[Security] AbstractVoter should not abstain when object == null #16556
Comments
|
I agree with you, but this logic was added when this voter was created d3bafc6#diff-c46e9d9da2a0b7aa68e78b8e58369481R61 and changing behavior can be a BC-break. |
|
@Koc Yes, I saw this diff. But I don't understand why. And this Logic prevents me to use the |
|
@lyrixx your use case makes sense and in fact when I looked up the original PR, I've found that somebody has already encountered this issue here, I'm not sure if any action was taken though /cc @weaverryan |
|
@lyrixx it was an oversight in the original AbstractVoter. So yes, it's a bug, but it needs to be fixed while keeping BC. I think there's another issue about this, where I suggested renaming this to AbstractObjectVoter and creating some other new abstract class with the desired functionality. So I think it's valid - someone should work on it for a future release. |
…r" (nicolas-grekas, lyrixx) This PR was merged into the 2.8 branch. Discussion ---------- [Security] Deprecate "AbstractVoter" in favor of "Voter" | Q | A | ------------- | --- | Bug fix? | yes | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #16556, #16558, #16554 | License | MIT | Doc PR | - Commits ------- fd8b87c [Security] Deprecate "AbstractVoter" in favor of "Voter" d3c6d93 [Security] Revert changes made between 2.7 and 2.8-beta
I was migrating our voters to use the
AbstractVoterand I notice something strange.In 2.7 and in 2.8, if nothing is passed for the
objectargument, the voter votesACCESS_ABSTAIN.IMHO, this is wrong. For example, If a voter votes for
POST_CREATE, I may have no$objectparameters. and so the abstract voter should let the voter decide.What do you think?
ping @inoryy @weaverryan @wouterj @Koc
The text was updated successfully, but these errors were encountered: