[Security] Add $methods support to #[IsGranted] to restrict access by HTTP method #61359

Merged (1 commit) on Aug 20, 2025

@santysisi (Contributor) commented Aug 7, 2025

| Q | A |
| --- | --- |
| Branch? | 7.4 |
| Bug fix? | no |
| New feature? | yes |
| Deprecations? | no |
| Issues | no |
| License | MIT |

Description

This PR adds support for restricting #[IsGranted] validation to specific HTTP methods via a new $methods argument.

What's New

You can now define access control per HTTP method directly in the #[IsGranted] attribute. This allows greater flexibility when securing controller actions that handle multiple HTTP verbs.

#[IsGranted('ROLE_ADMIN', methods: ['GET', 'POST'])]
public function someAction() {}

#[IsGranted('ROLE_ADMIN', methods: 'POST')]
public function otherAction() {}

  • If the current request method does not match, the attribute is ignored.
  • If the method matches, the usual access check logic runs as expected.

This change aligns #[IsGranted] more closely with other HTTP-aware attributes like:

  • #[IsCsrfTokenValid]
  • #[IsSignatureValid] (currently under review)
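
Added example, not part of the PR or of Symfony's code: a stand-alone PHP model of the method gate described above, used to list which verbs of a route end up with no access check at all. The helper names `attributeApplies` and `uncheckedVerbs`, the array shape used for attributes, and the sample route are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Model of the gate discussed in this PR (not Symfony's code): an attribute
// with an empty method list applies to every verb; otherwise it applies only
// when the request verb is listed and is ignored for every other verb.
function attributeApplies(array|string $methods, string $requestMethod): bool
{
    $methods = array_map('strtoupper', (array) $methods);

    return !$methods || in_array(strtoupper($requestMethod), $methods, true);
}

// Returns the route verbs for which no attribute in $attributes runs at all.
function uncheckedVerbs(array $routeMethods, array $attributes): array
{
    $unchecked = [];
    foreach ($routeMethods as $verb) {
        $covered = false;
        foreach ($attributes as $attribute) {
            if (attributeApplies($attribute['methods'], $verb)) {
                $covered = true;
                break;
            }
        }
        if (!$covered) {
            $unchecked[] = strtoupper($verb);
        }
    }

    return $unchecked;
}

// Constructed sample: one action reachable with four verbs.
$route = ['GET', 'HEAD', 'POST', 'DELETE'];

// Only a method-scoped attribute: every unlisted verb runs without a check.
$scopedOnly = [['role' => 'ROLE_ADMIN', 'methods' => 'post']];
echo implode(',', uncheckedVerbs($route, $scopedOnly)) ?: '(none)', PHP_EOL;

// A baseline attribute for all verbs plus a stricter one for writes.
$layered = [
    ['role' => 'ROLE_USER', 'methods' => []],
    ['role' => 'ROLE_ADMIN', 'methods' => ['POST', 'DELETE']],
];
echo implode(',', uncheckedVerbs($route, $layered)) ?: '(none)', PHP_EOL;
```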

@santysisi (Contributor, Author) commented:

This is not a bug fix.
It was a mistake I made when filling out the table.
Apologies for the confusion.

@santysisi force-pushed the feature/isgranted-methods-support branch from 66c7bd5 to 4cc3417 on August 8, 2025 22:17
@santysisi force-pushed the feature/isgranted-methods-support branch from 4cc3417 to 739e36e on August 17, 2025 00:05
Comment on lines 50 to 51
$methods = array_map('strtoupper', $attribute->methods);
if ($methods && !\in_array($request->getMethod(), $methods, true)) {
Member

Suggested change
$methods = array_map('strtoupper', $attribute->methods);
if ($methods && !\in_array($request->getMethod(), $methods, true)) {
if ($attribute->methods && !\in_array($request->getMethod(), array_map('strtoupper', $attribute->methods), true)) {
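
Review bot: The strict `\in_array($request->getMethod(), ...)` test in the suggested line makes the attribute fail open: any request whose verb is not listed skips the access check altogether, so an action that also answers unlisted verbs (HEAD alongside a listed GET, for example) is reached without this check. That behaviour deserves a sentence in the attribute's docblock and a test that sends an unlisted verb. Separately, the description shows `methods: 'POST'` passed as a string while `array_map('strtoupper', $attribute->methods)` needs an array, so confirm the constructor normalizes the argument to an array before this line runs.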

@santysisi force-pushed the feature/isgranted-methods-support branch from 739e36e to 128a973 on August 19, 2025 23:16
@santysisi force-pushed the feature/isgranted-methods-support branch from 128a973 to 68f0fca on August 19, 2025 23:22

@santysisi (Contributor, Author) commented:

Hi 👋 Thanks to both of you for the suggestions!
I made the changes 😄

@fabpot (Member) commented Aug 20, 2025

Thank you @santysisi.

@fabpot merged commit 0d47620 into symfony:7.4 on Aug 20, 2025
4 of 12 checks passed