Commit
feature #33584 [Security] Deprecate isGranted()/decide() on more than one attribute (wouterj)

This PR was squashed before being merged into the 4.4 branch (closes #33584).

Discussion
----------

[Security] Deprecate isGranted()/decide() on more than one attribute

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | -
| License       | MIT
| Doc PR        | tbd

While I expect it not to be used much, it is currently possible to call `isGranted()` on more than one attribute:

```php
if ($this->authorizationChecker->isGranted(['ROLE_USER', 'ROLE_ADMIN'])) {
    // ...
}
```

Supporting this includes a couple of problems/questions:

- It is not clear whether this is `OR` or `AND`;
- In fact, this is left over to the voter to decide upon. So it can vary for each voter and writers of new voters need to consider this (otherwise, you get issues like Leaseweb/LswSecureControllerBundle#4);
- It promotes voting over roles instead of actions.

I think we can do better. In the past, we've created all tooling for this to be self-explaining and easier:

```php
// ExpressionLanguage component (also includes other functions, like `is_granted('EDIT')`)
if ($this->authorizationChecker->isGranted("has_role('ROLE_USER') or has_role('ROLE_ADMIN')")) {
    // ...
}

// calling it multiple times in PHP (may reduce performance)
if ($this->authorizationChecker->isGranted('ROLE_USER')
    || $this->authorizationChecker->isGranted('ROLE_ADMIN')
) {
    // ...
}

// or by using Role Hierarchy, if a user really wants to vote on roles
```

This PR deprecates passing more than one attribute to `isGranted()` and `decide()` to remove this confusing bit in Security usage.

Backwards compatibility help
---

I need some help in how to approach changing the `VoterInterface::vote(TokenInterface $token, $subject, array $attributes)` method in a backwards compatible way. Removing `array` breaks all Voters, so does changing it to `string` and removing the parameter altogether.

Commits
-------

c64b0be [Security] Deprecate isGranted()/decide() on more than one attribute
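
The ambiguity described in the commit message, as an added example that is not part of the commit or of Symfony's code: two hypothetical voter functions (`anyOfVoter`, `allOfVoter`) receive the same two attributes for a constructed user holding only `ROLE_USER` and reach opposite decisions. The constants mirror the values of `VoterInterface::ACCESS_*`; `decideSingle` is a hypothetical guard that rejects outright the multi-attribute call this commit deprecates.

```php
<?php
// Values mirror VoterInterface::ACCESS_GRANTED / ACCESS_ABSTAIN / ACCESS_DENIED.
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED = -1;

function isRoleAttribute($attribute): bool
{
    return is_string($attribute) && strncmp($attribute, 'ROLE_', 5) === 0;
}

// Hypothetical voter: grants as soon as ANY attribute is held by the user (OR).
function anyOfVoter(array $userRoles, array $attributes): int
{
    $result = ACCESS_ABSTAIN;
    foreach ($attributes as $attribute) {
        if (!isRoleAttribute($attribute)) {
            continue; // unsupported attribute: keep abstaining
        }
        $result = ACCESS_DENIED;
        if (in_array($attribute, $userRoles, true)) {
            return ACCESS_GRANTED;
        }
    }
    return $result;
}

// Hypothetical voter: grants only if EVERY attribute is held by the user (AND).
function allOfVoter(array $userRoles, array $attributes): int
{
    $result = ACCESS_ABSTAIN;
    foreach ($attributes as $attribute) {
        if (!isRoleAttribute($attribute)) {
            continue;
        }
        if (!in_array($attribute, $userRoles, true)) {
            return ACCESS_DENIED;
        }
        $result = ACCESS_GRANTED;
    }
    return $result;
}

// Hypothetical guard: force callers to state OR/AND themselves.
function decideSingle(callable $voter, array $userRoles, array $attributes): int
{
    if (count($attributes) !== 1) {
        throw new InvalidArgumentException('Pass exactly one attribute; combine checks with || or &&.');
    }
    return $voter($userRoles, $attributes);
}

$userRoles = ['ROLE_USER'];                 // constructed sample user
$attributes = ['ROLE_USER', 'ROLE_ADMIN'];  // the ambiguous call from the commit message
printf("anyOf=%d allOf=%d\n", anyOfVoter($userRoles, $attributes), allOfVoter($userRoles, $attributes));
```

With an explicit `decideSingle(...) || decideSingle(...)` at the call site, both voters give the same answer, because the OR/AND choice no longer lives inside the voter.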