8000 [Security][SecurityBundle] User authorization checker by natewiebe13 · Pull Request #48142 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security][SecurityBundle] User authorization checker #48142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 7, 2024
Merged

[Security][SecurityBundle] User authorization checker #48142

merged 1 commit into from
Dec 7, 2024

Conversation

natewiebe13
Copy link
Contributor
@natewiebe13 natewiebe13 commented Nov 7, 2022
edited
Loading
Q A
Branch? 7.3
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #43372
License MIT
Doc PR symfony/symfony-docs#18033

isGranted() assumes that it's checking against the currently logged in user. This provides the same functionality to check against a user during times when there isn't a session (cronjobs/commands, message queue, etc.) or for a different user than the one logged in.

Having this functionality allows for removing the dependency on sessions entirely for services reducing the number of issues that come up during a project because some underlying function was session dependent.

@carsonbot carsonbot added this to the 6.2 milestone Nov 7, 2022
@carsonbot

This comment was marked as outdated.

Sign in to view
derrabus
derrabus requested changes Nov 8, 2022
View reviewed changes
Copy link
Member
@derrabus derrabus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your PR.

@carsonbot carsonbot changed the title User authorization checker [Security][SecurityBundle] User authorization checker Nov 8, 2022
@derrabus derrabus modified the milestones: 6.2, 6.3 Nov 8, 2022
stof
stof reviewed Nov 8, 2022
View reviewed changes
src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php Outdated
|| AuthenticatedVoter::IS_AUTHENTICATED === $attribute
|| AuthenticatedVoter::IS_IMPERSONATOR === $attribute
|| AuthenticatedVoter::IS_REMEMBERED === $attribute) {
throw new InvalidArgumentException(sprintf('"%s" cannot decide on attribute "%s" as it requires checking the session. Use "%s" instead.', self::class, $attribute, AuthorizationCheckerInterface::class));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check should probably be done in the AuthenticatedVoter when passing it a UserAuthorizationCheckerToken instead of making a special case here (which would not work if a custom voter uses a delegated check on the authentication level as part of their logic, as this would pass the UserAuthorizationCheckerToken to the AuthenticatedVoter without going through this UserAuthorizationChecker)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Next push will include the voter abstaining if the token is marked with the interface. I feel like it's probably still useful to know if you're using the checker improperly, rather than getting unexpected results. Any concerns with leaving this check in as well?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure abstaining is always the right answer either though (the final decision won't ever be an abstain)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, I guess technically since the token is internal, it really shouldn't get this far. I'm good with moving the exception into the voter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

src/Symfony/Component/Security/Core/Security.php Outdated
@@ -79,6 +79,15 @@ public function isGranted(mixed $attributes, mixed $subject = null): bool
->isGranted($attributes, $subject);
}

/**
* Checks if the attributes are granted against the user and optionally supplied subject.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should explicitly document the differences with isGranted() IMO, to make its limitation clear

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated, is this what you were looking for?

@natewiebe13 natewiebe13 requested review from derrabus and removed request for wouterj and chalasr November 8, 2022 15:56
@natewiebe13 natewiebe13 force-pushed the user-authorization-checker branch from 8c0fc43 to 60d5d92 Compare November 8, 2022 18:03
@natewiebe13 natewiebe13 requested a review from derrabus November 8, 2022 20:34
HeahDude
HeahDude reviewed Nov 12, 2022
View reviewed changes
Copy link
Contributor
@HeahDude HeahDude left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice feature, thanks!

@natewiebe13 natewiebe13 force-pushed the user-authorization-checker branch from c36163a to d28b35e Compare November 28, 2022 15:48
@natewiebe13 natewiebe13 mentioned this pull request Dec 7, 2022
Closed
@VincentLanglet
Copy link
Contributor

This would be a great feature. What is missing to this PR @natewiebe13 @derrabus @stof ?

@derrabus
Copy link
Member

What is missing to this PR

Another round of reviews, I suppose. I'd very much like to see this feature shipped as well.

@fabpot fabpot modified the milestones: 7.2, 7.3 Nov 20, 2024
@natewiebe13 natewiebe13 force-pushed the user-authorization-checker branch 2 times, most recently from 8742756 to 260927f Compare December 3, 2024 20:51
@natewiebe13
Copy link
Contributor Author

Rebased for 7.3 🤞

@derrabus derrabus force-pushed the user-authorization-checker branch from 260927f to 3979093 Compare December 7, 2024 13:34
@derrabus derrabus force-pushed the user-authorization-checker branch from 3979093 to 096bfaa Compare December 7, 2024 13:41
@derrabus
Copy link
Member
derrabus commented Dec 7, 2024

It took time, but here we go, this is in now. Thank you very much @natewiebe13.

@derrabus derrabus merged commit 4612ff2 into symfony:7.3 Dec 7, 2024
8 of 11 checks passed
@natewiebe13 natewiebe13 mentioned this pull request Dec 7, 2024
Merged
@natewiebe13 natewiebe13 deleted the user-authorization-checker branch December 7, 2024 14:12
@derrabus derrabus mentioned this pull request Dec 7, 2024
Merged
smnandre
smnandre reviewed Dec 14, 2024
View reviewed changes
src/Symfony/Bundle/SecurityBundle/Security.php
*
* This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context.
*/
public function userIsGranted(UserInterface $user, mixed $attribute, mixed $subject = null): bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isUserGranted no ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 discussed internally, either this or isGrantedForUser()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see #59214

@xabbuh xabbuh mentioned this pull request Dec 15, 2024
Merged
@natewiebe13 natewiebe13 mentioned this pull request Jan 13, 2025
Open
This was referenced Feb 17, 2025
Closed
Merged
@fabpot fabpot mentioned this pull request May 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kbond kbond kbond left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@jdreesen jdreesen jdreesen left review comments

@sstok sstok sstok left review comments

@smnandre smnandre smnandre left review comments

@mleczakm mleczakm mleczakm left review comments

@chalasr chalasr chalasr left review comments

@HeahDude HeahDude HeahDude left review comments

@stof stof stof approved these changes

@94noni 94noni 94noni approved these changes

@derrabus derrabus derrabus approved these changes

@jeremyjaouen jeremyjaouen jeremyjaouen approved these changes

@dunglas dunglas Awaiting requested review from dunglas

@jderusse jderusse Awaiting requested review from jderusse

@xabbuh xabbuh Awaiting requested review from xabbuh

@yceruto yceruto Awaiting requested review from yceruto

@OskarStark OskarStark Awaiting requested review from OskarStark

Assignees
No one assigned
Labels
Feature Security SecurityBundle Status: Reviewed
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

Using isGranted() without a Session
0