feature #59150 [Security] Allow using a callable with #[IsGranted] (alexandre-daubois)

nicolas-grekas · nicolas-grekas · commit ab6c611d0ac0 · 2025-02-18T10:48:41.000+01:00
This PR was merged into the 7.3 branch. Discussion ---------- [Security] Allow using a callable with `#[IsGranted]` | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | - | License | MIT Thanks to [the latest RFC](https://wiki.php.net/rfc/closures_in_const_expr) that successfully passed for the next version of PHP, closures are now allowed in attributes. Symfony could leverage this at multiple places, especially where the ExpressionLanguage is currently used. What's nice is that, compared to expressions, closures can benefit from typing, autocomplete, etc. Way better for the DX. This PR propose to leverage this new feature in `#[IsGranted]`, which would allow to write such code: ```php use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpKernel\Attribute\AsController; use Symfony\Component\Security\Core\Authorization\IsGrantedPayload; use Symfony\Component\Security\Http\Attribute\IsGranted; #[AsController] class BlogPostViewController { #[IsGranted(static function ($token, $subject, $accessDecisionManager, $trustResolver): bool { if ($subject->isPublished()) { // published, everybody can see it return false; } if ($subject->getAuthor() === $token->getUser() || $accessDecisionManager->decide($token, 'edit', $subject) ) { // the author can see it return true; } // or any admin of the app return $accessDecisionManager->decide($token, ['ROLE_ADMIN']); }, subject: static function (array $arguments, Request $request) { return $arguments['post']; })] public function __invoke(BlogPost $post): JsonResponse { return new JsonResponse(); } } ``` Commits ------- 9c31038 [Security] Allow using a callable with `#[IsGranted]`
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -34,6 +34,7 @@
 use Symfony\Component\Security\Core\Authorization\UserAuthorizationChecker;
 use Symfony\Component\Security\Core\Authorization\UserAuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\ClosureVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
@@ -171,6 +172,13 @@
             ])
             ->tag('security.voter', ['priority' => 245])
 
+        ->set('security.access.closure_voter', ClosureVoter::class)
+            ->args([
+                service('security.access.decision_manager'),
+                service('security.authentication.trust_resolver'),
+            ])
+            ->tag('security.voter', ['priority' => 245])
+
         ->set('security.impersonate_url_generator', ImpersonateUrlGenerator::class)
         ->args([
             service('request_stack'),
diff --git a/src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php b/src/Symfony/Component/Security/Core/Authorization/AuthorizationCheckerInterface.php
@@ -21,7 +21,7 @@ interface AuthorizationCheckerInterface
     /**
      * Checks if the attribute is granted against the current authentication token and optionally supplied subject.
      *
-     * @param mixed               $attribute      A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)
+     * @param mixed               $attribute      A single attribute to vote on (can be of any type; strings, Expression and Closure instances are supported by the core)
      * @param AccessDecision|null $accessDecision Should be used to explain the decision
      */
     public function isGranted(mixed $attribute, mixed $subject = null/* , ?AccessDecision $accessDecision = null */): bool;
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/ClosureVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/ClosureVoter.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+/**
+ * This voter allows using a closure as the attribute being voted on.
+ *
+ * The following named arguments are passed to the closure:
+ *
+ * - `token`: The token being used for voting
+ * - `subject`: The subject of the vote
+ * - `accessDecisionManager`: The access decision manager
+ * - `trustResolver`: The trust resolver
+ *
+ * @see IsGranted doc for the complete closure signature.
+ *
+ * @author Alexandre Daubois <alex.daubois@gmail.com>
+ */
+final class ClosureVoter implements CacheableVoterInterface
+{
+    public function __construct(
+        private AccessDecisionManagerInterface $accessDecisionManager,
+        private AuthenticationTrustResolverInterface $trustResolver,
+    ) {
+    }
+
+    public function supportsAttribute(string $attribute): bool
+    {
+        return false;
+    }
+
+    public function supportsType(string $subjectType): bool
+    {
+        return true;
+    }
+
+    public function vote(TokenInterface $token, mixed $subject, array $attributes, ?Vote $vote = null): int
+    {
+        $vote ??= new Vote();
+        $failingClosures = [];
+        $result = VoterInterface::ACCESS_ABSTAIN;
+        foreach ($attributes as $attribute) {
+            if (!$attribute instanceof \Closure) {
+                continue;
+            }
+
+            $name = (new \ReflectionFunction($attribute))->name;
+            $result = VoterInterface::ACCESS_DENIED;
+            if ($attribute(token: $token, subject: $subject, accessDecisionManager: $this->accessDecisionManager, trustResolver: $this->trustResolver)) {
+                $vote->reasons[] = \sprintf('Closure %s returned true.', $name);
+
+                return VoterInterface::ACCESS_GRANTED;
+            }
+
+            $failingClosures[] = $name;
+        }
+
+        if ($failingClosures) {
+            $vote->reasons[] = \sprintf('Closure%s %s returned false.', 1 < \count($failingClosures) ? 's' : '', implode(', ', $failingClosures));
+        }
+
+        return $result;
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/CHANGELOG.md b/src/Symfony/Component/Security/Core/CHANGELOG.md
@@ -10,6 +10,7 @@ CHANGELOG
  * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
    erase credentials e.g. using `__serialize()` instead
  * Add ability for voters to explain their vote
+ * Add support for voting on closures
 
