symfony
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
+2Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
+5-4Lines changed: 5 additions & 4 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
+5-4Lines changed: 5 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecision.php
Copy file name to clipboard
+52Lines changed: 52 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecision.php
Copy file name to clipboard
+52Lines changed: 52 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
+42-22Lines changed: 42 additions & 22 deletions b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
+42-22Lines changed: 42 additions & 22 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
+1-1Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
+8-1Lines changed: 8 additions & 1 deletion b/‎src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
+8-1Lines changed: 8 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php
+4-3Lines changed: 4 additions & 3 deletions b/‎src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php
+4-3Lines changed: 4 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/Voter/AccessTrait.php
Copy file name to clipboard
+38Lines changed: 38 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/Voter/AccessTrait.php
Copy file name to clipboard
+38Lines changed: 38 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExplainedVoterInterface.php
Copy file name to clipboard
+19Lines changed: 19 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExplainedVoterInterface.php
Copy file name to clipboard
+19Lines changed: 19 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExplainedVoterTrait.php
Copy file name to clipboard
+30Lines changed: 30 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authorization/Voter/ExplainedVoterTrait.php
Copy file name to clipboard
+30Lines changed: 30 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php
+2-2Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authorization/Voter/TraceableVoter.php
+2-2Lines changed: 2 additions & 2 deletions
@@ -37,6 +37,7 @@
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Csrf\CsrfToken;
@@ -232,6 +233,7 @@ protected function denyAccessUnlessGranted($attributes, $subject = null, string
             $exception = $this->createAccessDeniedException($message);
             $exception->setAttributes($attributes);
             $exception->setSubject($subject);
+            $exception->setAccessDecision($this->container->get('security.authorization_checker')->getLastAccessDecision());
 
             throw $exception;
         }
 
@@ -346,16 +346,17 @@
                                             <td class="font-normal text-small">attribute {{ voter_detail['attributes'][0] }}</td>
                                             {% endif %}
                                             <td class="font-normal text-small">
-                                                {% if voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_GRANTED') %}
+                                                {% if voter_detail['vote'].access == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_GRANTED') %}
                                                     ACCESS GRANTED
-                                                {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_ABSTAIN') %}
+                                                {% elseif voter_detail['vote'].access == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_ABSTAIN') %}
                                                     ACCESS ABSTAIN
-                                                {% elseif voter_detail['vote'] == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_DENIED') %}
+                                                {% elseif voter_detail['vote'].access == constant('Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::ACCESS_DENIED') %}
                                                     ACCESS DENIED
                                                 {% else %}
-                                                    unknown ({{ voter_detail['vote'] }})
+                                                    unknown ({{ voter_detail['vote'].access }})
                                                 {% endif %}
                                             </td>
+                                            <td class="font-normal text-small">{{ voter_detail['vote'].reason }}</td>
                                         </tr>
                                     {% endfor %}
                                     </tbody>
 
@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\Authorization\Voter\AccessTrait;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+class AccessDecision
+{
+    use AccessTrait;
+
+    /** @var Vote[] */
+    private $votes;
+
+    private function __construct(int $access, array $votes = [])
+    {
+        $this->access = $access;
+        $this->votes = $votes;
+    }
+
+    public static function createGranted(array $votes = []): self
+    {
+        return new self(VoterInterface::ACCESS_GRANTED, $votes);
+    }
+
+    public static function createDenied(array $votes = []): self
+    {
+        return new self(VoterInterface::ACCESS_DENIED, $votes);
+    }
+
+    /**
+     * @return Vote[]
+     */
+    public function getVotes(int $access = null): array
+    {
+        if (null === $access) {
+            return $this->votes;
+        }
+
+        return array_filter($this->votes, function (Vote $vote) use ($access) { return $vote->getAccess() === $access; });
+    }
+}
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authorization;
 
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 
@@ -72,26 +73,27 @@ public function decide(TokenInterface $token, array $attributes, $object = null)
      * If all voters abstained from voting, the decision will be based on the
      * allowIfAllAbstainDecisions property value (defaults to false).
      */
-    private function decideAffirmative(TokenInterface $token, array $attributes, $object = null): bool
+    private function decideAffirmative(TokenInterface $token, array $attributes, $object = null): AccessDecision
     {
+        $votes = [];
         $deny = 0;
         foreach ($this->voters as $voter) {
-            $result = $voter->vote($token, $object, $attributes);
+            $votes[] = $vote = $this->vote($voter, $token, $object, $attributes);
 
-            if (VoterInterface::ACCESS_GRANTED === $result) {
-                return true;
+            if ($vote->isGranted()) {
+                return AccessDecision::createGranted($votes);
             }
 
-            if (VoterInterface::ACCESS_DENIED === $result) {
+            if ($vote->isDenied()) {
                 ++$deny;
             }
         }
 
         if ($deny > 0) {
-            return false;
+            return AccessDecision::createDenied($votes);
         }
 
-        return $this->allowIfAllAbstainDecisions;
+        return $this->decideIfAllAbstainDecisions();
     }
 
