From 96afff6a058deb9ea9d36fab3b1741ea9502943b Mon Sep 17 00:00:00 2001
From: WouterJ <waldio.webdesign@gmail.com>
Date: Wed, 4 Nov 2015 14:58:00 +0100
Subject: [PATCH] [SecurityBundle] Fix disabling of RoleHierarchyVoter when
 passing empty hierarchy

---
 .../DependencyInjection/SecurityExtension.php |  2 +-
 .../SecurityExtensionTest.php                 | 27 +++++++++++++++++++
 .../Voter/RoleHierarchyVoterTest.php          | 15 +++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
index 68bbbc4fd3..5f45b1f794 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -168,7 +168,7 @@ class SecurityExtension extends Extension
      */
     private function createRoleHierarchy($config, ContainerBuilder $container)
     {
-        if (!isset($config['role_hierarchy'])) {
+        if (!isset($config['role_hierarchy']) || 0 === count($config['role_hierarchy'])) {
             $container->removeDefinition('security.access.role_hierarchy_voter');
 
             return;
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
index 4dd33020c5..859f5b4e2d 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -94,6 +94,33 @@ class SecurityExtensionTest extends \PHPUnit_Framework_TestCase
         $container->compile();
     }
 
+    public function testDisableRoleHierarchyVoter()
+    {
+        $container = $this->getRawContainer();
+
+        $container->loadFromExtension('security', array(
+            'providers' => array(
+                'default' => array('id' => 'foo'),
+            ),
+
+            'role_hierarchy' => null,
+
+            'firewalls' => array(
+                'some_firewall' => array(
+                    'pattern' => '/.*',
+                    'http_basic' => null,
+                ),
+            ),
+        ));
+
+        $container->compile();
+
+        $admDefinition = $container->getDefinition('security.access.decision_manager');
+        $registeredVoters = array_map('strval', $admDefinition->getArgument(0));
+
+        $this->assertNotContains('security.access.role_hierarchy_voter', $registeredVoters);
+    }
+
     protected function getRawContainer()
     {
         $container = new ContainerBuilder();
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php
index c50ecf38c5..4b03bacd78 100644
--- a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php
@@ -33,4 +33,19 @@ class RoleHierarchyVoterTest extends RoleVoterTest
             array(array('ROLE_FOO'), array('ROLE_FOOBAR'), VoterInterface::ACCESS_GRANTED),
         ));
     }
+
+    /**
+     * @dataProvider getVoteWithEmptyHierarchyTests
+     */
+    public function testVoteWithEmptyHierarchy($roles, $attributes, $expected)
+    {
+        $voter = new RoleHierarchyVoter(new RoleHierarchy(array()));
+
+        $this->assertSame($expected, $voter->vote($this->getToken($roles), null, $attributes));
+    }
+
+    public function getVoteWithEmptyHierarchyTests()
+    {
+        return parent::getVoteTests();
+    }
 }