[Security][TwigBridge] Add access_decision() and access_decision_for_user()

florentdestremau · nicolas-grekas · commit 1aead1474453 · 2025-09-03T13:36:52.000+02:00
diff --git a/src/Symfony/Bridge/Twig/CHANGELOG.md b/src/Symfony/Bridge/Twig/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Add `access_decision()` and `access_decision_for_user()` Twig functions
+
 7.3
 ---
 
diff --git a/src/Symfony/Bridge/Twig/Extension/SecurityExtension.php b/src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
@@ -55,6 +55,18 @@ public function isGranted(mixed $role, mixed $object = null, ?string $field = nu
         }
     }
 
+    public function getAccessDecision(mixed $role, mixed $object = null, ?string $field = null): AccessDecision
+    {
+        if (!class_exists(AccessDecision::class)) {
+            throw new \LogicException(\sprintf('Using the "access_decision()" function requires symfony/security-core >= 7.3. Try running "composer %s symfony/security-core".', $this->securityChecker ? 'update' : 'require'));
+        }
+
+        $accessDecision = new AccessDecision();
+        $this->isGranted($role, $object, $field, $accessDecision);
+
+        return $accessDecision;
+    }
+
     public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null, ?AccessDecision $accessDecision = null): bool
     {
         if (null === $this->securityChecker) {
@@ -80,6 +92,18 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s
         }
     }
 
+    public function getAccessDecisionForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?string $field = null): AccessDecision
+    {
+        if (!class_exists(AccessDecision::class)) {
+            throw new \LogicException(\sprintf('Using the "access_decision_for_user()" function requires symfony/security-core >= 7.3. Try running "composer %s symfony/security-core".', $this->securityChecker ? 'bump' : 'require'));
+        }
+
+        $accessDecision = new AccessDecision();
+        $this->isGrantedForUser($user, $attribute, $subject, $field, $accessDecision);
+
+        return $accessDecision;
+    }
+
     public function getImpersonateExitUrl(?string $exitTo = null): string
     {
         if (null === $this->impersonateUrlGenerator) {
@@ -120,6 +144,7 @@ public function getFunctions(): array
     {
         $functions = [
             new TwigFunction('is_granted', $this->isGranted(...)),
+            new TwigFunction('access_decision', $this->getAccessDecision(...)),
             new TwigFunction('impersonation_exit_url', $this->getImpersonateExitUrl(...)),
             new TwigFunction('impersonation_exit_path', $this->getImpersonateExitPath(...)),
             new TwigFunction('impersonation_url', $this->getImpersonateUrl(...)),
@@ -128,6 +153,7 @@ public function getFunctions(): array
 
         if ($this->securityChecker instanceof UserAuthorizationCheckerInterface) {
             $functions[] = new TwigFunction('is_granted_for_user', $this->isGrantedForUser(...));
+            $functions[] = new TwigFunction('access_decision_for_user', $this->getAccessDecisionForUser(...));
         }
 
         return $functions;
diff --git a/src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php b/src/Symfony/Bridge/Twig/Tests/Extension/SecurityExtensionTest.php
@@ -30,7 +30,7 @@ public static function setUpBeforeClass(): void
 
     protected function tearDown(): void
     {
-        ClassExistsMock::withMockedClasses([FieldVote::class => true]);
+        ClassExistsMock::withMockedClasses([FieldVote::class => true, AccessDecision::class => true]);
     }
 
     #[DataProvider('provideObjectFieldAclCases')]
@@ -115,6 +115,122 @@ public function testIsGrantedForUserThrowsWhenFieldNotNullAndFieldVoteClassDoesN
         $securityExtension->isGrantedForUser($this->createMock(UserInterface::class), 'ROLE', 'object', 'bar');
     }
 