     /**
@@ -108,33 +110,37 @@ private function decideAffirmative(TokenInterface $token, array $attributes, $ob
      * If all voters abstained from voting, the decision will be based on the
      * allowIfAllAbstainDecisions property value (defaults to false).
      */
-    private function decideConsensus(TokenInterface $token, array $attributes, $object = null): bool
+    private function decideConsensus(TokenInterface $token, array $attributes, $object = null): AccessDecision
     {
+        $votes = [];
         $grant = 0;
         $deny = 0;
         foreach ($this->voters as $voter) {
-            $result = $voter->vote($token, $object, $attributes);
+            $votes[] = $vote = $this->vote($voter, $token, $object, $attributes);
 
-            if (VoterInterface::ACCESS_GRANTED === $result) {
+            if ($vote->isGranted()) {
                 ++$grant;
-            } elseif (VoterInterface::ACCESS_DENIED === $result) {
+            } elseif ($vote->isDenied()) {
                 ++$deny;
             }
         }
 
         if ($grant > $deny) {
-            return true;
+            return AccessDecision::createGranted($votes);
         }
 
         if ($deny > $grant) {
-            return false;
+            return AccessDecision::createDenied($votes);
         }
 
         if ($grant > 0) {
-            return $this->allowIfEqualGrantedDeniedDecisions;
+            return $this->allowIfEqualGrantedDeniedDecisions
+                ? AccessDecision::createGranted()
+                : AccessDecision::createDenied()
+            ;
         }
 
-        return $this->allowIfAllAbstainDecisions;
+        return $this->decideIfAllAbstainDecisions();
     }
 
     /**
@@ -143,29 +149,30 @@ private function decideConsensus(TokenInterface $token, array $attributes, $obje
      * If all voters abstained from voting, the decision will be based on the
      * allowIfAllAbstainDecisions property value (defaults to false).
      */
-    private function decideUnanimous(TokenInterface $token, array $attributes, $object = null): bool
+    private function decideUnanimous(TokenInterface $token, array $attributes, $object = null): AccessDecision
     {
+        $votes = [];
         $grant = 0;
         foreach ($this->voters as $voter) {
             foreach ($attributes as $attribute) {
-                $result = $voter->vote($token, $object, [$attribute]);
+                $votes[] = $vote = $this->vote($voter, $token, $object, [$attribute]);
 
-                if (VoterInterface::ACCESS_DENIED === $result) {
-                    return false;
+                if ($vote->isDenied()) {
+                    return AccessDecision::createDenied($votes);
                 }
 
-                if (VoterInterface::ACCESS_GRANTED === $result) {
+                if ($vote->isGranted()) {
                     ++$grant;
                 }
             }
         }
 
         // no deny votes
         if ($grant > 0) {
-            return true;
+            return AccessDecision::createGranted($votes);
         }
 
-        return $this->allowIfAllAbstainDecisions;
+        return $this->decideIfAllAbstainDecisions();
     }
 
     /**
@@ -191,4 +198,17 @@ private function decidePriority(TokenInterface $token, array $attributes, $objec
 
         return $this->allowIfAllAbstainDecisions;
     }
+
+    private function decideIfAllAbstainDecisions(): AccessDecision
+    {
+        return $this->allowIfAllAbstainDecisions
+            ? AccessDecision::createGranted()
+            : AccessDecision::createDenied()
+        ;
+    }
+
+    private function vote(VoterInterface $voter, TokenInterface $token, $subject, array $attributes): Vote
+    {
+        return is_int($vote = $voter->vote($token, $subject, $attributes)) ? Vote::create($vote) : $vote;
+    }
 }
@@ -26,7 +26,7 @@ interface AccessDecisionManagerInterface
      * @param array  $attributes An array of attributes associated with the method being invoked
      * @param object $object     The object to secure
      *
-     * @return bool true if the access is granted, false otherwise
+     * @return bool|AccessDecision true if the access is granted, false otherwise
      */
     public function decide(TokenInterface $token, array $attributes, $object = null);
 }
@@ -29,6 +29,8 @@ class AuthorizationChecker implements AuthorizationCheckerInterface
     private $accessDecisionManager;
     private $authenticationManager;
     private $alwaysAuthenticate;
+    /** @var AccessDecision */
+    private $lastAccessDecision;
 
     public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, AccessDecisionManagerInterface $accessDecisionManager, bool $alwaysAuthenticate = false)
     {
@@ -53,6 +55,11 @@ final public function isGranted($attribute, $subject = null): bool
             $this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));
         }
 
-        return $this->accessDecisionManager->decide($token, [$attribute], $subject);
+        return ($this->lastAccessDecision = $this->accessDecisionManager->decide($token, [$attribute], $subject))->isGranted();
+    }
+
+    public function getLastAccessDecision(): AccessDecision
+    {
+        return $this->lastAccessDecision;
     }
 }
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authorization;
 
