
[Security] Allow Expression as AccessDeniedException attribute #46986


Closed
wants to merge 1 commit into from

Conversation

HypeMC
Member

@HypeMC HypeMC commented Jul 19, 2022

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets -
License MIT
Doc PR -

Currently the AccessDeniedException::setAttributes() method accepts a string or an array. However, there are several ways the method could receive an instance of Expression as well, e.g.:

$this->denyAccessUnlessGranted(new Expression('"ROLE_ADMIN" in role_names'))

On Symfony 5.4 or lower there are no type hints so the object gets cast to an array:

/**
 * @param array|string $attributes
 */
public function setAttributes($attributes)
{
    $this->attributes = (array) $attributes;
}

array(1) {
  ["*expression"]=>
  string(15) "some expression"
}

On 6.0 or higher, because of the added type hints, it gets cast into a string instead.

public function setAttributes(array|string $attributes)
{
    $this->attributes = (array) $attributes;
}
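As an added illustration, not code from this PR or from Symfony itself, the script below reproduces the three shapes of setAttributes() discussed here side by side: the untyped 4.4/5.4 version, the array|string version from 6.0, and a 4.4/5.4-style version that emulates the 6.0 behaviour by casting a Stringable object to string first. It uses a minimal stand-in Expression class (assumption: only a protected $expression property and __toString(), the two members that matter for the cast) and needs PHP 8.0 or later for the union type. It is intentionally run without declare(strict_types=1), because object-to-string coercion for a typed parameter only happens in coercive mode.

```php
<?php
// Added illustration (not Symfony's code): how an Expression object fares under the
// three variants of setAttributes() discussed in this PR. Requires PHP >= 8.0 for the
// union type. Deliberately no declare(strict_types=1): coercion of a Stringable object
// into a string parameter only happens in coercive mode.

// Minimal stand-in for Symfony\Component\ExpressionLanguage\Expression (assumption:
// the real class is reduced to a protected property plus __toString()).
final class Expression
{
    protected string $expression;

    public function __construct(string $expression)
    {
        $this->expression = $expression;
    }

    public function __toString(): string
    {
        return $this->expression;
    }
}

// Symfony <= 5.4 shape: untyped parameter, bare (array) cast of whatever arrives.
// For an object this yields one entry per property, keyed by the mangled property
// name ("\0*\0expression" for a protected property).
function legacySetAttributes($attributes): array
{
    return (array) $attributes;
}

// Symfony >= 6.0 shape: the union type makes PHP coerce the object to string via
// __toString() before the cast, so the expression text lands under index 0.
function typedSetAttributes(array|string $attributes): array
{
    return (array) $attributes;
}

// Emulation of the 6.0 behaviour for an untyped signature: cast a Stringable object
// to string before the array cast. method_exists() instead of instanceof \Stringable
// keeps this valid on PHP 7.x as well.
function normalizedSetAttributes($attributes): array
{
    if (is_object($attributes) && method_exists($attributes, '__toString')) {
        $attributes = (string) $attributes;
    }

    return (array) $attributes;
}

// Render array keys with control bytes escaped, so the NUL bytes that surround the
// "*" in a mangled protected-property key become visible instead of disappearing.
function describe(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $key => $value) {
        $parts[] = sprintf('[%s] => %s', addcslashes((string) $key, "\0..\37"), $value);
    }

    return '{' . implode(', ', $parts) . '}';
}

// Constructed sample inputs covering the three kinds of value setAttributes() can see.
$inputs = [
    'string'     => 'ROLE_ADMIN',
    'array'      => ['ROLE_ADMIN', 'ROLE_EDITOR'],
    'Expression' => new Expression('"ROLE_ADMIN" in role_names'),
];

foreach ($inputs as $label => $input) {
    printf("%-10s legacy:     %s\n", $label, describe(legacySetAttributes($input)));
    printf("%-10s typed:      %s\n", $label, describe(typedSetAttributes($input)));
    printf("%-10s normalized: %s\n", $label, describe(normalizedSetAttributes($input)));
}

// The practical difference for anything that reads getAttributes() afterwards (an
// error page, a log line, a handler that wants to know which attribute was denied):
// with the legacy cast the expression text hides under the mangled key and index 0
// is unset; with the typed or normalized cast it sits under index 0 as a string.
$denied = new Expression('"ROLE_ADMIN" in role_names');
var_dump(legacySetAttributes($denied)[0] ?? null);
var_dump(typedSetAttributes($denied)[0] ?? null);
var_dump(normalizedSetAttributes($denied)[0] ?? null);
```

Run it with `php` on the command line. Because the file is in coercive mode, typedSetAttributes() accepts the Expression; a caller file with declare(strict_types=1) would get a TypeError from that call instead, which is why the mode of the calling file, not the callee, decides whether the 6.0 signature silently casts or throws.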

@derrabus
Member

$this->denyAccessUnlessGranted(new Expression('"ROLE_ADMIN" in role_names'))
  • Question 1: Where did you get that piece of code from? Does the documentation say that expressions are allowed here? Or did it just happen to work for you?
  • Question 2: Isn't this the same as $this->denyAccessUnlessGranted('ROLE_ADMIN')? 🤔

@HypeMC
Member Author

HypeMC commented Jul 20, 2022

@derrabus

  • Question 1: Where did you get that piece of code from? Does the documentation say that expressions are allowed here? Or did it just happen to work for you?

Yes, this is taken from the docs, see https://symfony.com/doc/4.4/security/expressions.html

  • Question 2: Isn't this the same as $this->denyAccessUnlessGranted('ROLE_ADMIN')? 🤔

Well yes, but this is just a simple example. The point is that an instance of Expression can be used (with a more complex expression).

@derrabus
Member

Yes, this is taken from the docs

Amazing. I didn't know about this feature. 😮

@nicolas-grekas
Member

As discussed on #46978, this change looks wrong to me.
Instead, we should consider that an Expression argument is auto-cast to string, which is the case since 6.0.
We could emulate this behavior in 4.4/5.4 but is it needed? Aka does this cause real-world issues?
If not, let's close.

@HypeMC
Member Author

HypeMC commented Aug 1, 2022

@nicolas-grekas Since no one has ever reported this issue, let's close.

@HypeMC HypeMC closed this Aug 1, 2022
@HypeMC HypeMC deleted the accessdeniedexception-expression branch August 1, 2022 08:36
@HypeMC HypeMC restored the accessdeniedexception-expression branch March 11, 2023 14:50
@HypeMC HypeMC deleted the accessdeniedexception-expression branch March 11, 2023 14:51