feature #61542 [Security] Allow subclassing #[IsGranted] (nicolas-grekas)

nicolas-grekas · nicolas-grekas · commit 92962bd4c55e · 2025-08-27T17:53:58.000+02:00
This PR was merged into the 7.4 branch. Discussion ---------- [Security] Allow subclassing `#[IsGranted]` | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | - | License | MIT Was missing from #61504 Commits ------- a64980d [Security] Allow subclassing `#[IsGranted]`
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -8,7 +8,7 @@ CHANGELOG
  * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Deprecate `AbstractListener::__invoke`
  * Add `$methods` argument to `#[IsGranted]` to restrict validation to specific HTTP methods
- * Remove `final` keyword from `#[IsGranted]` to allow implementation of custom attributes
+ * Allow subclassing `#[IsGranted]`
 
 7.3
 ---
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
@@ -39,7 +39,14 @@ public function __construct(
 
     public function onKernelControllerArguments(ControllerArgumentsEvent $event): void
     {
-        if (!$attributes = $event->getAttributes(IsGranted::class)) {
+        $attributes = [];
+        foreach ($event->getAttributes() as $class => $attributes[]) {
+            if (!is_a($class, IsGranted::class, true)) {
+                array_pop($attributes);
+            }
+        }
+
+        if (!$attributes = array_merge(...$attributes)) {
             return;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeController;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeMethodsController;
@@ -524,4 +525,59 @@ public function testSkipsAuthorizationWhenMethodDoesNotMatchStringConstraint()
         $listener = new IsGrantedAttributeListener($authChecker);
         $listener->onKernelControllerArguments($event);
     }
+
+    public function testFiltersOnlyIsGrantedAttributesUsingInstanceof()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE_ADMIN')
+            ->willReturn(true);
+
+        $controller = [new IsGrantedAttributeMethodsController(), 'admin'];
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            $controller,
+            [],
+            new Request(),
+            null
+        );
+
+        // Inject mixed attributes: one IsGranted and one unrelated object; only IsGranted should be processed
+        $event->setController($controller, [
+            IsGranted::class => [new IsGranted('ROLE_ADMIN')],
+            \stdClass::class => [new \stdClass()],
+        ]);
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testSupportsSubclassOfIsGrantedViaInstanceof()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE_ADMIN')
+            ->willReturn(true);
+
+        $controller = [new IsGrantedAttributeMethodsController(), 'admin'];
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            $controller,
+            [],
+            new Request(),
+            null
+        );
+
+        $custom = new class('ROLE_ADMIN') extends IsGranted {};
+
+        // Inject subclass instance; instanceof IsGranted should match
+        $event->setController($controller, [
+            $custom::class => [$custom],
+        ]);
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,14 @@ public function __construct(`
`39`	`39`
`40`	`40`	`public function onKernelControllerArguments(ControllerArgumentsEvent $event): void`
`41`	`41`	`{`
`42`		`- if (!$attributes = $event->getAttributes(IsGranted::class)) {`
	`42`	`+ $attributes = [];`
	`43`	`+ foreach ($event->getAttributes() as $class => $attributes[]) {`
	`44`	`+ if (!is_a($class, IsGranted::class, true)) {`
	`45`	`+ array_pop($attributes);`
	`46`	`+ }`
	`47`	`+ }`
	`48`	`+`
	`49`	`+ if (!$attributes = array_merge(...$attributes)) {`
`43`	`50`	`return;`
`44`	`51`	`}`
`45`	`52`