symfony · yellow1912 · Sep 23, 2021 · Sep 23, 2021 · Sep 23, 2021 · Sep 23, 2021
diff --git a/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php b/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
@@ -38,6 +38,7 @@
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -237,10 +238,22 @@ protected function isGranted($attribute, $subject = null): bool
      */
     protected function denyAccessUnlessGranted($attribute, $subject = null, string $message = 'Access Denied.'): void
     {
-        if (!$this->isGranted($attribute, $subject)) {
+        if (!$this->container->has('security.authorization_checker')) {
+            throw new \LogicException('The SecurityBundle is not registered in your application. Try running "composer require symfony/security-bundle".');
+        }
+
+        $checker = $this->container->get('security.authorization_checker');
+        if (method_exists($checker, 'getDecision')) {
+            $decision = $checker->getDecision($attribute, $subject);
+        } else {
+            $decision = $checker->isGranted($attribute, $subject) ? AccessDecision::createGranted() : AccessDecision::createDenied();
+        }
+
+        if (!$decision->isGranted()) {
             $exception = $this->createAccessDeniedException($message);
             $exception->setAttributes($attribute);
             $exception->setSubject($subject);
+            $exception->setAccessDecision($decision);
 
             throw $exception;
         }
@@ -411,7 +424,7 @@ protected function getUser()
             return null;
         }
 
-        // @deprecated since 5.4, $user will always be a UserInterface instance
+        // @deprecated since Symfony 5.4, $user will always be a UserInterface instance
         if (!\is_object($user = $token->getUser())) {
             // e.g. anonymous authentication
             return null;

@@ -36,7 +36,7 @@ public function __construct(TraceableAccessDecisionManager $traceableAccessDecis
      */
     public function onVoterVote(VoteEvent $event)
     {
-        $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVote());
+        $this->traceableAccessDecisionManager->addVoterVote($event->getVoter(), $event->getAttributes(), $event->getVoteDecision());
     }
 
     public static function getSubscribedEvents(): array

@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Bundle\SecurityBundle\EventListener\VoteListener;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Event\VoteEvent;
 
@@ -29,10 +30,33 @@ public function testOnVoterVote()
             ->setMethods(['addVoterVote'])
             ->getMock();
 
+        $vote = Vote::createGranted();
         $traceableAccessDecisionManager
             ->expects($this->once())
             ->method('addVoterVote')
-            ->with($voter, ['myattr1', 'myattr2'], VoterInterface::ACCESS_GRANTED);
+            ->with($voter, ['myattr1', 'myattr2'], $vote);
+
+        $sut = new VoteListener($traceableAccessDecisionManager);
+        $sut->onVoterVote(new VoteEvent($voter, 'mysubject', ['myattr1', 'myattr2'], $vote));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testOnVoterVoteLegacy()
+    {
+        $voter = $this->createMock(VoterInterface::class);
+
+        $traceableAccessDecisionManager = $this
+            ->getMockBuilder(TraceableAccessDecisionManager::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['addVoterVote'])
+            ->getMock();
+
+        $traceableAccessDecisionManager
+            ->expects($this->once())
+            ->method('addVoterVote')
+            ->with($voter, ['myattr1', 'myattr2'], Vote::createGranted());
 
         $sut = new VoteListener($traceableAccessDecisionManager);
         $sut->onVoterVote(new VoteEvent($voter, 'mysubject', ['myattr1', 'myattr2'], VoterInterface::ACCESS_GRANTED));

@@ -0,0 +1,118 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * An AccessDecision is returned by an AccessDecisionManager and contains the access verdict and all the related votes.
+ *
+ * @author Dany Maillard <danymaillard93b@gmail.com>
+ */
+final class AccessDecision
+{
+    /** @var int One of the VoterInterface::ACCESS_* constants */
+    private $access;
+
+    /** @var Vote[] */
+    private $votes = [];
+
+    /**
+     * @param int    $access One of the VoterInterface::ACCESS_* constants
+     * @param Vote[] $votes
+     */
+    private function __construct(int $access, array $votes = [])
+    {
+        $this->access = $access;
+        $this->votes = $votes;
+    }
+
+    public function getAccess(): int
+    {
+        return $this->access;
+    }
+
+    public function isGranted(): bool
+    {
+        return VoterInterface::ACCESS_GRANTED === $this->access;
+    }
+
+    public function isAbstain(): bool
+    {
+        return VoterInterface::ACCESS_ABSTAIN === $this->access;
+    }
+
+    public function isDenied(): bool
+    {
+        return VoterInterface::ACCESS_DENIED === $this->access;
+    }
+
+    /**
+     * @param Vote[] $votes
+     */
+    public static function createGranted(array $votes = []): self
+    {
+        return new self(VoterInterface::ACCESS_GRANTED, $votes);
+    }
+
+    /**
+     * @param Vote[] $votes
+     */
+    public static function createDenied(array $votes = []): self
+    {
+        return new self(VoterInterface::ACCESS_DENIED, $votes);
+    }
+
+    /**
+     * @return Vote[]
+     */
+    public function getVotes(): array
+    {
+        return $this->votes;
+    }
+
+    /**
+     * @return Vote[]
+     */
+    public function getGrantedVotes(): array
+    {
+        return $this->getVotesByAccess(Voter::ACCESS_GRANTED);
+    }
+
+    /**
+     * @return Vote[]
+     */
+    public function getAbstainedVotes(): array
+    {
+        return $this->getVotesByAccess(Voter::ACCESS_ABSTAIN);
+    }
+
+    /**
+     * @return Vote[]
+     */
+    public function getDeniedVotes(): array
+    {
+        return $this->getVotesByAccess(Voter::ACCESS_DENIED);
+    }
+
+    /**
+     * @return Vote[]
+     */
+    private function getVotesByAccess(int $access): array
+    {
+        return array_filter($this->votes, static function (Vote $vote) use ($access): bool {
+            return $vote->getAccess() === $access;
+        });
+    }
+}