
Conversation


@soyuka soyuka commented Oct 31, 2025

| Q | A |
|---|---|
| Branch? | main |
| Tickets | Closes #7093 |
| License | MIT |
| Doc PR | TBD |
```php
<?php

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\Operation;

// Test fixture: the operation's security expression does not reference `object`,
// so the access check must run (and deny) before the state provider is called.
#[ApiResource(
    operations: [
        new Get(uriTemplate: 'is_granted_test_call_provider/{id}', uriVariables: ['id'], security: 'is_granted("ROLE_ADMIN")', provider: [self::class, 'provideShouldNotBeCalled']),
    ]
)]
class IsGrantedTest
{
    private ?int $id = null;

    public function getId(): ?int
    {
        return $this->id;
    }

    // Reaching this provider means the security check was evaluated too late.
    public static function provideShouldNotBeCalled(Operation $operation, array $uriVariables = [], array $context = []): never
    {
        throw new \RuntimeException('provider should not get called');
    }
}
```

@soyuka force-pushed the isgranted branch 4 times, most recently from db77ad4 to 75e24e9 on October 31, 2025 15:21
@soyuka force-pushed the isgranted branch 5 times, most recently from 7da1eef to f13daf2 on November 3, 2025 10:21
```php
public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
{
    switch ($this->event) {
        case 'post_denormalize':
```

Member:

Nit: maybe move these constants to @internal class constants, so we can reference them in the XML files?

```php
        ];
}

if ('pre_read' === $this->event && $this->resourceAccessChecker instanceof ObjectVariableCheckerInterface && $this->resourceAccessChecker->usesObjectVariable($isGranted, $resourceAccessCheckerContext)) {
```

Member:

Suggested change:

```diff
-if ('pre_read' === $this->event && $this->resourceAccessChecker instanceof ObjectVariableCheckerInterface && $this->resourceAccessChecker->usesObjectVariable($isGranted, $resourceAccessCheckerContext)) {
+if ($preRead && $this->resourceAccessChecker instanceof ObjectVariableCheckerInterface && $this->resourceAccessChecker->usesObjectVariable($isGranted, $resourceAccessCheckerContext)) {
```

Member:

Also, there is likely a missing test, because the missing `use` statement hasn't been caught.

Member Author (@soyuka):

It did fail on Behat :)


```php
#[ApiResource(
    operations: [
        new Get(uriTemplate: 'is_granted_tests/{id}', security: 'is_granted("ROLE_ADMIN")', uriVariables: ['id'], provider: [self::class, 'provide']),
```

Member:

Is the test really working? Because I expected `object` in the expression where the provider is called before the security check.

Member Author (@soyuka):

Yes, this test is working: when no `object` is present in the security check, it'll be called before the provider. If `object` is present, it'll be called after.

Member:

Okay, that's on me then. I expected the test to work a little bit differently, and I was looking for tests both with and without `object` in security to see that it behaves correctly in all cases.
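The ordering rule described in the thread above (run the access check before the provider when the expression does not reference `object`, after it when it does), as an added stand-alone illustration that is not api-platform's code. The `usesObjectVariable()` name is borrowed from the interface in the diff, but the regex-based expression evaluator, the `Book` class, the `CountingProvider` and the `provideWithSecurity()` function are all hypothetical stand-ins for the real ExpressionLanguage and state-provider machinery:

```php
<?php
// Added illustration (not api-platform code): decide when the security check runs
// relative to the state provider, based on whether the expression needs `object`.

declare(strict_types=1);

final class AccessDeniedException extends \RuntimeException {}

/**
 * Hypothetical stand-in for an ExpressionLanguage-backed checker. It understands
 * is_granted("ROLE") plus an optional `and object.owner == user` clause.
 */
final class ToyAccessChecker
{
    /** @param list<string> $roles roles of the current user (constructed sample data) */
    public function __construct(private array $roles, private ?string $user) {}

    // Same idea as usesObjectVariable() in the PR: does the expression reference
    // the `object` variable at all? Word-boundary match, not a real parser.
    public function usesObjectVariable(string $expression): bool
    {
        return (bool) preg_match('/\bobject\b/', $expression);
    }

    public function isGranted(string $expression, ?object $object = null): bool
    {
        if (!preg_match('/is_granted\("([A-Z_]+)"\)/', $expression, $m)) {
            throw new \InvalidArgumentException('unsupported expression: '.$expression);
        }
        $granted = in_array($m[1], $this->roles, true);
        if (str_contains($expression, 'object.owner == user')) {
            // Ownership clause can only be evaluated once the object has been loaded.
            $granted = $granted && null !== $object && $object->owner === $this->user;
        }

        return $granted;
    }
}

final class Book { public function __construct(public string $owner) {} }

/** Counts invocations so the caller can see whether storage was touched at all. */
final class CountingProvider
{
    public int $calls = 0;

    public function provide(array $uriVariables): Book
    {
        ++$this->calls;

        return new Book(owner: 'alice'); // constructed sample record
    }
}

/** Mirrors the pre_read / post_denormalize split: deny as early as the expression allows. */
function provideWithSecurity(ToyAccessChecker $checker, CountingProvider $provider, string $security, array $uriVariables): Book
{
    if (!$checker->usesObjectVariable($security)) {
        // No `object` needed: reject before the provider runs (issue #7093 had the opposite order).
        if (!$checker->isGranted($security)) {
            throw new AccessDeniedException('denied before provider');
        }

        return $provider->provide($uriVariables);
    }

    // The expression needs the loaded object: provider first, then check on its result.
    $object = $provider->provide($uriVariables);
    if (!$checker->isGranted($security, $object)) {
        throw new AccessDeniedException('denied after provider');
    }

    return $object;
}

$provider = new CountingProvider();

// Anonymous caller, expression without `object`: the provider must never run.
$anon = new ToyAccessChecker(roles: [], user: null);
try {
    provideWithSecurity($anon, $provider, 'is_granted("ROLE_ADMIN")', ['id' => 1]);
} catch (AccessDeniedException $e) {
    echo $e->getMessage(), ' (provider calls: ', $provider->calls, ")\n";
}

// Admin who is not the owner, expression with `object`: provider runs, then the check denies.
$admin = new ToyAccessChecker(roles: ['ROLE_ADMIN'], user: 'bob');
try {
    provideWithSecurity($admin, $provider, 'is_granted("ROLE_ADMIN") and object.owner == user', ['id' => 1]);
} catch (AccessDeniedException $e) {
    echo $e->getMessage(), ' (provider calls: ', $provider->calls, ")\n";
}
```

Run it with `php example.php`: the first request is denied with the provider call counter still at zero, which is exactly the property the `provideShouldNotBeCalled` fixture in the PR description asserts; the second request has to load the `Book` first because the ownership clause cannot be evaluated without it, so the counter reaches one before the check denies. The point for a defender is that expressions which do not depend on the loaded resource should never cause a storage read, since that read can leak timing, trigger side effects, or simply be wasted work for an unauthenticated caller.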

Development

Successfully merging this pull request may close this issue: Providers are executed before any security check (#7093)