[Security] Deprecate "AbstractVoter" in favor of "Voter" #16601
Conversation
lyrixx
commented
Nov 19, 2015
| Q | A |
|---|---|
| Bug fix? | yes |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | #16556, #16558, #16554 |
| License | MIT |
| Doc PR | - |
| @@ -53,10 +53,10 @@ public function supportsClass($class); | |||
| * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. | |||
| * | |||
| * @param TokenInterface $token A TokenInterface instance | |||
| * @param object|null $object The object to secure | |||
| * @param mixed $subject The subject to secure | |||
There was a problem hiding this comment.
this is a BC break, as explained in #16600
|
I don't see any reason to deprecated AbstractVoter in favor of an abstract Voter class (which does not follow our naming conventions btw). This does not remove the BC break |
I deprecated it because I added a new "base voter". |
3c91b4d to
eeb1815
Compare
|
I reverted the change on the interface to ease integration of this PR. |
|
👍 It removes a limitation of the current AbstractVoter (the first |
| @@ -475,6 +475,8 @@ Security | |||
| } | |||
| ``` | |||
|
|
|||
| * The `AbstractVoter` is deprecated. Upgrade to `Voter` instead. | |||
|
|
|||
There was a problem hiding this comment.
If we're deprecating AbstractVoter entirely, then we don't need to talk about it at all, right? The upgrade path would be to switch to Voter and make the changes needed there, correct? If so, I think we should have one simple, before and after (before AbstractVoter after with Voter).
There was a problem hiding this comment.
If people were using AbstractVoter in 2.7, they can read how to upgrade to 2.8;
Then they could upgrade with the new Voter. Like that it's done step by step.
But I can merge all steps together.
There was a problem hiding this comment.
Or, we should maybe just revert the changes made on AbstractVoter for 2.8 entirely, but keep the deprecations. Ie remove the supports method & co. Don't you think ?
There was a problem hiding this comment.
How that? SF 2.8 is not released, how can it be à BC break to revert the changes made on 2.8?
There was a problem hiding this comment.
Because the implementation sticks on the implementation of the 2.7 version.
|
I left a few comments, but I'm "pro" this idea and I like the name. |
|
But I also think this can wait until 3.1... It's great, but I'm not sure it's important enough to stick into the release at the last second: there's too much else going on. If we do save this for 3.1, then I can update the |
|
Whoops - I meant wait until 3.1 - I updated my comment. |
eeb1815 to
b6ee425
Compare
b6ee425 to
39ade26
Compare
|
We worked together with @lyrixx on this, the PR now has two commits:
The new We can postpone this deprecation to 3.1, but it would be quite unfortunate to ask devs to update their app twice. It's late but maybe not too late to fix this limitation now. That would reduce the burden significantly on this topic. diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php
index efa1562..5dcf787 100644
--- a/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php
+++ b/src/Symfony/Component/Security/Core/Authorization/Voter/AbstractVoter.php
@@ -11,6 +11,8 @@
namespace Symfony\Component\Security\Core\Authorization\Voter;
+@trigger_error('The '.__NAMESPACE__.'\AbstractVoter class is deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead.', E_USER_DEPRECATED);
+
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -18,6 +20,8 @@ use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
* Abstract Voter implementation that reduces boilerplate code required to create a custom Voter.
*
* @author Roman Marint<C5><A1>enko <inoryy@gmail.com>
+ *
+ * @deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead.
*/
abstract class AbstractVoter implements VoterInterface
{
diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php b/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php
index d00ff1c..7e243f9 100644
--- a/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php
+++ b/src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php
@@ -30,6 +30,8 @@ interface VoterInterface
* @param string $attribute An attribute
*
* @return bool true if this Voter supports the attribute, false otherwise
+ *
+ * @deprecated since version 2.8, to be removed in 3.0.
*/
public function supportsAttribute($attribute);
@@ -39,6 +41,8 @@ interface VoterInterface
* @param string $class A class name
*
* @return bool true if this Voter can process the class
+ *
+ * @deprecated since version 2.8, to be removed in 3.0.
*/
public function supportsClass($class); |
39ade26 to
d3028c5
Compare
| $vote = self::ACCESS_DENIED; | ||
|
|
||
| if ($this->voteOnAttribute($attribute, $object, $token)) { | ||
| // grant access as soon as at least one voter returns a positive response |
There was a problem hiding this comment.
this should be at least one attribute. We are inside the voter here. We don't have multiple voters
| * Determines if the attribute and object are supported by this voter. | ||
| * | ||
| * @param string $attribute An attribute | ||
| * @param mixed $object The object to secure |
There was a problem hiding this comment.
this should be renamed if it is not always an object
There was a problem hiding this comment.
Well, grammatically, it's an object. But a synonym would be less confusing I agree. Here are some, any preference?
There was a problem hiding this comment.
I think subject could be used instead.
There was a problem hiding this comment.
I just updated the PR to use "matter" instead, as suggested by thesaurus.com.
There was a problem hiding this comment.
$matter is not a common term and it may be difficult to understand it. Could we call it $object and add a note in the PHPdocs saying that this can also be a non-object? By the way, how common is to pass a non-object to this argument?
There was a problem hiding this comment.
@javiereguiluz frequent enough to raise all this discussion and the related issues :)
d3028c5 to
fe48477
Compare
| * | ||
| * @return bool True if the attribute and matter are supported, false otherwise | ||
| */ | ||
| abstract protected function supports($attribute, $matter); |
There was a problem hiding this comment.
$matter is a weird word in English - usually it only refers to the scientific meaning of matter (https://en.wikipedia.org/wiki/Matter).
I liked $subject better, and I think we should hint in the docs that this is often an object:
/**
* @param mixed $subject The subject to secure (e.g. an object the user wants to access)
*/There was a problem hiding this comment.
Lets go for subject, thanks for the feedback. I used The subject to secure, e.g. an object the user wants to access or any other PHP type
fe48477 to
fd8b87c
Compare
|
Thank you all for the feedback, all comments are now resolved, votes pending :) |
|
So, IIUC, the |
|
👍 I agree - that bug was always something we wanted to fix - we should have just done it all at once (like this PR). |
|
Thank you @lyrixx. |
…r" (nicolas-grekas, lyrixx) This PR was merged into the 2.8 branch. Discussion ---------- [Security] Deprecate "AbstractVoter" in favor of "Voter" | Q | A | ------------- | --- | Bug fix? | yes | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #16556, #16558, #16554 | License | MIT | Doc PR | - Commits ------- fd8b87c [Security] Deprecate "AbstractVoter" in favor of "Voter" d3c6d93 [Security] Revert changes made between 2.7 and 2.8-beta