
[Security] Deprecated ROLE_PREVIOUS_ADMIN #35858

Merged

Conversation

wouterj (Member) commented Feb 25, 2020

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | n/a
| License       | MIT
| Doc PR        | symfony/symfony-docs#11487

ROLE_PREVIOUS_ADMIN is added to the token roles if the session is an impersonation. Since #31189 we have the IS_IMPERSONATOR attribute which can be used for the same reason. I propose to deprecate the ROLE_PREVIOUS_ADMIN:

  • This is not what roles are for (resulting in hacking this exception in AbstractToken)
  • The role isn't very descriptive
  • I don't like having 2 ways of doing exactly the same thing
  • While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +`

I'm a bit unsure on how to deprecate this role, but I think having it in RoleVoter is probably the safest (isGranted() and variants + AccessDecisionManager#decide() all use this voter to check if the token has this role).
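
The bulk replacement suggested in the comment above is worth running with two guards the one-liner lacks: skip `vendor/` (Symfony's own source contains the literal `ROLE_PREVIOUS_ADMIN`, and rewriting vendor code is never what a migration should do) and `.git/`, and count the remaining occurrences before and after so the migration can be verified rather than assumed. The script below is an added example, not code from this PR or from Symfony; the project tree it operates on is constructed inline (file names and contents are illustrative stand-ins for a real app), and it writes through a temp file instead of `sed -i` because BSD sed spells the in-place flag differently from GNU sed.

```shell
#!/bin/sh
# Added example (not from the PR or Symfony): migrate ROLE_PREVIOUS_ADMIN to
# IS_IMPERSONATOR in application code only, skipping vendor/ and .git/, and
# verify the result. The sample project tree is constructed here so the
# script runs offline; its file names and contents are illustrative.
set -eu

make_sample_project() {
    # Build a throwaway tree with three app files that use the old role and
    # one vendor file that legitimately contains the literal (it must survive).
    dir=$(mktemp -d)
    mkdir -p "$dir/config/packages" "$dir/templates" "$dir/src/Security" \
             "$dir/vendor/symfony/security-core"
    cat > "$dir/config/packages/security.yaml" <<'EOF'
security:
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/_switch_user, roles: ROLE_PREVIOUS_ADMIN }
EOF
    cat > "$dir/templates/base.html.twig" <<'EOF'
{% if is_granted('ROLE_PREVIOUS_ADMIN') %}
    <a href="{{ path('homepage', {'_switch_user': '_exit'}) }}">Exit impersonation</a>
{% endif %}
EOF
    cat > "$dir/src/Security/ImpersonationListener.php" <<'EOF'
<?php
if ($this->authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN')) {
    // ...
}
EOF
    cat > "$dir/vendor/symfony/security-core/RoleVoter.php" <<'EOF'
<?php
if ('ROLE_PREVIOUS_ADMIN' === $attribute) { /* the deprecation is emitted here */ }
EOF
    printf '%s\n' "$dir"
}

count_files_with() {
    # Number of regular files under root $1 (vendor/ and .git/ excluded) that
    # contain the fixed string $2. Used for the before/after check.
    find "$1" -type f ! -path '*/vendor/*' ! -path '*/.git/*' \
        -exec grep -lF "$2" {} + 2>/dev/null | wc -l | tr -d ' '
}

migrate_role() {
    # Rewrite ROLE_PREVIOUS_ADMIN -> IS_IMPERSONATOR in app files under $1.
    # The file list is collected first so the loop never sees its own temp
    # files; find exits non-zero when grep matches nothing, hence `|| true`.
    list=$(mktemp)
    find "$1" -type f ! -path '*/vendor/*' ! -path '*/.git/*' \
        -exec grep -lF 'ROLE_PREVIOUS_ADMIN' {} + > "$list" 2>/dev/null || true
    while IFS= read -r file; do
        # Write back through cat so the original file keeps its mode and inode.
        sed 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    done < "$list"
    rm -f "$list"
}

# Stand-alone run: build the constructed tree, migrate it, report what changed.
project=$(make_sample_project)
echo "files with ROLE_PREVIOUS_ADMIN before: $(count_files_with "$project" ROLE_PREVIOUS_ADMIN)"
migrate_role "$project"
echo "files with ROLE_PREVIOUS_ADMIN after:  $(count_files_with "$project" ROLE_PREVIOUS_ADMIN)"
echo "files with IS_IMPERSONATOR after:      $(count_files_with "$project" IS_IMPERSONATOR)"
rm -rf "$project"
```

Point `migrate_role` at a real checkout only after reviewing the list that `count_files_with` is built from; the same `find ... -exec grep -lF` expression, run on its own, is the dry run.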

@wouterj wouterj force-pushed the wouterj:security/deprecated-role-previous-admin branch from 7a77762 to d0bf1c1 Feb 25, 2020
@wouterj wouterj force-pushed the wouterj:security/deprecated-role-previous-admin branch from d0bf1c1 to dce55f3 Feb 25, 2020
fabpot approved these changes Feb 25, 2020

fabpot (Member) commented Feb 25, 2020

Thank you @wouterj.

@fabpot fabpot merged commit 82db995 into symfony:master Feb 25, 2020
3 checks passed
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
fabbot.io Your code looks good.
@wouterj wouterj deleted the wouterj:security/deprecated-role-previous-admin branch Feb 25, 2020
fabpot added a commit that referenced this pull request Feb 29, 2020
…wouterj)

This PR was merged into the 5.1-dev branch.

Discussion
----------

Added ROLE_PREVIOUS_ADMIN deprecation to UPGRADE guide

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | n/a
| License       | MIT
| Doc PR        | n/a

I forgot to update the UPGRADE guides in #35858

Commits
-------

3c8d316 Added ROLE_PREVIOUS_ADMIN deprecation to UPGRADE guide