bug #34304 [Security] Fix defining multiple roles per access_control …

…rule (chalasr) This PR was merged into the 4.4 branch. Discussion ---------- [Security] Fix defining multiple roles per access_control rule | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | symfony/symfony-docs#12371 needs to be reverted #33584 deprecated passing multiple attributes to `AccessDecisionManager::decide()`, but this change must not impact `access_control` as you cannot define multiple rules with the same criteria for request matching (the first match wins). Commits ------- 338b3df [Security] Fix defining multiple roles per access_control rule
symfony · Nov 9, 2019 · 758e266 · 758e266
2 parents d688a79 + 338b3df
commit 758e266
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -68,7 +68,14 @@ public function __invoke(RequestEvent $event)
             $this->tokenStorage->setToken($token);
         }
 
-        if (!$this->accessDecisionManager->decide($token, $attributes, $request)) {
+        $granted = false;
+        foreach ($attributes as $key => $value) {
+            if ($this->accessDecisionManager->decide($token, [$key => $value], $request)) {
+                $granted = true;
+            }
+        }
+
+        if (!$granted) {
             $exception = new AccessDeniedException();
             $exception->setAttributes($attributes);
             $exception->setSubject($request);