Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Use the is_granted expression to keep consistency with php example above #4282

Closed
wants to merge 2 commits into from
Closed

[Security] Use the is_granted expression to keep consistency with php example above #4282

wants to merge 2 commits into from

Conversation

tyx
Copy link
Contributor

@tyx tyx commented Oct 1, 2014

Q A
Doc fix? yes
New docs? no
Applies to 2.4
Fixed tickets -

As has_role expression only check for roles (simple in_array) without calling the AccessDecisionManager, it does not do the same job that
$this->get('security.context')->isGranted('ROLE_ADMIN') used in the php example just above.

It is quiete confusing.

@tyx
Use the is_granted expression to keep consistency with php example …
a309c60 
…above

As `has_role` only check for roles without calling the voter, it does not do the same job that
`$this->get('security.context')->isGranted('ROLE_ADMIN')`

So it is quiete confusing.
@stof
Copy link
Member

stof commented Oct 2, 2014

Nope, it does not a a simple in_array check. It still supports the role hierarchy. So the vote for roles is still the same.

However, it is true that is_granted should be used in case you want to trigger your custom voters for other attributes

@tyx
Copy link
Contributor Author

tyx commented Oct 2, 2014

I guess you're right. I read the code on branch 2.5:
https://github.com/symfony/symfony/blob/2.5/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguage.php

I just see on master, it looks to be changed.

Indeed my point was about the custom voters not called.

@wouterj
Copy link
Member

wouterj commented Oct 2, 2014

I'm 👍 thanks @tyx !

@weaverryan
Copy link
Member

is_granted comes from SensioFrameworkExtraBundle, but since that's shipped with the SE, I'm totally ok with using it - but I wanted to make that point.

If we are going to use is_granted (which I also like more, if only because we already understand what it means), then we should use it everyone in this doc - we have has_role in 2 other places in this doc. We should also add is_granted to the function reference near the bottom of this section: https://github.com/symfony/symfony-docs/blob/master/book/security.rst#complex-access-controls-with-expressions

So:

  1. Question: Are we cool with using is_granted even though it's in SensioFWEBundle? I am ok with this

  2. If so, @tyx can you change the other 2 has_role references to is_granted in this chapter and also add a reference line (above has_role) for is_granted in the section I linked above?

Thanks!

@stof
Copy link
Member

stof commented Oct 3, 2014

Question: Are we cool with using is_granted even though it's in SensioFWEBundle? I am ok with this

Given that this place is documenting the FrameworkExtraBundle annotation, it is fine

f so, @tyx can you change the other 2 has_role references to is_granted in this chapter and also add a reference line (above has_role) for is_granted in the section I linked above?

This is wrong. is_granted is available only in the @Security annotation, not in expressions handled by the SecurityVoter. So these other usages cannot be changed

@weaverryan
Copy link
Member

@stof Ah, thanks for those details! Could we make is_granted available for all? I want to increase the consistency - from an outsider's perspective (i.e. someone not thinking about the implementation), it seems confusing that there is a difference between using security expressions in @Security versus using them in another security context.

@stof
Copy link
Member

stof commented Oct 4, 2014

@weaverryan no we cannot. A voter cannot have access to the full authentication system. It is a circular dependency.

@tyx
Copy link
Contributor Author

tyx commented Oct 4, 2014

So what about the changes @weaverryan asked ? Should I only add mention about is_granted in the complex-access-controls-with-expressions part ?

@weaverryan
Copy link
Member

Yes, I think we should, and I think we should use it where we can.

I don't understand yet why it can't also be made to work under access_control, but I admit I'm totally ignorant to the implementation :). I have homework to look into that further.

@tyx if I'm being unclear or if you have any questions, let me know!

@stof
Copy link
Member

stof commented Oct 5, 2014

@weaverryan this is because the access_control uses the security system. Expression used there at evaluated by a voter, which then cannot have access to the full AuthorizationManager given that it would create a circular dependency.
On the other hand, the expression of the @Security annotation is not evaluated by the ExpressionVoter but by the SecurityListener of the bundle. Given that it is evaluated outside the authorization system, it can depend on this system

@tyx
Copy link
Contributor Author

tyx commented Oct 6, 2014

I updated the PR with is_granted mention.

Let me know if there is another modification needed.

xabbuh
xabbuh reviewed Oct 6, 2014
View reviewed changes
book/security.rst
@@ -1786,6 +1786,8 @@ Additionally, you have access to a number of functions inside the expression:
see below;
* ``has_role``: Checks to see if the user has the given role - equivalent
to an expression like ``'ROLE_ADMIN' in roles``.
* ``is_granted``: Similar to the php code like `$securityContext->isGranted('ROLE_USER')`.
Unlike `has_role` expression, `is_granted` will call your custom voters if defined.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll have to indent this line by two spaces to make it part of the list item.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done !

@tyx tyx force-pushed the fix/make-same-code-that-php-example branch from 81d44ca to f96aca8 Compare October 6, 2014 18:59
wouterj
wouterj reviewed Oct 31, 2014
View reviewed changes
book/security.rst
@@ -1786,6 +1786,8 @@ Additionally, you have access to a number of functions inside the expression:
see below;
* ``has_role``: Checks to see if the user has the given role - equivalent
to an expression like ``'ROLE_ADMIN' in roles``.
* ``is_granted``: Similar to the php code like `$securityContext->isGranted('ROLE_USER')`.
Unlike `has_role` expression, `is_granted` will call your custom voters if defined.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add something like "(this can ony be used in the @Security annotation)" at the end of this item, to warn users and avoid confusion.

@wouterj
Copy link
Member

wouterj commented Feb 19, 2015

As this article has been revisited in #4606 , removing this section and code example, I'm going to close this PR.

However, I would still like to thank @tyx for creating this PR as this was missing from this article.

@wouterj wouterj closed this Feb 19, 2015
@dmaicher dmaicher mentioned this pull request Jun 6, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Work
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tyx @stof @wouterj @weaverryan @xabbuh