feature #31189 [Security] Add IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED (HeahDude)

This PR was merged into the 5.1-dev branch.

Discussion
----------

[Security] Add IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | #29848
| License       | MIT
| Doc PR        | symfony/symfony-docs#11487

This continues work of @HeahDude and finally finishes one of the code PRs I've been working on during the ⭐️ EUFOSSA Hackathon.

Changes
---

The PR modifies some of the attributes used by the `AuthenticatedVoter`:

* New `IS_IMPERSONATOR`, `IS_ANONYMOUS` and `IS_REMEMBERED` attributes are introduced to indicate the user is either impersonated, anonymous or remembered.
* <s>`IS_AUTHENTICATED_ANONYMOUSLY` actually meant "is authenticated, either anonymous or fully". As this is confusing, it is replaced by `IS_AUTHENTICATED`.</s>
* <s>All `is_*()` functions in expressions are deprecated in favor of `is_granted('IS_*')`. It's not worth duplicating the `AuthenticatedVoter` logic in two places now we have shorter `IS_*` attributes</s>

**Before**

```php
if ($authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN')) {
    // ...
}
```

<s>

```yaml
security:
    # ...
    access_control:
        - { path: ^/protected, roles: 'IS_AUTHENTICATED_ANONYMOUSLY' }
```

</s>

**After**

```php
if ($authorizationChecker->isGranted('IS_IMPERSONATOR')) {
    // ...
}
```

<s>

```yaml
security:
    # ...
    access_control:
        - { path: ^/protected, roles: 'IS_AUTHENTICATED' }
```

</s>

<s>Discussion
---

The only thing I'm wondering is how we combine this with the `is_authenticated()` expression function: https://github.com/symfony/symfony/blob/98929dc2927c59ba3e36b5547f2eae6316aa4740/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php#L33-L37

As you can see, the `IS_AUTHENTICATED` attribute and `is_authenticated()` expression function do not have the same meaning.
Should we somehow deprecate the current behavior of `is_authenticated()` or should we find another name for `IS_AUTHENTICATED` (that would be a shame imo).</s>

Commits
-------

6c522a7 Added IS_ANONYMOUS, IS_REMEMBERED, IS_IMPERSONATOR