[Security] Make AccessDecisionStrategy extensible. And add highestnotabstainedvoter strategy #15295
Conversation
e28edf1 to
52042eb
Compare
| $strategy = $this->getStrategy($this->strategy); | ||
| $strategy->setVoters($this->voters); | ||
| $strategy->setAllowIfAllAbstainDecisions($this->allowIfAllAbstainDecisions); | ||
| $strategy->setAllowIfEqualGrantedDeniedDecisions($this->allowIfEqualGrantedDeniedDecisions); |
There was a problem hiding this comment.
I'm not sure this is the desired way, why set it every decision? Why not just do it when building the container?
|
Actually, each strategy is just a different implementation of the So I suggest refactoring this as 3 separate implementations, and having the existing class being a proxy class instantiating the right implementation in its constructor and then delegating decision calls. |
|
Yes, I like the idea of getting rid of the StrategyInterface. I'm working on it. |
| foreach ($this->voters as $voter) { | ||
| if ($voter->supportsAttribute($attribute)) { | ||
| return true; | ||
| if(!array_key_exists($strategyName,$this->strategies)) |
|
I like the idea of making this extendable, so a big thanks for starting this! I've left some comments, most of them are really debatable things so if you don't agree with them, don't hesitate to comment instead of apply the change :) Status: Needs Work |
16bee34 to
74142ac
Compare
|
Hi, one of the tests is failing in travis and I've got no idea why. Can anyone help me? |
|
Afaik, it's failing because this tests installs 3.0-dev. In 3.0-dev, the new constrant in the Security component does not exists, so there is an error. After this PR is merged, it will be merged into master/3.0-dev as well. This means that after merging, the tests should pass. |
| /** | ||
| * {@inheritdoc} | ||
| */ | ||
| public function setVoters(array $voters) |
There was a problem hiding this comment.
there should be not setter here. this should be a constructor argument
There was a problem hiding this comment.
ah no sorry, we have a setter currently
HighestNotAbstainedVoterStrategy has been added. Also this commit makes access decision strategy extensible.
…ccess decision strategies
74142ac to
c62e0bc
Compare
c62e0bc to
5d5f4ef
Compare
| use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface; | ||
|
|
||
| /** | ||
| * Grants access depending on the first not abstained voter decission. |
There was a problem hiding this comment.
by the way, the class is called Highest ... and here we mention first ... Should we change HighestNotAbstainedVoterAccessDecisionManager by FirstNotAbstainedVoterAccessDecisionManager ?
There was a problem hiding this comment.
Yes, I like the idea of calling it FirstNotAbstainedVoterAccessDecisionManager maybe it makes it clearer on what it does.
|
@solilokiam Can you rebase this one on current master and submit a new PR? As master is going to be 3.1, deprecated feature have been removed and this should make this PR easier. |
|
@solilokiam Are you still interested in finishing this one? |
|
Closing as there is no more activity here. Feel free to reopen with a new version of the patch that applies on current master. |
…ss decision manager service (xabbuh) This PR was merged into the 3.4 branch. Discussion ---------- [Security] make it possible to configure a custom access decision manager service | Q | A | | --- | --- | | Branch? | 3.4 | | Bug fix? | no | | New feature? | yes | | BC breaks? | no | | Deprecations? | no | | Tests pass? | yes | | Fixed tickets | #942, #14049, #15295, #16828, #16843, | | License | MIT | | Doc PR | TODO | These changes will make it possible to let users define their own voting strategies without the need for custom compiler passes that replace the built-in `AccessDecisionManager` (see linked issues in the PR table for some use cases). Commits ------- e0913a2 add option to define the access decision manager
This PR adds a new access decision strategy, called highest not abstained voter. The main idea of the voter is documented on issue #14049 .
At the same time the PR tries to make access decision strategy extensible. The way it's done is via any service that implements the newly created
AccessDecisionManagerInterfaceand has the tagsecurity.access_strategy