 7.2
 ---
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/ClosureVoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/ClosureVoterTest.php
@@ -0,0 +1,91 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authorization\Voter;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\ClosureVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class ClosureVoterTest extends TestCase
+{
+    private ClosureVoter $voter;
+
+    protected function setUp(): void
+    {
+        $this->voter = new ClosureVoter(
+            $this->createMock(AccessDecisionManagerInterface::class),
+            $this->createMock(AuthenticationTrustResolverInterface::class),
+        );
+    }
+
+    public function testEmptyAttributeAbstains()
+    {
+        $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->voter->vote(
+            $this->createMock(TokenInterface::class),
+            null,
+            [])
+        );
+    }
+
+    public function testClosureReturningFalseDeniesAccess()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getRoleNames')->willReturn([]);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $this->assertSame(VoterInterface::ACCESS_DENIED, $this->voter->vote(
+            $token,
+            null,
+            [fn (...$vars) => false]
+        ));
+    }
+
+    public function testClosureReturningTrueGrantsAccess()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getRoleNames')->willReturn([]);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $this->assertSame(VoterInterface::ACCESS_GRANTED, $this->voter->vote(
+            $token,
+            null,
+            [fn (...$vars) => true]
+        ));
+    }
+
+    public function testArgumentsContent()
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getRoleNames')->willReturn(['MY_ROLE', 'ANOTHER_ROLE']);
+        $token->method('getUser')->willReturn($this->createMock(UserInterface::class));
+
+        $outerSubject = new \stdClass();
+
+        $this->voter->vote(
+            $token,
+            $outerSubject,
+            [function (...$vars) use ($outerSubject) {
+                $this->assertInstanceOf(TokenInterface::class, $vars['token']);
+                $this->assertSame($outerSubject, $vars['subject']);
+
+                $this->assertInstanceOf(AccessDecisionManagerInterface::class, $vars['accessDecisionManager']);
+                $this->assertInstanceOf(AuthenticationTrustResolverInterface::class, $vars['trustResolver']);
+
+                return true;
+            }]
+        );
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsGranted.php b/src/Symfony/Component/Security/Http/Attribute/IsGranted.php
@@ -12,6 +12,10 @@
 namespace Symfony\Component\Security\Http\Attribute;
 