+    public function testAccessDecision()
+    {
+        if (!class_exists(AccessDecision::class)) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        $securityChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $securityChecker
+            ->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE', 'object', $this->isInstanceOf(AccessDecision::class))
+            ->willReturnCallback(function ($attribute, $subject, $accessDecision) {
+                $accessDecision->isGranted = true;
+
+                return true;
+            });
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $accessDecision = $securityExtension->getAccessDecision('ROLE', 'object');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertTrue($accessDecision->isGranted);
+    }
+
+    public function testAccessDecisionWithField()
+    {
+        if (!class_exists(AccessDecision::class)) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        $securityChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $securityChecker
+            ->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE', $this->isInstanceOf(FieldVote::class), $this->isInstanceOf(AccessDecision::class))
+            ->willReturnCallback(function ($attribute, $subject, $accessDecision) {
+                $accessDecision->isGranted = false;
+
+                return false;
+            });
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $accessDecision = $securityExtension->getAccessDecision('ROLE', 'object', 'field');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertFalse($accessDecision->isGranted);
+    }
+
+    public function testAccessDecisionThrowsWhenAccessDecisionClassDoesNotExist()
+    {
+        ClassExistsMock::withMockedClasses([AccessDecision::class => false]);
+
+        $securityChecker = $this->createMock(AuthorizationCheckerInterface::class);
+
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Using the "access_decision()" function requires symfony/security-core >= 7.3. Try running "composer update symfony/security-core".');
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $securityExtension->getAccessDecision('ROLE', 'object');
+    }
+
+    public function testAccessDecisionForUser()
+    {
+        if (!interface_exists(UserAuthorizationCheckerInterface::class) || !class_exists(AccessDecision::class)) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        $user = $this->createMock(UserInterface::class);
+        $securityChecker = $this->createMockAuthorizationChecker();
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $accessDecision = $securityExtension->getAccessDecisionForUser($user, 'ROLE', 'object');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertTrue($accessDecision->isGranted);
+        $this->assertSame($user, $securityChecker->user);
+        $this->assertSame('ROLE', $securityChecker->attribute);
+        $this->assertSame('object', $securityChecker->subject);
+    }
+
+    public function testAccessDecisionForUserWithField()
+    {
+        if (!interface_exists(UserAuthorizationCheckerInterface::class) || !class_exists(AccessDecision::class)) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        $user = $this->createMock(UserInterface::class);
+        $securityChecker = $this->createMockAuthorizationChecker();
+
+        $securityExtension = new SecurityExtension($securityChecker);
+        $accessDecision = $securityExtension->getAccessDecisionForUser($user, 'ROLE', 'object', 'field');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertTrue($accessDecision->isGranted);
+        $this->assertSame($user, $securityChecker->user);
+        $this->assertSame('ROLE', $securityChecker->attribute);
+        $this->assertEquals(new FieldVote('object', 'field'), $securityChecker->subject);
+    }
+
+    public function testAccessDecisionForUserThrowsWhenAccessDecisionClassDoesNotExist()
+    {
+        if (!interface_exists(UserAuthorizationCheckerInterface::class)) {
+            $this->markTestSkipped('This test requires symfony/security-core 7.3 or superior.');
+        }
+
+        ClassExistsMock::withMockedClasses([AccessDecision::class => false]);
+
+        $securityChecker = $this->createMockAuthorizationChecker();
+        $securityExtension = new SecurityExtension($securityChecker);
+
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Using the "access_decision_for_user()" function requires symfony/security-core >= 7.3. Try running "composer update symfony/security-core".');
+
+        $securityExtension->getAccessDecisionForUser($this->createMock(UserInterface::class), 'ROLE', 'object');
+    }
+
     private function createMockAuthorizationChecker(): AuthorizationCheckerInterface&UserAuthorizationCheckerInterface
     {
         return new class implements AuthorizationCheckerInterface, UserAuthorizationCheckerInterface {
@@ -133,6 +249,10 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s
                 $this->attribute = $attribute;
                 $this->subject = $subject;
 
+                if ($accessDecision) {
+                    $accessDecision->isGranted = true;
+                }
+
                 return true;
             }
         };
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 7.4
 ---
 
+ * Add `Security::getAccessDecision()` and `getAccessDecisionForUser()` helpers
  * Add options to configure a cache pool and storage service for login throttling rate limiters
  * Register alias for argument for password hasher when its key is not a class name:
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Security.php b/src/Symfony/Bundle/SecurityBundle/Security.php
@@ -65,6 +65,14 @@ public function isGranted(mixed $attributes, mixed $subject = null, ?AccessDecis
             ->isGranted($attributes, $subject, $accessDecision);
     }
 
+    public function getAccessDecision(mixed $attributes, mixed $subject = null): AccessDecision
+    {
+        $accessDecision = new AccessDecision();
+        $this->isGranted($attributes, $subject, $accessDecision);
+
+        return $accessDecision;
+    }
+
     /**
      * Checks if the attribute is granted against the user and optionally supplied subject.
      *
@@ -76,6 +84,14 @@ public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $s
             ->isGrantedForUser($user, $attribute, $subject, $accessDecision);
     }
 
+    public function getAccessDecisionForUser(UserInterface $user, mixed $attributes, mixed $subject = null): AccessDecision
+    {
+        $accessDecision = new AccessDecision();
+        $this->isGrantedForUser($user, $attributes, $subject, $accessDecision);
+
+        return $accessDecision;
+    }
+
     public function getToken(): ?TokenInterface
     {
         return $this->container->get('security.token_storage')->getToken();
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/SecurityTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/SecurityTest.php
@@ -25,7 +25,9 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
@@ -98,6 +100,51 @@ public function testIsGranted()
         $this->assertTrue($security->isGranted('SOME_ATTRIBUTE', 'SOME_SUBJECT'));
     }
 
+    public function testAccessDecision()
+    {
+        $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
+
+        $authorizationChecker->expects($this->once())
+            ->method('isGranted')
+            ->with('SOME_ATTRIBUTE', 'SOME_SUBJECT', $this->isInstanceOf(AccessDecision::class))
+            ->willReturnCallback(function ($attribute, $subject, $accessDecision) {
+                $accessDecision->isGranted = true;
+
+                return true;
+            });
+
+        $container = $this->createContainer('security.authorization_checker', $authorizationChecker);
+
+        $security = new Security($container);
+        $accessDecision = $security->getAccessDecision('SOME_ATTRIBUTE', 'SOME_SUBJECT');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertTrue($accessDecision->isGranted);
+    }
+
+    public function testAccessDecisionForUser()
+    {
+        $user = new InMemoryUser('test_user', 'password');
+        $userAuthorizationChecker = $this->createMock(UserAuthorizationCheckerInterface::class);
+
+        $userAuthorizationChecker->expects($this->once())
+            ->method('isGrantedForUser')
+            ->with($user, 'SOME_ATTRIBUTE', 'SOME_SUBJECT', $this->isInstanceOf(AccessDecision::class))
+            ->willReturnCallback(function ($user, $attribute, $subject, $accessDecision) {
+                $accessDecision->isGranted = false;
+
+                return false;
+            });
+
+        $container = $this->createContainer('security.user_authorization_checker', $userAuthorizationChecker);
+
+        $security = new Security($container);
+        $accessDecision = $security->getAccessDecisionForUser($user, 'SOME_ATTRIBUTE', 'SOME_SUBJECT');
+
+        $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+        $this->assertFalse($accessDecision->isGranted);
+    }
+
     #[DataProvider('getFirewallConfigTests')]
     public function testGetFirewallConfig(Request $request, ?FirewallConfig $expectedFirewallConfig)
     {
