UserValueResolver and SecurityUserValueResolver improvement #26971
Conversation
…lass implementing UserInterface
…solve class implementing UserInterface
…solve class implementing UserInterface
| @@ -40,7 +40,7 @@ public function __construct(TokenStorageInterface $tokenStorage) | |||
| public function supports(Request $request, ArgumentMetadata $argument) | |||
| { | |||
| // only security user implementations are supported | |||
| if (UserInterface::class !== $argument->getType()) { | |||
| if (!$argument->getType() || !$this->implementsCorrectInterface($argument->getType())) { | |||
There was a problem hiding this comment.
Should be in Symfony\Component\Security\Http\Controller\UserValueResolver instead (see deprecation notice above)
There was a problem hiding this comment.
Deprecated classes are frozen until they are suppressed, it should not get new features.
| */ | ||
| private function implementsCorrectInterface($type) | ||
| { | ||
| return UserInterface::class === $type || array_key_exists(UserInterface::class, class_implements($type)); |
There was a problem hiding this comment.
Let's inline this logic in the calling condition
There was a problem hiding this comment.
isn't this what is_a() or is_subclass_of() does?
|
Discussion why this feature wasn't introduced when initially adding the resolver: #18510 (comment) |
|
@iltar thanks for the link. I agree that it may collide with the ParamConverter. On the other hand I still think the UserValueResolver should support classes implementing the UserInterface. Few quick ideas:
|
|
I agree with @davidkmenta here, the param converters are executed before the value resolver so the concern highlighted in #18510 (comment) shouldn't be a problem. Forcing users to type they controller arguments with |
|
@davidkmenta @jvasseur If you type-hint an entity, it will actually try to inject that entity based on the request, which will fail, because there's no way of fetching it. This is because the parameter converters are triggered first.
If people use it as quick way to get their current user object, why not provide a (by the SecurityBundle) configurable AVR that can return a given object based on the current |
|
@iltar didn't think of that since I tend do disable the automatic conversion. We need to think of the future of the future of param converters (sensiolabs/SensioFrameworkExtraBundle#436 ?) maybe it's time to deprecate them and introduce configurable argument resolvers, this would allow us to have a configurable security user resolver. |
|
Yes, something has to be done about the parameter converters, but I'm not sure what and I don't have much time myself 😢 Regarding the current AVR, what if we add an additional interface to the interface DomainUserProviderInterface
{
// would return your entity for example, names to be discussed
public function convertToDomainUser(UserInterface $user);
}# follows the basic configuration
security
providers:
hostnet:
id: App\Security\Authentication\CustomerPortal\UserProviderThis would make it possible for the AVR to resolve the security user to a domain user. If you implement the interface on your user provider, it will simply be "enabled" for whatever has that user. We have the firewall information available, so perhaps it's not even hard to find the user provider. |
|
So I guess this PR can be closed for now :) |
|
TBH I do not follow why this was closed because of bundle that it's not inside symfony.. Personally I do not use Sensio bundles... :( I believe that this is a problem of sensio bundle that should either decorate the user AVR or overwrite it. |
|
Symfony needs a generic controller configuration system that works similar to the idea behind the annotations from that bundle (but configurable without annotations as well). When this is done, AVR can fully replace the parameter converters and it won't be an issue anymore. The issue arises because a lot of developers do use the |
UserValueResolver and SecurityUserValueResolver should also resolve class implementing UserInterface.