[IsGranted] allow IsGranted put on a method to override one put on class #54676
Comments
This would be a huge BC break as projects might rely on the fact that all Controllers cannot override
@stof yes you have very valid concerns, what do you think about adding a dedicated attribute like
I'm not very fond of that idea either, mostly because of the complexity it adds to our codebase. I mean, you could also move the one action that needs a different behavior to a separate controller, right?
thanks for your comment @derrabus, yes you are right, moving the few methods which need different config out to their own controller works fine and yes i can imagine the code complexity this feature would add (if it would be so easy i might even have made a pull request for it) my perspective on this feature is more security related: it's about not to have to add an feel free to close as wont-fix, i fully understand that.
We had a similar use-case where some devs forgot to add annotations/attributes to classes. For ADRs like this, we used to have a CI job running in place. You may take a look at PHPArkitect (or simple shell scripts). And as always: tests should cover unauthorized access; that way you can't forget a route.
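A CI gate of the kind suggested in the comment above can be written with plain reflection; this is an added example, not code from the thread or from Symfony. The controller classes and `findUnguardedActions()` are hypothetical, and it assumes a class-level `IsGranted` covers every action of that class, which is the behaviour the issue describes.

```php
<?php
// Added example: list controller actions that carry no #[IsGranted] at all.
use Symfony\Component\Security\Http\Attribute\IsGranted;

// Constructed sample controllers (hypothetical names). Reflection only compares
// attribute names here, so this file runs without Symfony installed.
#[IsGranted('ROLE_API')]
final class ApiController
{
    public function index(): void {}  // covered by the class-level attribute
}

final class MixedController
{
    #[IsGranted('ROLE_API')]
    public function secret(): void {}

    #[IsGranted('PUBLIC_ACCESS')]
    public function health(): void {} // explicit, reviewable exception

    public function export(): void {} // forgotten: no attribute anywhere
}

/** @return list<string> "Class::method" for every unguarded public action */
function findUnguardedActions(array $controllerClasses): array
{
    $missing = [];
    foreach ($controllerClasses as $class) {
        $ref = new ReflectionClass($class);
        if ($ref->getAttributes(IsGranted::class) !== []) {
            continue; // class-level rule applies to every action
        }
        foreach ($ref->getMethods(ReflectionMethod::IS_PUBLIC) as $method) {
            if ($method->isConstructor() || $method->isStatic()
                || $method->getDeclaringClass()->getName() !== $ref->getName()) {
                continue; // not an action declared by this controller
            }
            if ($method->getAttributes(IsGranted::class) === []) {
                $missing[] = $ref->getName() . '::' . $method->getName();
            }
        }
    }
    return $missing;
}

$missing = findUnguardedActions([ApiController::class, MixedController::class]);
foreach ($missing as $action) {
    fwrite(STDERR, "missing #[IsGranted]: $action\n");
}
exit($missing === [] ? 0 : 1);
```

With the sample classes the script reports `MixedController::export` and exits with status 1, so the pipeline fails until that action is given an explicit attribute.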
Closing then (#54676 (comment)) :)
Description
if you put the IsGranted attribute on a class requiring ROLE_API for example and you want to only make some exceptions on method level requiring only PUBLIC_ACCESS this is currently not possible. you have to remove the attribute from the class and add to each method.

it would be nice to have IsGranted behave more like Route where putting it on a class cooperates with putting it on a method.

i assume the processing order of the method attributes has to go before the processing of the class attribute to honor the "first match firewall principle".

the code below leads currently to "Full authentication is required to access this resource."

sidenote: also overriding a permission defined in security.yaml would be useful. so it would be possible to define global rules in security.yaml and override them on controller method level.

Example