 use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 
 /**
  * Checks if user has permission to access to some resource using security roles and voters.
@@ -24,15 +28,15 @@
 final class IsGranted
 {
     /**
-     * @param string|Expression            $attribute     The attribute that will be checked against a given authentication token and optional subject
-     * @param array|string|Expression|null $subject       An optional subject - e.g. the current object being voted on
-     * @param string|null                  $message       A custom message when access is not granted
-     * @param int|null                     $statusCode    If set, will throw HttpKernel's HttpException with the given $statusCode; if null, Security\Core's AccessDeniedException will be used
-     * @param int|null                     $exceptionCode If set, will add the exception code to thrown exception
+     * @param string|Expression|(\Closure(TokenInterface $token, mixed $subject, AccessDecisionManagerInterface $accessDecisionManager, AuthenticationTrustResolverInterface $trustResolver): bool) $attribute The attribute that will be checked against a given authentication token and optional subject
+     * @param array|string|Expression|(\Closure(array<string, mixed>, Request): mixed)|null $subject An optional subject - e.g. the current object being voted on
+     * @param string|null $message       A custom message when access is not granted
+     * @param int|null    $statusCode    If set, will throw HttpKernel's HttpException with the given $statusCode; if null, Security\Core's AccessDeniedException will be used
+     * @param int|null    $exceptionCode If set, will add the exception code to thrown exception
      */
     public function __construct(
-        public string|Expression $attribute,
-        public array|string|Expression|null $subject = null,
+        public string|Expression|\Closure $attribute,
+        public array|string|Expression|\Closure|null $subject = null,
         public ?string $message = null,
         public ?int $statusCode = null,
         public ?int $exceptionCode = null,
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -8,6 +8,7 @@ CHANGELOG
  * Replace `$hideAccountStatusExceptions` argument with `$exposeSecurityErrors` in `AuthenticatorManager` constructor
  * Add argument `$identifierNormalizer` to `UserBadge::__construct()` to allow normalizing the identifier
  * Support hashing the hashed password using crc32c when putting the user in the session
+ * Add support for closures in `#[IsGranted]`
 
 7.2
 ---
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
@@ -55,6 +55,8 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
                     foreach ($subjectRef as $refKey => $ref) {
                         $subject[\is_string($refKey) ? $refKey : (string) $ref] = $this->getIsGrantedSubject($ref, $request, $arguments);
                     }
+                } elseif ($subjectRef instanceof \Closure) {
+                    $subject = $subjectRef($arguments, $request);
                 } else {
                     $subject = $this->getIsGrantedSubject($subjectRef, $request, $arguments);
                 }
@@ -69,7 +71,7 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
                 }
 
                 $e = new AccessDeniedException($message, code: $attribute->exceptionCode ?? 403);
-                $e->setAttributes($attribute->attribute);
+                $e->setAttributes([$attribute->attribute]);
                 $e->setSubject($subject);
                 $e->setAccessDecision($accessDecision);
 
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeWithCallableListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeWithCallableListenerTest.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsWithCallableController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsWithCallableController.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeWithCallableController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeWithCallableController.php

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ interface AuthorizationCheckerInterface`
`21`	`21`	`/**`
`22`	`22`	`* Checks if the attribute is granted against the current authentication token and optionally supplied subject.`
`23`	`23`	`*`
`24`		`- * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)`
	`24`	`+ * @param mixed $attribute A single attribute to vote on (can be of any type; strings, Expression and Closure instances are supported by the core)`
`25`	`25`	`* @param AccessDecision\|null $accessDecision Should be used to explain the decision`
`26`	`26`	`*/`
`27`	`27`	`public function isGranted(mixed $attribute, mixed $subject = null/* , ?AccessDecision $accessDecision = null */): bool;`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,8 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo`
`55`	`55`	`foreach ($subjectRef as $refKey => $ref) {`
`56`	`56`	`$subject[\is_string($refKey) ? $refKey : (string) $ref] = $this->getIsGrantedSubject($ref, $request, $arguments);`
`57`	`57`	`}`
	`58`	`+ } elseif ($subjectRef instanceof \Closure) {`
	`59`	`+ $subject = $subjectRef($arguments, $request);`
`58`	`60`	`} else {`
`59`	`61`	`$subject = $this->getIsGrantedSubject($subjectRef, $request, $arguments);`
`60`	`62`	`}`
`@@ -69,7 +71,7 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo`
`69`	`71`	`}`
`70`	`72`
`71`	`73`	`$e = new AccessDeniedException($message, code: $attribute->exceptionCode ?? 403);`
`72`		`- $e->setAttributes($attribute->attribute);`
	`74`	`+ $e->setAttributes([$attribute->attribute]);`
`73`	`75`	`$e->setSubject($subject);`
`74`	`76`	`$e->setAccessDecision($accessDecision);`
`75`	`77`