Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[FrameworkBundle] Fix denyAccessUnlessGranted for mixed attributes #49493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 23, 2023
Merged

[FrameworkBundle] Fix denyAccessUnlessGranted for mixed attributes #49493

merged 1 commit into from
Feb 23, 2023

Conversation

delbertooo
Copy link
Contributor

@delbertooo delbertooo commented Feb 22, 2023
edited by nicolas-grekas
Loading

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets -
License MIT
Doc PR -

Checking authorization against anything that isn't array|string will cause PHP errors now. The method AbstractController::denyAccessUnlessGranted() sets the given single attribute into the exception in case of denied access. The AuthorizationCheckerInterface defines that the attribute can be anything, even objects. The parameter type hint array|string of AccessDeniedException::setAttributes() want's an array of attributes (or a string for convenience).

Example

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class MyCustomAttribute
{
}

class ProfileController extends AbstractController
{
    public function index(): Response
    {
        $this->denyAccessUnlessGranted(new MyCustomAttribute()); // 💥 ERROR: Symfony\Component\Security\Core\Exception\AccessDeniedException::setAttributes(): Argument #1 ($attributes) must be of type array|string, [...]

        $user = $this->getUser();

        return new Response('Well hi there '.$user->getFirstName());
    }
}

The fix

As the given attribute is a single attribute: always wrap it into an array when creating the exception, because the exception expects an array of attributes.

@carsonbot carsonbot added this to the 6.2 milestone Feb 22, 2023
@carsonbot
Copy link

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 6.3 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@delbertooo
Copy link
Contributor Author

Can someone re-run the checks or something? I don't think this issue is caused by my code:

There was 1 failure:

1) Symfony\Component\Clock\Tests\MonotonicClockTest::testSleep
Failed asserting that 1677065608.00641 is equal to 1677065608.0064101 or is greater than 1677065608.0064101.

nicolas-grekas
nicolas-grekas reviewed Feb 23, 2023
View reviewed changes
src/Symfony/Bundle/FrameworkBundle/Tests/Controller/AbstractControllerTest.php Outdated Show resolved Hide resolved
src/Symfony/Bundle/FrameworkBundle/Tests/Controller/AbstractControllerTest.php Outdated Show resolved Hide resolved
@nicolas-grekas nicolas-grekas modified the milestones: 6.2, 5.4 Feb 23, 2023
@delbertooo @nicolas-grekas
[FrameworkBundle] Fix denyAccessUnlessGranted for mixed attributes
9ed77f3 
Fix AbstractController::denyAccessUnlessGranted() for attributes that aren't string or array. Always wrap the given single attribute into an array to not break the parameter type of AccessDeniedException#setAttributes() (which supports strings only for convenience).
@nicolas-grekas nicolas-grekas changed the base branch from 6.2 to 5.4 February 23, 2023 09:17
nicolas-grekas
nicolas-grekas approved these changes Feb 23, 2023
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I fixed my review comments)

@nicolas-grekas
Copy link
Member

Thank you @delbertooo.

@nicolas-grekas nicolas-grekas merged commit 111af45 into symfony:5.4 Feb 23, 2023
This was referenced Feb 28, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@lyrixx lyrixx Awaiting requested review from lyrixx

@yceruto yceruto Awaiting requested review from yceruto

@wouterj wouterj Awaiting requested review from wouterj

@chalasr chalasr Awaiting requested review from chalasr

@dunglas dunglas Awaiting requested review from dunglas

@OskarStark OskarStark Awaiting requested review from OskarStark

@xabbuh xabbuh Awaiting requested review from xabbuh

Assignees
No one assigned
Labels
Bug FrameworkBundle Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.
3 participants
@delbertooo @carsonbot @nicolas-grekas
Morty Proxy This is a proxified and sanitized view of the page, visit original site.