8000 Added access decision strategy to respect voter priority by aschempp · Pull Request #34548 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

Added access decision strategy to respect voter priority #34548

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Dec 18, 2019
Merged

Added access decision strategy to respect voter priority #34548

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
CHANGELOG
=========

5.1.0
-----

* Added security configuration for priority-based access decision strategy

5.0.0
-----

Expand Down
17 changes: 16 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ public function getConfigTreeBuilder()
->addDefaultsIfNotSet()
->children()
->enumNode('strategy')
->values([AccessDecisionManager::STRATEGY_AFFIRMATIVE, AccessDecisionManager::STRATEGY_CONSENSUS, AccessDecisionManager::STRATEGY_UNANIMOUS])
->values($this->getAccessDecisionStrategies())
->end()
->scalarNode('service')->end()
->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
Expand Down Expand Up @@ -386,4 +386,19 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
->end()
;
}

private function getAccessDecisionStrategies()
{
$strategies = [
AccessDecisionManager::STRATEGY_AFFIRMATIVE,
AccessDecisionManager::STRATEGY_CONSENSUS,
AccessDecisionManager::STRATEGY_UNANIMOUS,
];

if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
$strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
}

return $strategies;
}
}
5 changes: 5 additions & 0 deletions src/Symfony/Component/Security/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
CHANGELOG
=========

5.1.0
-----

* Added access decision strategy to override access decisions by voter service priority

5.0.0
-----

Expand Down
25 changes: 25 additions & 0 deletions src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
const STRATEGY_AFFIRMATIVE = 'affirmative';
const STRATEGY_CONSENSUS = 'consensus';
const STRATEGY_UNANIMOUS = 'unanimous';
const STRATEGY_PRIORITY = 'priority';

private $voters;
private $strategy;
Expand Down Expand Up @@ -181,4 +182,28 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje

return $this->allowIfAllAbstainDecisions;
}

/**
* Grant or deny access depending on the first voter that does not abstain.
* The priority of voters can be used to overrule a decision.
*
* If all voters abstained from voting, the decision will be based on the
* allowIfAllAbstainDecisions property value (defaults to false).
*/
private function decidePriority(TokenInterface $token, array $attributes, $object = null)
{
foreach ($this->voters as $voter) {
$result = $voter->vote($token, $object, $attributes);

if (VoterInterface::ACCESS_GRANTED === $result) {
return true;
}

if (VoterInterface::ACCESS_DENIED === $result) {
return false;
}
}

return $this->allowIfAllAbstainDecisions;
}
}
25 changes: 25 additions & 0 deletions src/Symfony/Component/Security/Core/Tests/Authorization/AccessDecisionManagerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,31 @@ public function getStrategyTests()

[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), false, true, false],
[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), true, true, true],

// priority
[AccessDecisionManager::STRATEGY_PRIORITY, [
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
$this->getVoter(VoterInterface::ACCESS_GRANTED),
$this->getVoter(VoterInterface::ACCESS_DENIED),
$this->getVoter(VoterInterface::ACCESS_DENIED),
], true, true, true],

[AccessDecisionManager::STRATEGY_PRIORITY, [
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
$this->getVoter(VoterInterface::ACCESS_DENIED),
$this->getVoter(VoterInterface::ACCESS_GRANTED),
$this->getVoter(VoterInterface::ACCESS_GRANTED),
], true, true, false],

[AccessDecisionManager::STRATEGY_PRIORITY, [
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
], false, true, false],

[AccessDecisionManager::STRATEGY_PRIORITY, [
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
], true, true, true],
];
}

Expand Down
0