[Security][SecurityBundle] User authorization checker #48142
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
OskarStark
reviewed
Nov 8, 2022
...ony/Component/Security/Core/Tests/Authentication/Token/UserAuthorizationCheckerTokenTest.php
Outdated
Show resolved
Hide resolved
derrabus
requested changes
Nov 8, 2022
src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Tests/Authorization/UserAuthorizationCheckerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php
Outdated
Show resolved
Hide resolved
derrabus
reviewed
Nov 8, 2022
src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Outdated
Show resolved
Hide resolved
stof
reviewed
Nov 8, 2022
| || AuthenticatedVoter::IS_AUTHENTICATED === $attribute | ||
| || AuthenticatedVoter::IS_IMPERSONATOR === $attribute | ||
| || AuthenticatedVoter::IS_REMEMBERED === $attribute) { | ||
| throw new InvalidArgumentException(sprintf('"%s" cannot decide on attribute "%s" as it requires checking the session. Use "%s" instead.', self::class, $attribute, AuthorizationCheckerInterface::class)); |
There was a problem hiding this comment.
This check should probably be done in the AuthenticatedVoter when passing it a UserAuthorizationCheckerToken instead of making a special case here (which would not work if a custom voter uses a delegated check on the authentication level as part of their logic, as this would pass the UserAuthorizationCheckerToken to the AuthenticatedVoter without going through this UserAuthorizationChecker)
There was a problem hiding this comment.
Next push will include the voter abstaining if the token is marked with the interface. I feel like it's probably still useful to know if you're using the checker improperly, rather than getting unexpected results. Any concerns with leaving this check in as well?
There was a problem hiding this comment.
I'm not sure abstaining is always the right answer either though (the final decision won't ever be an abstain)
There was a problem hiding this comment.
True, I guess technically since the token is internal, it really shouldn't get this far. I'm good with moving the exception into the voter.
| @@ -79,6 +79,15 @@ public function isGranted(mixed $attributes, mixed $subject = null): bool | |||
| ->isGranted($attributes, $subject); | |||
| } | |||
|
|
|||
| /** | |||
| * Checks if the attributes are granted against the user and optionally supplied subject. | |||
There was a problem hiding this comment.
this should explicitly document the differences with isGranted() IMO, to make its limitation clear
There was a problem hiding this comment.
Updated, is this what you were looking for?
src/Symfony/Component/Security/Core/Authentication/Token/UserAuthorizationCheckerToken.php
Outdated
Show resolved
Hide resolved
8c0fc43 to
60d5d92
Compare
derrabus
reviewed
Nov 8, 2022
src/Symfony/Component/Security/Core/Authorization/UserAuthorizationChecker.php
Outdated
Show resolved
Hide resolved
HeahDude
reviewed
Nov 12, 2022
src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Outdated
Show resolved
Hide resolved
c36163a to
d28b35e
Compare
|
This would be a great feature. What is missing to this PR @natewiebe13 @derrabus @stof ? |
Another round of reviews, I suppose. I'd very much like to see this feature shipped as well. |
94noni
approved these changes
Jul 23, 2024
jeremyjaouen
approved these changes
Aug 12, 2024
8742756 to
260927f
Compare
|
Rebased for 7.3 🤞 |
stof
approved these changes
Dec 7, 2024
derrabus
approved these changes
Dec 7, 2024
260927f to
3979093
Compare
3979093 to
096bfaa
Compare
|
It took time, but here we go, this is in now. Thank you very much @natewiebe13. |
fabpot
added a commit
that referenced
this pull request
Dec 9, 2024
…rvice façade (derrabus) This PR was merged into the 7.3 branch. Discussion ---------- Remove ServiceSubscriberInterface implementation from Service façade | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | Follow-up to #48142 | License | MIT #48142 added a `ServiceSubscriberInterface` implementation to our `Security` façade, but that implementation is never consumed. If we did that, we would fail because the `security.firewall.event_dispatcher_locator` is hinted as a generic `ServiceLocator` which we cannot autowire. This is why I'd like to remove that implementation. Commits ------- a185129 Remove ServiceSubscriberInterface implementation
smnandre
reviewed
Dec 14, 2024
| * | ||
| * This should be used over isGranted() when checking permissions against a user that is not currently logged in or while in a CLI context. | ||
| */ | ||
| public function userIsGranted(UserInterface $user, mixed $attribute, mixed $subject = null): bool |
There was a problem hiding this comment.
👍 discussed internally, either this or isGrantedForUser()
fabpot
added a commit
that referenced
this pull request
Dec 16, 2024
…rantedForUser() (xabbuh) This PR was merged into the 7.3 branch. Discussion ---------- [Security][SecurityBundle] rename userIsGranted() to isGrantedForUser() | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | see #48142 (comment) | License | MIT Commits ------- 278d62c rename userIsGranted() to isGrantedForUser()
chalasr
added a commit
that referenced
this pull request
Dec 22, 2024
…)` function (natewiebe13) This PR was merged into the 7.3 branch. Discussion ---------- [SecurityBundle][TwigBridge] Add `is_granted_for_user()` function | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | N/A | License | MIT Twig function to accompany #48142 Commits ------- 82ff3a5 Add is_granted_for_user() function to twig
symfony-splitter
pushed a commit
to symfony/twig-bridge
that referenced
this pull request
Dec 22, 2024
…)` function (natewiebe13) This PR was merged into the 7.3 branch. Discussion ---------- [SecurityBundle][TwigBridge] Add `is_granted_for_user()` function | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | N/A | License | MIT Twig function to accompany symfony/symfony#48142 Commits ------- 82ff3a5e64f Add is_granted_for_user() function to twig
javiereguiluz
added a commit
to symfony/symfony-docs
that referenced
this pull request
Jan 3, 2025
…tion (natewiebe13) This PR was merged into the 7.3 branch. Discussion ---------- [Security] Add tip for using new isGrantedForUser() function Adds tip for using new `isGrantedForUser()` function from symfony/symfony#48142 Commits ------- c196b44 Add tip for using new isGrantedForUser() function
This was referenced Feb 17, 2025
chalasr
added a commit
that referenced
this pull request
Feb 21, 2025
…kas) This PR was merged into the 7.3 branch. Discussion ---------- [Security] Improve DX of recent additions | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | not really | Deprecations? | no | Issues | - | License | MIT This is a follow up of #48142 and #59150 which were merged recently into 7.3. Summary of the changes: - `UserAuthorizationChecker`, the implementation of the corresponding interface is merged into the existing `AuthorizationChecker`. - `AuthorizationChecker::isGranted()` is made aware of token changed by its new `isGrantedForUser()` method, so that calls to `is_granted()` nested into `is_granted_for_user()` calls will check the provided user, not the logged in one. - Replace the many arguments passed to `IsGranted`'s closures by 1. a new `IsGrantedContext` and 2. the `$subject`. This makes everything simpler, easier to discover, and more extensible. Thanks to the previous item, IsGrantedContext only needs the auth-checker, not the access-decision-manager anymore. Simpler again. - Fix to the tests, those were broken in both PRs. Commits ------- aa38eb8 [Security] Improve DX of recent additions
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
isGranted()assumes that it's checking against the currently logged in user. This provides the same functionality to check against a user during times when there isn't a session (cronjobs/commands, message queue, etc.) or for a different user than the one logged in.Having this functionality allows for removing the dependency on sessions entirely for services reducing the number of issues that come up during a project because some underlying function was session dependent.