Skip to content

[Security] Use expression for #[IsGranted()] subject #17513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 24, 2023
Merged

[Security] Use expression for #[IsGranted()] subject #17513

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions security/expressions.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ and ``#[IsGranted()]`` attribute also accept an
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Attribute\IsGranted;

class MyController extends AbstractController
{
Expand Down Expand Up @@ -130,6 +131,69 @@ Additionally, you have access to a number of functions inside the expression:
true if the user has actually logged in during this session (i.e. is
full-fledged).

In case of the ``#[IsGranted()]`` attribute, the subject can also be an
:class:`Symfony\\Component\\ExpressionLanguage\\Expression` object::

// src/Controller/MyController.php
namespace App\Controller;

use App\Entity\Post;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Attribute\IsGranted;

class MyController extends AbstractController
{
#[IsGranted(
attribute: new Expression('user === subject'),
subject: new Expression('args["post"].getAuthor()'),
)]
public function index(Post $post): Response
{
// ...
}
}

In this example, we fetch the author of the post and use it as the subject. If the subject matches
the current user, then access will be granted.

The subject may also be an array where the key can be used as an alias for the result of an expression::

#[IsGranted(
attribute: new Expression('user === subject["author"] and subject["post"].isPublished()'),
subject: [
'author' => new Expression('args["post"].getAuthor()'),
'post',
],
)]
public function index(Post $post): Response
{
// ...
}

Here, access will be granted if the author matches the current user
and the post's ``isPublished()`` method returns ``true``.

You can also use the current request as the subject::

#[IsGranted(
attribute: '...',
subject: new Expression('request'),
)]
public function index(): Response
{
// ...
}

Inside the subject's expression, you have access to two variables:

``request``
The :ref:`Symfony Request <component-http-foundation-request>` object that
represents the current request.
``args``
An array of controller arguments that are passed to the controller.

Learn more
----------

Expand Down