Standard RoleHierarchyVoter always return 1 #16358

Closed
sergio-ivanuzzo opened this issue Oct 27, 2015 · 3 comments

@sergio-ivanuzzo

I found this bug in the process of solving the problem http://stackoverflow.com/questions/33346543/symfony2-how-to-disable-default-voter

The code of the method "createRoleHierarchy" in Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

```php
if (!isset($config['role_hierarchy'])) {
    $container->removeDefinition('security.access.role_hierarchy_voter');
    return;
}
```

does not work properly, because role_hierarchy contains an empty array when I remove role_hierarchy from my config. So isset($config['role_hierarchy']) always returns true.

And according to comments in the #Symfony IRC channel from user dantleec1:

yeah, the Configuration class adds the key as an array: https://github.com/symfony/symfony/blob/2.3/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php#L136
so I guess NULL resolves to an empty array

To reproduce this bug you need to add code like

```php
var_dump(get_class($voter) . ":" . $result);
```

to decideConsensus or another decide method of AccessDecisionManager.

I use Linux, with Symfony version 2.7.5 and PHP 5.5.9.

@wouterj
Member

wouterj commented Nov 4, 2015

For disabling the role_hierarchy voter, you had to completely remove the role_hierarchy setting. I've created a pull request to also disable the voter when an empty array (or null) is passed: #16460

In that PR, I also added tests for the RoleHierarchyVoter when passing an empty hierarchy. As you can see, it just behaves like the normal RoleVoter, so I cannot reproduce the "it always returns 1" statement. Can you provide code (e.g. fork the standard edition) to reproduce this issue?

@wouterj
Member

wouterj commented Nov 4, 2015

Status: Works for me

@sergio-ivanuzzo
Author

Hello, WouterJ. Thanks for the answer. The description of your pull request is what I actually meant. I'm sorry for the incorrect description. This issue can be closed.

fabpot added a commit that referenced this issue Nov 28, 2015
…n passing empty hierarchy (WouterJ)

This PR was submitted for the 2.3 branch but it was merged into the 2.8 branch instead (closes #16460).

Discussion
----------

[SecurityBundle] Fix disabling of RoleHierarchyVoter when passing empty hierarchy

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #16358
| License       | MIT
| Doc PR        | -

 * When passing `role_hierarchy: ~` in the config, the role hierarchy voter was still enabled. I've now changed this so that an empty hierarchy also results in disabling this voter. With an empty hierarchy, the voter behaves exactly the same as the RoleVoter, so no BC break is introduced here.
 * Added some tests for the RoleHierarchyVoter when passing an empty hierarchy. As it then behaves exactly like RoleVoter, the question is whether we shouldn't just always return ACCESS_ABSTAIN when the hierarchy is empty

Commits
-------

96afff6 [SecurityBundle] Fix disabling of RoleHierarchyVoter when passing empty hierarchy
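
The mismatch discussed in this thread, as an added PHP sketch (not Symfony's code and not the merged patch): `normalize()`, `removedByIsset()`, `removedByEmpty()` and `reachableRoles()` are hypothetical helpers, and the defaulting of a missing or null `role_hierarchy` to an empty array is assumed from the reporter's description.

```php
<?php
// Added illustration; none of this is Symfony's code.

// Hypothetical stand-in for config processing: as described in the thread,
// the processed config always carries 'role_hierarchy' as an array.
function normalize(array $raw): array
{
    return ['role_hierarchy' => (array) ($raw['role_hierarchy'] ?? [])];
}

// The check quoted in the issue: true means the hierarchy voter is removed.
function removedByIsset(array $config): bool
{
    return !isset($config['role_hierarchy']);
}

// Hypothetical stricter check: an empty hierarchy also removes the voter.
function removedByEmpty(array $config): bool
{
    return empty($config['role_hierarchy']);
}

// Simplified model of hierarchy expansion: the roles held plus every role
// reachable through the map; $seen guards against cyclic definitions.
function reachableRoles(array $hierarchy, array $roles): array
{
    $seen = [];
    while ($roles) {
        $role = array_pop($roles);
        if (!isset($seen[$role])) {
            $seen[$role] = true;
            $roles = array_merge($roles, $hierarchy[$role] ?? []);
        }
    }
    return array_keys($seen);
}

// Constructed sample inputs.
$samples = [
    'key omitted'       => [],
    'role_hierarchy: ~' => ['role_hierarchy' => null],
    'populated'         => ['role_hierarchy' => ['ROLE_ADMIN' => ['ROLE_USER']]],
];
foreach ($samples as $label => $raw) {
    $config = normalize($raw);
    printf("%-18s isset removes: %-3s empty removes: %-3s reachable: %s\n", $label,
        removedByIsset($config) ? 'yes' : 'no', removedByEmpty($config) ? 'yes' : 'no',
        implode(',', reachableRoles($config['role_hierarchy'], ['ROLE_ADMIN'])));
}
```

With an empty hierarchy the expansion yields only the role already held, which matches the thread's observation that the voter then behaves like the plain RoleVoter.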