[Symfony62] Replace Sensio Security

[wkania]

sensio-framework-extra-bundle is abandoned.
Some attributes have been implemented in Symfony 6.2 and Rector can already refactor code for them.
But, Security attribute will not be implemented in Symfony.
From what I know about Rector we can't currently make change from:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;

class PostController extends Controller
{
    #[Security("is_granted('ROLE_ADMIN') and is_granted('ROLE_FRIENDLY_USER')")]
    public function index()
    {
    }
}

to:

use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\Security\Http\Attribute\IsGranted;

class PostController extends Controller
{
    #[IsGranted(new Expression("is_granted('ROLE_ADMIN') and is_granted('ROLE_FRIENDLY_USER')"))]
    public function index()
    {
    }
}

This require a new rule, something custom like this?

[TomasVotruba]

Yes, this will need a custom rule, to handle the expressions.

[wkania]

It will be more complex :(
When there is a second optional argument:

#[Security("is_granted('ROLE_FRIENDLY_USER', author'])")]
public function showAction(User $author): Response

#[IsGranted(attribute: new Expression("is_granted('ROLE_FRIENDLY_USER', subject['author'])"), subject: ['author'])]
public function showAction(User $author): Response

[johanadivare]

Well its good to have these 2 cases in testfixure

[pepeh]

@wkania
Why not replace

#[Security("is_granted('ROLE_FRIENDLY_USER', author'])")]
public function showAction(User $author): Response

with

#[IsGranted('ROLE_FRIENDLY_USER', 'author')]
public function showAction(User $author): Response

[wkania]

@pepeh
Yes, you are right. My example was to simple.
In my opinion, these are the valid cases and probably many more:

-------------------
#[Security("is_granted('ROLE_ADMIN')")]
#[IsGranted('ROLE_ADMIN')]

-------------------
#[Security("is_granted('ASSET_EDIT', asset)")]
#[IsGranted('ASSET_EDIT', 'asset')]

-------------------
#[Security("is_granted('ORGANIZATION_VIEW', team.getOrganization())")]
#[IsGranted(attribute: new Expression("is_granted('ORGANIZATION_VIEW', subject['team'].getOrganization())"), subject: ['team'])]
// or
#[IsGranted('ORGANIZATION_VIEW', subject: new Expression('args["team"].getOrganization()'))]

// This will throw exception
#[IsGranted('ORGANIZATION_VIEW', 'team.getOrganization')]
Error: Could not find the subject "team.getOrganization" for the #[IsGranted] attribute. Try adding a "$team.getOrganization" argument to your controller method.

-------------------
#[Security("is_granted('ROLE_ADMIN') or type == 'new'")]
#[IsGranted(attribute: new Expression("is_granted('ROLE_ADMIN') or subject['type'] == 'new'"), subject: ['type'])]

-------------------
#[Security("is_granted('ROLE_ADMIN') or asset.getOrganization() == user.getOrganization()")]
#[IsGranted(attribute: new Expression("is_granted('ROLE_ADMIN') or subject['asset'].getOrganization() == user.getOrganization()"), subject: ['asset'])]
// user is one of the special variables

Rector could skip everything with "dot", "or" and "and". Those cases are probably to complex to be refactored automatically or with easy set of conditions.

[TomasVotruba]

Looking into this...

[TomasVotruba]

I've kicked off a rule to handle this: #622

Give it a try and let me know, what are the missed cases 🙏 Thanks