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 
 /**
@@ -48,7 +49,7 @@ public function __construct(AccessDecisionManagerInterface $manager)
     /**
      * {@inheritdoc}
      */
-    public function decide(TokenInterface $token, array $attributes, $object = null): bool
+    public function decide(TokenInterface $token, array $attributes, $object = null)
     {
         $currentDecisionLog = [
             'attributes' => $attributes,
@@ -71,9 +72,9 @@ public function decide(TokenInterface $token, array $attributes, $object = null)
      * Adds voter vote and class to the voter details.
      *
      * @param array $attributes attributes used for the vote
-     * @param int   $vote       vote of the voter
+     * @param Vote  $vote       vote of the voter
      */
-    public function addVoterVote(VoterInterface $voter, array $attributes, int $vote)
+    public function addVoterVote(VoterInterface $voter, array $attributes, Vote $vote)
     {
         $currentLogIndex = \count($this->currentLog) - 1;
         $this->currentLog[$currentLogIndex]['voterDetails'][] = [
 
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+trait AccessTrait
+{
+    /** @var int */
+    private $access;
+
+    public function getAccess(): int
+    {
+        return $this->access;
+    }
+
+    public function isGranted(): bool
+    {
+        return VoterInterface::ACCESS_GRANTED === $this->access;
+    }
+
+    public function isAbstain(): bool
+    {
+        return VoterInterface::ACCESS_ABSTAIN === $this->access;
+    }
+
+    public function isDenied(): bool
+    {
+        return VoterInterface::ACCESS_DENIED === $this->access;
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+interface ExplainedVoterInterface
+{
+    public function grant(string $reason = '', array $parameters = []): Vote;
+    public function abstain(string $reason = '', array $parameters = []): Vote;
+    public function deny(string $reason = '', array $parameters = []): Vote;
+}
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Voter;
+
+trait ExplainedVoterTrait
+{
+    public function grant(string $reason = '', array $parameters = []): Vote
+    {
+        return Vote::createGranted($reason, $parameters);
+    }
+
+    public function abstain(string $reason = '', array $parameters = []): Vote
+    {
+        return Vote::createAbstrain($reason, $parameters);
+    }
+
+    public function deny(string $reason = '', array $parameters = []): Vote
+    {
+        return Vote::createDenied($reason, $parameters);
+    }
+}
@@ -33,9 +33,9 @@ public function __construct(VoterInterface $voter, EventDispatcherInterface $eve
         $this->eventDispatcher = $eventDispatcher;
     }
 
-    public function vote(TokenInterface $token, $subject, array $attributes): int
+    public function vote(TokenInterface $token, $subject, array $attributes)
     {
-        $result = $this->voter->vote($token, $subject, $attributes);
+        $result = is_int($vote = $this->voter->vote($token, $subject, $attributes)) ? Vote::create($vote) : $vote;
 
         $this->eventDispatcher->dispatch(new VoteEvent($this->voter, $subject, $attributes, $result), 'debug.security.authorization.vote');
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ interface AccessDecisionManagerInterface`
`26`	`26`	`* @param array $attributes An array of attributes associated with the method being invoked`
`27`	`27`	`* @param object $object The object to secure`
`28`	`28`	`*`
`29`		`- * @return bool true if the access is granted, false otherwise`
	`29`	`+ * @return bool\|AccessDecision true if the access is granted, false otherwise`
`30`	`30`	`*/`
`31`	`31`	`public function decide(TokenInterface $token, array $attributes, $object = null);`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ class AuthorizationChecker implements AuthorizationCheckerInterface`
`29`	`29`	`private $accessDecisionManager;`
`30`	`30`	`private $authenticationManager;`
`31`	`31`	`private $alwaysAuthenticate;`
	`32`	`+ /** @var AccessDecision */`
	`33`	`+ private $lastAccessDecision;`
`32`	`34`
`33`	`35`	`public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, AccessDecisionManagerInterface $accessDecisionManager, bool $alwaysAuthenticate = false)`
`34`	`36`	`{`
`@@ -53,6 +55,11 @@ final public function isGranted($attribute, $subject = null): bool`
`53`	`55`	`$this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));`
`54`	`56`	`}`
`55`	`57`
`56`		`- return $this->accessDecisionManager->decide($token, [$attribute], $subject);`
	`58`	`+ return ($this->lastAccessDecision = $this->accessDecisionManager->decide($token, [$attribute], $subject))->isGranted();`
	`59`	`+ }`
	`60`	`+`
	`61`	`+ public function getLastAccessDecision(): AccessDecision`
	`62`	`+ {`
	`63`	`+ return $this->lastAccessDecision;`
`57`	`64`	`}`
`58`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,9 @@ public function __construct(VoterInterface $voter, EventDispatcherInterface $eve`
`33`	`33`	`$this->eventDispatcher = $eventDispatcher;`
`34`	`34`	`}`
`35`	`35`
`36`		`- public function vote(TokenInterface $token, $subject, array $attributes): int`
	`36`	`+ public function vote(TokenInterface $token, $subject, array $attributes)`
`37`	`37`	`{`
`38`		`- $result = $this->voter->vote($token, $subject, $attributes);`
	`38`	`+ $result = is_int($vote = $this->voter->vote($token, $subject, $attributes)) ? Vote::create($vote) : $vote;`
`39`	`39`
`40`	`40`	`$this->eventDispatcher->dispatch(new VoteEvent($this->voter, $subject, $attributes, $result), 'debug.security.authorization.vote');`
`41`	`41`