From 338b3dfd9f202c3c7af0f0d417365f64c317f057 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Sat, 9 Nov 2019 08:55:08 +0100
Subject: [PATCH] [Security] Fix defining multiple roles per access_control rule
---
 .../Component/Security/Http/Firewall/AccessListener.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
index a309ab14dd9e..9b032d844b01 100644
--- a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -68,7 +68,14 @@ public function __invoke(RequestEvent $event)
 $this->tokenStorage->setToken($token);
 }
 
- if (!$this->accessDecisionManager->decide($token, $attributes, $request)) {
+ $granted = false;
+ foreach ($attributes as $key => $value) {
+ if ($this->accessDecisionManager->decide($token, [$key => $value], $request)) {
+ $granted = true;
+ }
+ }
+
+ if (!$granted) {
 $exception = new AccessDeniedException();
 $exception->setAttributes($attributes);
 $exception->setSubject($request);
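Review bot: The new `foreach` in `__invoke` grants access as soon as any one attribute is approved, because each attribute is passed to `decide()` alone and the results are OR-ed into `$granted`, so the decision manager never gets to apply its configured strategy across the rule's attributes. If the manager uses a unanimous strategy, a rule listing several roles would presumably pass for a token that satisfies only one of them, which is looser than the removed single call. The cross-attribute decision should stay in the manager, e.g. `$granted = $this->accessDecisionManager->decide($token, $attributes, $request);` in place of the loop, with whatever made the multi-attribute call a problem handled inside the manager. If any-of semantics are intended, state that in a comment above the loop and add a test that runs a multi-role rule under the unanimous strategy. The body of `__invoke` starts and ends outside the hunk, so any earlier guard on `$attributes` is not visible here.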