Skip to content

[Security] Allow using a callable with #[IsGranted] #59150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Feb 18, 2025
Merged

[Security] Allow using a callable with #[IsGranted] #59150

nicolas-grekas merged 1 commit into from
Feb 18, 2025

Conversation

@alexandre-daubois
Copy link
Member

@alexandre-daubois alexandre-daubois commented Dec 10, 2024
edited
Loading

Q A
Branch? 7.3
Bug fix? no
New feature? yes
Deprecations? no
Issues -
License MIT

Thanks to the latest RFC that successfully passed for the next version of PHP, closures are now allowed in attributes. Symfony could leverage this at multiple places, especially where the ExpressionLanguage is currently used. What's nice is that, compared to expressions, closures can benefit from typing, autocomplete, etc. Way better for the DX.

This PR propose to leverage this new feature in #[IsGranted], which would allow to write such code:

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Attribute\AsController;
use Symfony\Component\Security\Core\Authorization\IsGrantedPayload;
use Symfony\Component\Security\Http\Attribute\IsGranted;

#[AsController]
class BlogPostViewController
{
    #[IsGranted(static function ($token, $subject, $accessDecisionManager, $trustResolver): bool {
        if ($subject->isPublished()) {
            // published, everybody can see it
            return false;
        }

        if ($subject->getAuthor() === $token->getUser()
            || $accessDecisionManager->decide($token, 'edit', $subject)
        ) {
            // the author can see it
            return true;
        }

        // or any admin of the app
        return $accessDecisionManager->decide($token, ['ROLE_ADMIN']);
    }, subject: static function (array $arguments, Request $request) {
        return $arguments['post'];
    })]
    public function __invoke(BlogPost $post): JsonResponse
    {
        return new JsonResponse();
    }
}

@carsonbot carsonbot added Status: Needs Review DX DX = Developer eXperience (anything that improves the experience of using Symfony) Feature Security labels Dec 10, 2024
@carsonbot carsonbot added this to the 7.3 milestone Dec 10, 2024
@carsonbot carsonbot changed the title [DX][Security] Allow using a callable with #[IsGranted] [Security] Allow using a callable with #[IsGranted] Dec 10, 2024
chalasr
chalasr reviewed Dec 10, 2024
View reviewed changes
@alexandre-daubois
Copy link
Member Author

alexandre-daubois commented Dec 11, 2024

The WIP fix on php-src works well. I updated the code (diff), it works nicely now 🙂

smnandre
smnandre reviewed Dec 14, 2024
View reviewed changes
mtarld
mtarld reviewed Dec 16, 2024
View reviewed changes
derrabus
derrabus requested changes Dec 16, 2024
View reviewed changes
@alexandre-daubois
Copy link
Member Author

alexandre-daubois commented Dec 18, 2024

Thank you for your feedbacks. I updated the PR. IsGrantedPayload was removed as well as role names. Arguments are now passed individually to the closure.

Also, I'm now using instance Closure instead of is_callable() to avoid callable strings that may be used.

@alexandre-daubois
Copy link
Member Author

alexandre-daubois commented Dec 18, 2024

Status: Needs Review

@chalasr
Copy link
Member

chalasr commented Dec 18, 2024

I think the Attribute phpdoc and future docs should mention that only static closures are supported (for now).

stof
stof requested changes Dec 18, 2024
View reviewed changes
@stof
Copy link
Member

stof commented Dec 18, 2024

@chalasr supporting static closures only is not a limitation of our code. It is a limitation of PHP attributes. If PHP supports more closures (quite unlikely though, as I don't see how they would work), the code in Symfony would not require any change to support them.

stof
stof reviewed Dec 18, 2024
View reviewed changes
@alexandre-daubois alexandre-daubois force-pushed the is-granted-callable branch 3 times, most recently from 3c1d6cd to 2dafa16 Compare December 18, 2024 13:25
nicolas-grekas
nicolas-grekas reviewed Feb 11, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments to improve the DX hopefully.

@alexandre-daubois alexandre-daubois force-pushed the is-granted-callable branch 3 times, most recently from 816c445 to f3cfa81 Compare February 12, 2025 08:10
nicolas-grekas
nicolas-grekas approved these changes Feb 12, 2025
View reviewed changes
nicolas-grekas
nicolas-grekas reviewed Feb 12, 2025
View reviewed changes
nicolas-grekas
nicolas-grekas reviewed Feb 12, 2025
View reviewed changes
@alexandre-daubois alexandre-daubois force-pushed the is-granted-callable branch 2 times, most recently from 54712d5 to d4bad72 Compare February 12, 2025 09:03
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Feb 12, 2025

There's one failure to check (at least on the windows build)

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Feb 18, 2025

Thank you @alexandre-daubois.

@nicolas-grekas nicolas-grekas merged commit ab6c611 into symfony:7.3 Feb 18, 2025
4 of 11 checks passed
This was referenced Feb 18, 2025
Closed
Merged
chalasr added a commit that referenced this pull request Feb 21, 2025
@chalasr
feature #59805 [Security] Improve DX of recent additions (nicolas-gre…
0c7c251 
…kas)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security] Improve DX of recent additions

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | not really
| Deprecations? | no
| Issues        | -
| License       | MIT

This is a follow up of #48142 and #59150 which were merged recently into 7.3.

Summary of the changes:
- `UserAuthorizationChecker`, the implementation of the corresponding interface is merged into the existing `AuthorizationChecker`.
- `AuthorizationChecker::isGranted()` is made aware of token changed by its new `isGrantedForUser()` method, so that calls to `is_granted()` nested into `is_granted_for_user()` calls will check the provided user, not the logged in one.
- Replace the many arguments passed to `IsGranted`'s closures by 1. a new `IsGrantedContext` and 2. the `$subject`. This makes everything simpler, easier to discover, and more extensible. Thanks to the previous item, IsGrantedContext only needs the auth-checker, not the access-decision-manager anymore. Simpler again.
- Fix to the tests, those were broken in both PRs.

Commits
-------

aa38eb8 [Security] Improve DX of recent additions
@fabpot fabpot mentioned this pull request May 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@stof stof stof requested changes

@mtarld mtarld mtarld left review comments

@chalasr chalasr chalasr left review comments

@derrabus derrabus derrabus requested changes

+2 more reviewers

@gharlan gharlan gharlan left review comments

@smnandre smnandre smnandre left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

DX DX = Developer eXperience (anything that improves the experience of using Symfony) Feature Security Status: Reviewed

Projects

None yet

Milestone

7.3

Development

Successfully merging this pull request may close these issues.

9 participants

@alexandre-daubois @chalasr @stof @nicolas-grekas @gharlan @smnandre @derrabus @mtarld @carsonbot