fix(security): allow multiple Security attributes when applicable

santysisi · santysisi · commit 08832fe15c05 · 2025-05-11T20:18:41.000-03:00
diff --git a/src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php b/src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php
@@ -54,7 +54,7 @@ public function decide(TokenInterface $token, array $attributes, mixed $object =
         $this->accessDecisionStack[] = $accessDecision;
 
         try {
-            return $accessDecision->isGranted = $this->manager->decide($token, $attributes, $object, $accessDecision);
+            return $accessDecision->isGranted = $this->manager->decide($token, $attributes, $object, $accessDecision, $allowMultipleAttributes);
         } finally {
             $this->strategy = $accessDecision->strategy;
             $currentLog = array_pop($this->currentLog);
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/TraceableAccessDecisionManagerTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/TraceableAccessDecisionManagerTest.php
@@ -11,12 +11,14 @@
 
 namespace Symfony\Component\Security\Core\Tests\Authorization;
 
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Tests\Fixtures\DummyVoter;
 
 class TraceableAccessDecisionManagerTest extends TestCase
@@ -276,4 +278,48 @@ public function testCustomAccessDecisionManagerReturnsEmptyStrategy()
 
         $this->assertEquals('-', $adm->getStrategy());
     }
+
+    public function testThrowsExceptionWhenMultipleAttributesNotAllowed()
+    {
+        $accessDecisionManager = new AccessDecisionManager();
+        $traceableAccessDecisionManager = new TraceableAccessDecisionManager($accessDecisionManager);
+        /** @var TokenInterface&MockObject $tokenMock */
+        $tokenMock = $this->createMock(TokenInterface::class);
+
+        $this->expectException(InvalidArgumentException::class);
+        $traceableAccessDecisionManager->decide($tokenMock, ['attr1', 'attr2']);
+    }
+
+    /**
+     * @dataProvider allowMultipleAttributesProvider
+     */
+    public function testAllowMultipleAttributes(array $attributes, bool $allowMultipleAttributes)
+    {
+        $accessDecisionManager = new AccessDecisionManager();
+        $traceableAccessDecisionManager = new TraceableAccessDecisionManager($accessDecisionManager);
+        /** @var TokenInterface&MockObject $tokenMock */
+        $tokenMock = $this->createMock(TokenInterface::class);
+
+        $isGranted = $traceableAccessDecisionManager->decide($tokenMock, $attributes, null, null, $allowMultipleAttributes);
+
+        $this->assertFalse($isGranted);
+    }
+
+    public function allowMultipleAttributesProvider(): \Generator
+    {
+        yield [
+            ['attr1'],
+            false,
+        ];
+
+        yield [
+            ['attr1'],
+            true,
+        ];
+
+        yield [
+            ['attr1', 'attr2', 'attr3'],
+            true,
+        ];
+    }
 }
