would not be registered when retrieving the `security.expression_language` instance without the `ExpressionVoter` being instantiated. - avoids deprecations on 3.4 when using the 4.1 patch in #26660 Commits ------- 3a55a86 [Security] register custom providers on ExpressionLanguage directly
|
Thank you @dmaicher. |
…low_if expressions (dmaicher) This PR was merged into the 4.1-dev branch. Discussion ---------- [SecurityBundle] allow using custom function inside allow_if expressions | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | no | Fixed tickets | #23208 | License | MIT | Doc PR | symfony/symfony-docs#9552 This is a follow-up for #26263 As discussed there I propose to allow using custom functions as a new feature only and thus targeting `master` here. If we agree to move forward with this there are some todos: - [x] fix tests - [x] add cache warmer for allow_if expressions - [x] update documentation to mention this new feature - [x] update UPGRADE files ping @nicolas-grekas @stof Commits ------- 41552cd [SecurityBundle] allow using custom function inside allow_if expressions
…, javiereguiluz) This PR was merged into the master branch. Discussion ---------- [Security] add tip about using custom functions Since 4.1 its possible to use custom functions inside security `allow_if` expressions. See symfony/symfony#26660 Commits ------- 44708ad Reword 8a96822 [Security] add tip about using custom functions
This is a follow-up for #26263
As discussed there I propose to allow using custom functions as a new feature only and thus targeting
masterhere.If we agree to move forward with this there are some todos:
ping @nicolas-grekas @stof