Wondering if it's worth normalizing case here so it will work whether the user is doing is_granted('create', foo) or is_granted('CREATE', foo).

That's an interesting idea. I might be +1 to this. But I think an even better solution is if the security system were able to throw a clear exception if no voters voted on an attribute. So if you did a typo (e.g. CREETE), you'd see a clear message, rather than nobody voting and access being granted/denied 100% of the time based on your voting strategy

So if all voters abstain, rather than denying access, you think an exception should be thrown? If I've understood correctly that'd be a change in the AccessDecisionManager, which I would say is outside of the scope of this..

that would be a BC break

Yea, this is exactly what I would like, but Stof is right that it would be a BC break and I agree it's also outside of the scope of this :). But yes, in a perfect world, this seems like the right behavior to me.

http://php.net/is_a is easier IMHO

I think is_a still requires the first argument to be an object (all we have here are class names).

But you don't have to use get_class on line 50 ;)

supportsClass expects a string in the VoterInterface

ah ... Did not know ;) I never like this interface. It should be tweaked in SF3.0 IMHO.

yeah, supportsClass and supportAttribute are actually never used in Symfony except by voters themselves. They should be removed from the interface in 3.0. But in the meantime, the interface should be respected

Just ran few tests:

php > var_dump(is_a('BadFunctionCallException', 'Exception', true));
bool(true)
php > var_dump(is_a('Exception', 'Exception', true));
bool(true)
php > var_dump(is_a('Foobar', 'Exception', true));
bool(false)

@weaverryan:

I think is_a still requires the first argument to be an object (all we have here are class names).

See the php doc:

allow_string

If this parameter set to FALSE, string class name as object is not allowed. This also prevents from calling autoloader if the class doesn't exist.

in 5.3.3 to 5.3.6, is_a does not trigger the autoloading when passing a string. This won't cause issue for the behavior in the voter (as the class name comes from get_class and so the class is already autoloaded) but it could for other usages of the method.

good point ;)

Why returning ACCESS_ABSTAIN so early? This avoids using is_granted(MY_ATTRIBUTE) without passing object.

Take the role checking as example: is_granted('ROLE_ADMIN') ... no object is passed. Ans this kind of implementation is not possible here.

At first glance, I would do something like if(!!$object && !$this->supportsClass(...)

You should open an issue. At first glance, I agree that this is something we overlooked!

What if $object is null? I suppose we should only bother checking supportsClass if there is an object?

Hmm, I'm conflicted on this.
The VoterInterface API/doc doesn't actually support $object to be null: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php#L52

But then again I know for a fact that it's possible to have non-object voters..

I suppose adding as simple check that object isn't null won't hurt

it supports it (see the RoleVoter). It is a phpdoc issue.

I would move this line below the next if check.

What's the benefit?

The benefit is to avoid needless assignment if the next if check evaluates to true.

I'd prefer increased readability over nano-optimization

It's a matter of taste. Personally, I don't see, how one would be more readable than the other.

@weaverryan or @javiereguiluz can you weight in here? I think our discussion with @rybakit has stalled due to personal preferences, so only way to move forward is via neutral position's opinion.

Symfony project always prefer code readability over micro-optimizations, so maybe we should leave the original code as is.

FWIW, the flow here is identical to the existing RoleVoter. I think we all agree that the difference is minor if anything, so I think we should keep it as it is.

Move $token->getUser() call out of the loop, as it was before?

What's the benefit of that?

As the result of $token->getUser() is not changed during the loop, I see no reason to call it on every iteration. Moreover it could be an expensive call depending on how one will implement this method.

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L73-L79

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authentication/Token/TokenInterface.php#L53

Nothing prevents a user from creating a custom token, like:

FooToken implements TokenInterface
{
    ...

    public function getUser()
    {
        // do a remote call here 
    }
}

@weaverryan or @javiereguiluz can you weight in here? I think our discussion with @rybakit has stalled due to personal preferences, so only way to move forward is via neutral position's opinion.

I'm really divided in this one :( Let's wait for @weaverryan to see if he has a preference for any of the two options.

I also don't have a preference, so let's leave it. The argument that @rybakit is making is valid. But someone else could make the argument that calling $token->getUser() before the if statement could in theory mean that you're calling this function even if you don't need the user (i.e. if supportsAttribute returns false for all attributes). Both are micro-optimizations, but you can't support both. Also, even though we're supporting it, you really shouldn't be calling the voter with an array of attributes - so that makes this even a little less common.

Thanks guys!

I think you shouldn't call $token->getUser() at all. Passing the token itself would allow more flexibility for end users.

Most of the time you don't need the token, so we're catering for the most common use case (most developers don't really understand - or need to understand - what a token is). But you're certainly right, and if you need access to the token, you should just skip extending this AbstractVoter and implement the vote method on your own class with whatever logic you need.

We are returning here as soon as we get a granted attribute. This will mean that any further attributes for this vote will be ignored. This could be an issue, if, for example, you have is_granted( ['VIEW', 'DELETE'], $obj) and the user has view permissions, but not delete permissions, as it will grant permission for both attributes.

May be better to negate the if and return as soon as a denied is returned.

I believe we had this conversation previously here: #11183 (diff)

The implementation here is consistent with how the core voters (e.g. RoleVoter) handles multiple attributes, which I think is the best we can do. Imo, people shouldn't pass an array of attributes, since it's not obvious how that will be handled. But if they do, we'll handle them in the same way as the core voters (and of course, you can always not use the Abstract class if you need to customize this detail).

people shouldn't pass an array of attributes

Yeah I was surprised it was supported when I looked at this before. It's quite little effort to make this support multiple attributes if we did want to, but yeah whatever really.

Haha, yea I was surprised too once upon a time :). The problem will always be whether you make the voter support "AND" logic or "OR" logic for the multiple attributes. We can't do both, but we have to do one.

all core voters are implementing OR

@weaverryan @stof so my implementation is good to go, right?

Looks good to me as is: your code looks identical to RoleVoter.

I think a string user doesn't necessary mean it is an anonymously authenticated user

That's technically true, but I've never seen a case in practice other than the anonymous user. I'd rather be a little technically incorrect here to cover the vast majority of the use-cases (and if you are authentication a user without an object, it's likely you are more advanced and understand what's going on).