Voters - different behavior on dev/test and production enviroment #39205
Comments
|
All voters must return an int. Why do you return something else? IMHO nothing should be fixed here |
|
I think the problem is that if you make a mistake and return something that is castable ton an int (for example |
|
Thanks for all information in the issue description, that makes it very easy to trace the exact problem here. I would propose the following solution:
Are you willing to create a PR for (1) and (2)?
There is, in the PHPdoc: As types are very new in PHP (and Symfony is still migrating to PHP types), PHPdocs are just as important for the contract as PHP types. |
|
@wouterj thx for the response. I will do exactly the way you suggested. today in the late afternoon(CET time zone). |
|
@adeptofvoltron yes, but erroring in this case would be a BC break, that why we can only deprecate it for now. |
This PR was merged into the 5.3-dev branch. Discussion ---------- [Security] Assert voter returns valid decision | Q | A | ------------- | --- | Branch? | 5.x | Bug fix? | no | New feature? | no | Deprecations? | yes | Tickets | Fix #39205 | License | MIT | Doc PR | Replace #39248 Commits ------- ffdfb4f Assert voter returns valid decision
Symfony version(s) affected: tested on 5.0.10 (but from what I see in a code,
Description
Basically each voter in dev/test env is wrapped in
\Symfony\Component\Security\Core\Authorization\Voter\TraceableVoterproxy. In that commit @nicolas-grekas added return typeint. Because there is no "strict types" in file...all return results are type juggled to int.In prod env, there is no such proxy so the result is not juggled into an int.
Voter Result is used in \Symfony\Component\Security\Core\Authorization\AccessDecisionManager where it is strictly compared.
How to reproduce
There are several possible solutions, and I would be happy to implement it. However, I do not know properly the "Symfony way" to contribute. So I am going to be more than happy by pointing to the correct solution:
Option nr . 1 Use strict types in TraceableVoter -> It will throw an error if someone's voter will return different type than boolean.
disadventages: backward-incompatible, some projects may not handle such error + I did not see using strict_types in Symfony(surprised tbh).
Option nr . 2 Cast return from Voter in AccessDecisionManager into "int". I think it is an ugly version, but most likely to be correct here
Option nr. 3 remove return type declaration from vote method (after allis cause the problem). There is no such declaration in VoterInterface
Option nr. 4 - most elegant imho. Adding the return type declaration in VoterInterface. however in breaks backward compatibility so that solution can be introduced in 6.0 framework.
Additional context
The text was updated successfully, but these errors were encountered: