Skip to content

[Security] Add $methods support to #[IsGranted] to restrict access by HTTP method #61359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 7.4
Choose a base branch
from
Open

[Security] Add $methods support to #[IsGranted] to restrict access by HTTP method #61359

wants to merge 1 commit into from
+96 −5

Conversation

santysisi
Copy link
Contributor

@santysisi santysisi commented Aug 7, 2025
edited
Loading

Q A
Branch? 7.4
Bug fix? no
New feature? yes
Deprecations? no
Issues no
License MIT

Description

This PR adds support for restricting #[IsGranted] validation to specific HTTP methods via a new $methods argument.

What's New

You can now define access control per HTTP method directly in the #[IsGranted] attribute. This allows greater flexibility when securing controller actions that handle multiple HTTP verbs.

#[IsGranted('ROLE_ADMIN', methods: ['GET', 'POST'])]
public function someAction() {}

#[IsGranted('ROLE_ADMIN', methods: 'POST')]
public function otherAction() {}
  • If the current request method does not match, the attribute is ignored.
  • If the method matches, the usual access check logic runs as expected.

This change aligns #[IsGranted] more closely with other HTTP-aware attributes like:

  • #[IsCsrfTokenValid]
  • #[IsSignatureValid] (currently under review)

@santysisi santysisi requested a review from chalasr as a code owner August 7, 2025 22:11
@carsonbot carsonbot added this to the 7.4 milestone Aug 7, 2025
santysisi
santysisi commented Aug 7, 2025
View reviewed changes
src/Symfony/Component/Security/Http/Attribute/IsGranted.php
Comment on lines +30 to +35
* @param string|Expression|\Closure(IsGrantedContext, mixed $subject):bool $attribute The attribute that will be checked against a given authentication token and optional subject
* @param array|string|Expression|\Closure(array<string,mixed>, Request):mixed|null $subject An optional subject - e.g. the current object being voted on
* @param string|null $message A custom message when access is not granted
* @param int|null $statusCode If set, will throw HttpKernel's HttpException with the given $statusCode; if null, Security\Core's AccessDeniedException will be used
* @param int|null $exceptionCode If set, will add the exception code to thrown exception
* @param string[]|string $methods HTTP methods to apply validation to. Empty array means all methods are allowed
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I ran php-cs-fixer, it automatically updated the PHPDoc blocks.
If it's preferred to handle those changes in a separate PR, just let me know 🙏

@santysisi
Copy link
Contributor Author

This is not a bug fix.
My mistake I made when filling out the table.
Apologies for the confusion.

@santysisi santysisi force-pushed the feature/isgranted-methods-support branch from 66c7bd5 to 4cc3417 Compare August 8, 2025 22:17
@santysisi santysisi force-pushed the feature/isgranted-methods-support branch from 4cc3417 to 739e36e Compare August 17, 2025 00:05
nicolas-grekas
nicolas-grekas reviewed Aug 19, 2025
View reviewed changes
src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
Comment on lines +50 to +51
$methods = array_map('strtoupper', $attribute->methods);
if ($methods && !\in_array($request->getMethod(), $methods, true)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$methods = array_map('strtoupper', $attribute->methods);
if ($methods && !\in_array($request->getMethod(), $methods, true)) {
if ($attribute->methods && !\in_array($request->getMethod(), array_map('strtoupper', $attribute->methods), true)) {

stof
stof reviewed Aug 19, 2025
View reviewed changes
src/Symfony/Component/Security/Http/Attribute/IsGranted.php
@@ -24,19 +24,24 @@
#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
final class IsGranted
{
public readonly array $methods;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should have @var string[] to document the exact type (especially as this is a public API)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof stof left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
7.4
Development

Successfully merging this pull request may close these issues.
4 participants
@santysisi @nicolas-grekas @stof @carsonbot