[Security] Clarification on use of multiple roles within access_control · Issue #8355 · symfony/symfony-docs · GitHub

[Security] Clarification on use of multiple roles within access_control #8355

Closed
graemechapman opened this issue Sep 6, 2017 · 5 comments
Labels: hasPR (A Pull Request has already been submitted for this issue), Security
Comments

@graemechapman

The access_control documentation does not mention behaviour when restricting access by multiple roles.

The comment If the user does not have the given role(s), then access is denied seems to suggest that multiple roles should be possible and that, when defined with multiple roles, access is denied unless the user has ALL of the specified roles.

In practice though, the result of this is dependent upon the access decision manager strategy. It is unclear if this is intended but undocumented behaviour, or an issue that needs to be raised in Symfony.

The response to a related issue from 2013 (#3290) suggests that multiple roles will be handled with OR logic, but this does not seem to be the case, and I can't find anything in the documentation to confirm this.

@javiereguiluz
Member

Maybe @chalasr, who knows Symfony Security really well, can help us here. Thanks!

@chalasr
Member
chalasr commented May 28, 2018

When setting multiple roles in an access_control rule with the default access_decision_manager strategy (affirmative), the authenticated user must fulfil at least one role of the list in order to be authorized; it's an OR condition.
If you change the access_decision_manager strategy to unanimous, then the user must fulfil all roles of the list defined in the rule, meaning that it's an AND.

I agree that this could be made more explicit in the access_control documentation.
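The two behaviours described in the comment above, written out as an added security.yaml example (this is not from the thread, the linked PR, or the Symfony docs; the paths and role names are illustrative). Both variants use the same access_control rule; only the access_decision_manager strategy differs:

```yaml
# Variant 1: default strategy ("affirmative", used when access_decision_manager
# is not configured). Several roles in one rule are an OR: a user holding
# ROLE_EDITOR *or* ROLE_ADMIN is allowed into /manage.
security:
    access_control:
        - { path: ^/manage, roles: [ROLE_EDITOR, ROLE_ADMIN] }   # ROLE_EDITOR OR ROLE_ADMIN
        - { path: ^/admin,  roles: ROLE_ADMIN }
---
# Variant 2: strategy "unanimous". Each role in the list is voted on
# separately and any DENIED vote denies access, so the same rule now
# requires ALL listed roles: a user must hold both ROLE_EDITOR and
# ROLE_ADMIN to reach /manage.
security:
    access_decision_manager:
        strategy: unanimous
    access_control:
        - { path: ^/manage, roles: [ROLE_EDITOR, ROLE_ADMIN] }   # ROLE_EDITOR AND ROLE_ADMIN
        - { path: ^/admin,  roles: ROLE_ADMIN }
```

Two things worth checking before relying on either variant. First, the strategy is global: switching to unanimous changes every authorization decision in the application (isGranted() calls, security annotations, every other access_control rule), not just the rule you had in mind, so a rule elsewhere that listed several roles as alternatives silently becomes stricter. Second, if only one rule needs AND semantics, an `allow_if` expression on that rule (for example `allow_if: "has_role('ROLE_EDITOR') and has_role('ROLE_ADMIN')"` in the expression syntax of the 2.x/3.x line this thread's 2.8 branch belongs to; later versions replaced `has_role()` with `is_granted()`) expresses the conjunction explicitly on that rule and leaves the global strategy, and every other rule, untouched.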

@javiereguiluz javiereguiluz added hasPR A Pull Request has already been submitted for this issue. and removed Waiting feedback labels May 28, 2018
@javiereguiluz
Member

@chalasr that's a perfect explanation!! Thanks for your help. We're trying to improve this here: #9844.

javiereguiluz added a commit that referenced this issue May 29, 2018
…l (javiereguiluz)

This PR was merged into the 2.8 branch.

Discussion
----------

Better explain the use of multiple roles in access_control

This fixes #8355.

Commits
-------

8e5a4ee Better explain the use of multiple roles in access_control
@javiereguiluz
Member

Fixed by #9844.

@graemechapman
Author

@chalasr @javiereguiluz Thanks for the clarification!

3 participants