[Security] Rename $subject to $object

[vudaltsov]

User creates an article. User is the subject (the one who does the action) and article is the object (what action is applied to). See https://www.lexico.com/en/grammar/subjects-and-objects or any other resource on the topic.

Currently we have a wrong variable name in Security, VoterInterface and exception classes. The AccessDecisionManagerInterface is nonetheless correct.

I propose to replace $subject with $object in 4.3 and redeprecate (see #19969) AccessDeniedException::(g|s)etSubject in master.

[garak]

I'm not a native English speaker, but I can argue that "subject" is used instead of "object" in e-mail domain too (where the subject should be the sender and the object should be the title of e-mail).
So I never seen "subject" wrong here, while I agree that consistency should be targeted.

[vudaltsov]

@garak , as far as i know, the subject in the e-mail domain is a brief summary of its contents.

[vudaltsov]

The evidence for the subject/object meaning in the access control domain can be found here: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems

Authentication is the method of proving the subjects identity.

A subject is an active entity that requests access to a resource

Same here: https://www.eit.lth.se/fileadmin/eit/courses/eit060/lect/Lect5.pdf.
And anywhere else, can be googled easily https://www.google.com/search?q=access+control+subject.

[romaricdrigon]

I understand why you dislike subject, but object feels less precise. Plus there's possible confusion with a PHP object, I think it makes the concept less clear to newcomers.

What about resource?

[vudaltsov]

@romaricdrigon , that's a cool idea, I like it! Feels like it will resolve any problems with meaning.

[jvasseur]

I think we renamed it from object to subject to clear the confusion with the PHP object type so I'm against going back to object (resource would have the same problem since it's also a PHP type).

[vudaltsov]

@jvasseur , I would disagree that nowadays PHP developers tend to judge about variable's type by its name in the first place. We all know that variable name is a semantic attribute in the first place, not a type declaration replacement. Variable name is the meaning of the value within the given context.

I think that resource is a better option, though. resource is not so commonly used, so it should minimize the type confusion. It's really hard to imagine that when smb sees AuthorizationCheckerInterface::isGranted($attributes, $resource = null): bool; the person decides to pass an fopen result or smth like that.

[vudaltsov]

@wouterj , what do you think about this issue?

[carsonbot]

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

[carsonbot]

Friendly ping? Should this still be open? I will close if I don't hear anything.

[carsonbot]

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!