Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -530,12 +530,10 @@ jobs:

workflows:
version: 2
lint:
lint-and-coverage:
jobs:
- php-cs-fixer
- phpstan
test-with-coverage:
jobs:
- phpunit-coverage
- behat-coverage
- phpunit-mongodb-coverage
Expand Down
5 changes: 3 additions & 2 deletions composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@
"symfony/framework-bundle": "^4.2",
"symfony/mercure-bundle": "*",
"symfony/messenger": "^4.2",
"symfony/phpunit-bridge": "^3.4.5 || ^4.0.5",
"symfony/phpunit-bridge": "^4.3",
"symfony/routing": "^3.4 || ^4.0",
"symfony/security-bundle": "^3.4 || ^4.0",
"symfony/security-core": "^3.4 || ^4.0",
Expand All @@ -82,7 +82,8 @@
},
"conflict": {
"doctrine/common": "<2.7",
"doctrine/mongodb-odm": "<2.0"
"doctrine/mongodb-odm": "<2.0",
"symfony/messenger": ">=4.3"
},
"suggest": {
"doctrine/mongodb-odm-bundle": "To support MongoDB. Only versions 4.0 and later are supported.",
Expand Down
6 changes: 6 additions & 0 deletions phpstan.neon.dist
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,12 @@ parameters:
-
message: "#Call to function method_exists\\(\\) with 'Symfony\\\\\\\\Component.+' and '(removeBindings|addRemovedBindingIds)' will always evaluate to false\\.#"
path: %currentWorkingDirectory%/tests/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtensionTest.php
-
message: "#Call to function method_exists\\(\\) with 'Symfony\\\\\\\\Component.+' and 'getReachableRoleNam.+' will always evaluate to false\\.#"
path: %currentWorkingDirectory%/tests/Security/EventListener/DenyAccessListenerTest.php
-
message: "#Call to function method_exists\\(\\) with 'Symfony\\\\\\\\Component.+' and 'getRoleNames' will always evaluate to false\\.#"
path: %currentWorkingDirectory%/tests/Security/EventListener/DenyAccessListenerTest.php
- "#Call to method PHPUnit\\\\Framework\\\\Assert::assertSame\\(\\) with array\\('(collection_context|item_context|subresource_context)'\\) and array<Symfony\\\\Component\\\\VarDumper\\\\Cloner\\\\Data>\\|bool\\|float\\|int\\|string\\|null will always evaluate to false\\.#"
# https://github.com/doctrine/doctrine2/pull/7298/files
- '#Strict comparison using === between null and int will always evaluate to false\.#'
Expand Down
2 changes: 1 addition & 1 deletion phpunit.xml.dist
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
<php>
<ini name="error_reporting" value="-1" />
<ini name="memory_limit" value="-1" />
<env name="SYMFONY_DEPRECATIONS_HELPER" value="weak_vendors" />
<env name="SYMFONY_DEPRECATIONS_HELPER" value="max[self]=0" />
<server name="KERNEL_DIR" value="tests/Fixtures/app/" />
<server name="KERNEL_CLASS" value="AppKernel" />
<server name="APP_ENV" value="test" />
Expand Down
2 changes: 1 addition & 1 deletion phpunit_mongodb.xml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
<php>
<ini name="error_reporting" value="-1" />
<ini name="memory_limit" value="-1" />
<env name="SYMFONY_DEPRECATIONS_HELPER" value="weak_vendors" />
<env name="SYMFONY_DEPRECATIONS_HELPER" value="max[self]=0" />
<server name="KERNEL_DIR" value="tests/Fixtures/app/" />
<server name="KERNEL_CLASS" value="AppKernel" />
<server name="APP_ENV" value="mongodb" />
Expand Down
24 changes: 19 additions & 5 deletions src/Security/ResourceAccessChecker.php
Original file line number Diff line number Diff line change
Expand Up @@ -67,17 +67,31 @@ public function isGranted(string $resourceClass, string $expression, array $extr
*/
private function getVariables(TokenInterface $token): array
{
$roles = $this->roleHierarchy ? $this->roleHierarchy->getReachableRoles($token->getRoles()) : $token->getRoles();

return [
'token' => $token,
'user' => $token->getUser(),
'roles' => array_map(function (Role $role) {
return $role->getRole();
}, $roles),
'roles' => $this->getEffectiveRoles($token),
'trust_resolver' => $this->authenticationTrustResolver,
// needed for the is_granted expression function
'auth_checker' => $this->authorizationChecker,
];
}

/**
* @return string[]
*/
private function getEffectiveRoles(TokenInterface $token): array
{
if (null === $this->roleHierarchy) {
return method_exists($token, 'getRoleNames') ? $token->getRoleNames() : array_map('strval', $token->getRoles());
}

if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) {
return $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
}

return array_map(function (Role $role): string {
return $role->getRole();
}, $this->roleHierarchy->getReachableRoles($token->getRoles()));
}
}
10 changes: 6 additions & 4 deletions tests/Security/EventListener/DenyAccessListenerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,12 @@
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;

/**
Expand Down Expand Up @@ -269,14 +271,14 @@ private function getLegacyListener(ResourceMetadataFactoryInterface $resourceMet
$authenticationTrustResolverProphecy = $this->prophesize(AuthenticationTrustResolverInterface::class);

$roleHierarchyInterfaceProphecy = $this->prophesize(RoleHierarchyInterface::class);
$roleHierarchyInterfaceProphecy->getReachableRoles(Argument::type('array'))->willReturn([]);
$roleHierarchyInterfaceProphecy->{method_exists(RoleHierarchy::class, 'getReachableRoleNames') ? 'getReachableRoleNames' : 'getReachableRoles'}(Argument::type('array'))->willReturn([]);

$tokenProphecy = $this->prophesize(TokenInterface::class);
$tokenProphecy = $this->prophesize(AbstractToken::class);
$tokenProphecy->getUser()->willReturn('anon.');
$tokenProphecy->getRoles()->willReturn([]);
$tokenProphecy->{method_exists(AbstractToken::class, 'getRoleNames') ? 'getRoleNames' : 'getRoles'}()->willReturn([]);

$tokenStorageProphecy = $this->prophesize(TokenStorageInterface::class);
$tokenStorageProphecy->getToken()->willReturn($tokenProphecy->reveal())->shouldBeCalled();
$tokenStorageProphecy->getToken()->willReturn($tokenProphecy)->shouldBeCalled();

$authorizationCheckerInterface = $this->prophesize(AuthorizationCheckerInterface::class);

Expand Down