Added access decision strategy to respect voter priority
parent
dab6732f39
commit
0b8028a0ec
@ -1,6 +1,11 @@
|
|||||||
CHANGELOG
|
CHANGELOG
|
||||||
=========
|
=========
|
||||||
|
|
||||||
|
5.1.0
|
||||||
|
-----
|
||||||
|
|
||||||
|
* Added security configuration for priority-based access decision strategy
|
||||||
|
|
||||||
5.0.0
|
5.0.0
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
@ -76,7 +76,7 @@ class MainConfiguration implements ConfigurationInterface
|
|||||||
->addDefaultsIfNotSet()
|
->addDefaultsIfNotSet()
|
||||||
->children()
|
->children()
|
||||||
->enumNode('strategy')
|
->enumNode('strategy')
|
||||||
->values([AccessDecisionManager::STRATEGY_AFFIRMATIVE, AccessDecisionManager::STRATEGY_CONSENSUS, AccessDecisionManager::STRATEGY_UNANIMOUS])
|
->values($this->getAccessDecisionStrategies())
|
||||||
->end()
|
->end()
|
||||||
->scalarNode('service')->end()
|
->scalarNode('service')->end()
|
||||||
->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
|
->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
|
||||||
@ -386,4 +386,19 @@ class MainConfiguration implements ConfigurationInterface
|
|||||||
->end()
|
->end()
|
||||||
;
|
;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function getAccessDecisionStrategies()
|
||||||
|
{
|
||||||
|
$strategies = [
|
||||||
|
AccessDecisionManager::STRATEGY_AFFIRMATIVE,
|
||||||
|
AccessDecisionManager::STRATEGY_CONSENSUS,
|
||||||
|
AccessDecisionManager::STRATEGY_UNANIMOUS,
|
||||||
|
];
|
||||||
|
|
||||||
|
if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
|
||||||
|
$strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $strategies;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
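Review bot: `getAccessDecisionStrategies()` in the second hunk has no docblock or return type, and the `\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')` guard is left unexplained. I would declare it as `private function getAccessDecisionStrategies(): array` and put a comment above the check, for example `// STRATEGY_PRIORITY may be missing from an older security-core; leave it out so the enum node rejects 'priority' there`. That reading of the guard is inferred from the check alone, so please confirm it before wording the comment. It matters because this list feeds `->values()` on the `strategy` enum node in the first hunk, and a reader should be able to see that an unsupported strategy is meant to fail configuration validation rather than be passed on.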
@ -1,6 +1,11 @@
|
|||||||
CHANGELOG
|
CHANGELOG
|
||||||
=========
|
=========
|
||||||
|
|
||||||
|
5.1.0
|
||||||
|
-----
|
||||||
|
|
||||||
|
* Added access decision strategy to override access decisions by voter service priority
|
||||||
|
|
||||||
5.0.0
|
5.0.0
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
@ -26,6 +26,7 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
|
|||||||
const STRATEGY_AFFIRMATIVE = 'affirmative';
|
const STRATEGY_AFFIRMATIVE = 'affirmative';
|
||||||
const STRATEGY_CONSENSUS = 'consensus';
|
const STRATEGY_CONSENSUS = 'consensus';
|
||||||
const STRATEGY_UNANIMOUS = 'unanimous';
|
const STRATEGY_UNANIMOUS = 'unanimous';
|
||||||
|
const STRATEGY_PRIORITY = 'priority';
|
||||||
|
|
||||||
private $voters;
|
private $voters;
|
||||||
private $strategy;
|
private $strategy;
|
||||||
@ -181,4 +182,28 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
|
|||||||
|
|
||||||
return $this->allowIfAllAbstainDecisions;
|
return $this->allowIfAllAbstainDecisions;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Grant or deny access depending on the first voter that does not abstain.
|
||||||
|
* The priority of voters can be used to overrule a decision.
|
||||||
|
*
|
||||||
|
* If all voters abstained from voting, the decision will be based on the
|
||||||
|
* allowIfAllAbstainDecisions property value (defaults to false).
|
||||||
|
*/
|
||||||
|
private function decidePriority(TokenInterface $token, array $attributes, $object = null)
|
||||||
|
{
|
||||||
|
foreach ($this->voters as $voter) {
|
||||||
|
$result = $voter->vote($token, $object, $attributes);
|
||||||
|
|
||||||
|
if (VoterInterface::ACCESS_GRANTED === $result) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (VoterInterface::ACCESS_DENIED === $result) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->allowIfAllAbstainDecisions;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
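Review bot: The docblock on `decidePriority()` says priority "can be used to overrule a decision" but does not say that the method never sorts anything. It takes the first non-abstaining vote in the iteration order of `$this->voters`, so a single `ACCESS_GRANTED` from an early voter returns `true` before any later `ACCESS_DENIED` is consulted, and voter ordering becomes an access-control setting in its own right. I would add to the docblock: `* Voters are consulted in the iteration order of $this->voters; this method does not sort them, and the first ACCESS_GRANTED or ACCESS_DENIED ends the vote.` How that order is derived from service priority is outside these hunks and should be referenced from the comment.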
@ -66,6 +66,31 @@ class AccessDecisionManagerTest extends TestCase
|
|||||||
|
|
||||||
[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), false, true, false],
|
[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), false, true, false],
|
||||||
[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), true, true, true],
|
[AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), true, true, true],
|
||||||
|
|
||||||
|
// priority
|
||||||
|
[AccessDecisionManager::STRATEGY_PRIORITY, [
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_GRANTED),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_DENIED),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_DENIED),
|
||||||
|
], true, true, true],
|
||||||
|
|
||||||
|
[AccessDecisionManager::STRATEGY_PRIORITY, [
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_DENIED),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_GRANTED),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_GRANTED),
|
||||||
|
], true, true, false],
|
||||||
|
|
||||||
|
[AccessDecisionManager::STRATEGY_PRIORITY, [
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
], false, true, false],
|
||||||
|
|
||||||
|
[AccessDecisionManager::STRATEGY_PRIORITY, [
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
$this->getVoter(VoterInterface::ACCESS_ABSTAIN),
|
||||||
|
], true, true, true],
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
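Review bot: None of the new priority rows covers a voter whose `vote()` result is something other than the three `VoterInterface` constants. `decidePriority()` compares only against `ACCESS_GRANTED` and `ACCESS_DENIED`, so any other value falls through exactly like an abstention, and when the third column (apparently `allowIfAllAbstainDecisions`) is `true` the final answer is a grant. A row such as `[AccessDecisionManager::STRATEGY_PRIORITY, [$this->getVoter('unexpected')], true, true, true],` would pin that behaviour so a later change to it is deliberate; whether `getVoter()` accepts an arbitrary value is not visible here, and the data provider itself starts outside the hunk. A short comment on each row naming the two boolean columns would also make the expected results easier to audit.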