vendor/symfony/security-core/Authorization/AccessDecisionManager.php line 114

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Core\Authorization;
  14. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  15. use Symfony\Component\Security\Core\Authorization\Strategy\AccessDecisionStrategyInterface;
  16. use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
  17. use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
  18. use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
  19. use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
  20. use Symfony\Component\Security\Core\Authorization\Voter\CacheableVoterInterface;
  21. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  22. use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
  24. /**
  25. * AccessDecisionManager is the base class for all access decision managers
  26. * that use decision voters.
  27. *
  28. * @author Fabien Potencier <fabien@symfony.com>
  29. *
  30. * @final since Symfony 5.4
  31. */
  32. class AccessDecisionManager implements AccessDecisionManagerInterface
  33. {
  34. /**
  35. * @deprecated use {@see AffirmativeStrategy} instead
  36. */
  37. public const STRATEGY_AFFIRMATIVE = 'affirmative';
  39. /**
  40. * @deprecated use {@see ConsensusStrategy} instead
  41. */
  42. public const STRATEGY_CONSENSUS = 'consensus';
  44. /**
  45. * @deprecated use {@see UnanimousStrategy} instead
  46. */
  47. public const STRATEGY_UNANIMOUS = 'unanimous';
  49. /**
  50. * @deprecated use {@see PriorityStrategy} instead
  51. */
  52. public const STRATEGY_PRIORITY = 'priority';
  54. private const VALID_VOTES = [
  55. VoterInterface::ACCESS_GRANTED => true,
  56. VoterInterface::ACCESS_DENIED => true,
  57. VoterInterface::ACCESS_ABSTAIN => true,
  58. ];
  60. private $voters;
  61. private $votersCacheAttributes;
  62. private $votersCacheObject;
  63. private $strategy;
  65. /**
  66. * @param iterable<mixed, VoterInterface> $voters An array or an iterator of VoterInterface instances
  67. * @param AccessDecisionStrategyInterface|null $strategy The vote strategy
  68. *
  69. * @throws \InvalidArgumentException
  70. */
  71. public function __construct(iterable $voters = [], /* ?AccessDecisionStrategyInterface */ $strategy = null)
  72. {
  73. $this->voters = $voters;
  74. if (\is_string($strategy)) {
  75. trigger_deprecation('symfony/security-core', '5.4', 'Passing the access decision strategy as a string is deprecated, pass an instance of "%s" instead.', AccessDecisionStrategyInterface::class);
  76. $allowIfAllAbstainDecisions = 3 <= \func_num_args() && func_get_arg(2);
  77. $allowIfEqualGrantedDeniedDecisions = 4 > \func_num_args() || func_get_arg(3);
  79. $strategy = $this->createStrategy($strategy, $allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions);
  80. } elseif (null !== $strategy && !$strategy instanceof AccessDecisionStrategyInterface) {
  81. throw new \TypeError(sprintf('"%s": Parameter #2 ($strategy) is expected to be an instance of "%s" or null, "%s" given.', __METHOD__, AccessDecisionStrategyInterface::class, get_debug_type($strategy)));
  82. }
  84. $this->strategy = $strategy ?? new AffirmativeStrategy();
  85. }
  87. /**
  88. * @param bool $allowMultipleAttributes Whether to allow passing multiple values to the $attributes array
  89. *
  90. * {@inheritdoc}
  91. */
  92. public function decide(TokenInterface $token, array $attributes, $object = null/* , bool $allowMultipleAttributes = false */)
  93. {
  94. $allowMultipleAttributes = 3 < \func_num_args() && func_get_arg(3);
  96. // Special case for AccessListener, do not remove the right side of the condition before 6.0
  97. if (\count($attributes) > 1 && !$allowMultipleAttributes) {
  98. throw new InvalidArgumentException(sprintf('Passing more than one Security attribute to "%s()" is not supported.', __METHOD__));
  99. }
  101. return $this->strategy->decide(
  102. $this->collectResults($token, $attributes, $object)
  103. );
  104. }
  106. /**
  107. * @param mixed $object
  108. *
  109. * @return \Traversable<int, int>
  110. */
  111. private function collectResults(TokenInterface $token, array $attributes, $object): \Traversable
  112. {
  113. foreach ($this->getVoters($attributes, $object) as $voter) {
  114. $result = $voter->vote($token, $object, $attributes);
  115. if (!\is_int($result) || !(self::VALID_VOTES[$result] ?? false)) {
  116. trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
  117. }
  119. yield $result;
  120. }
  121. }
  123. /**
  124. * @throws \InvalidArgumentException if the $strategy is invalid
  125. */
  126. private function createStrategy(string $strategy, bool $allowIfAllAbstainDecisions, bool $allowIfEqualGrantedDeniedDecisions): AccessDecisionStrategyInterface
  127. {
  128. switch ($strategy) {
  129. case self::STRATEGY_AFFIRMATIVE:
  130. return new AffirmativeStrategy($allowIfAllAbstainDecisions);
  131. case self::STRATEGY_CONSENSUS:
  132. return new ConsensusStrategy($allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions);
  133. case self::STRATEGY_UNANIMOUS:
  134. return new UnanimousStrategy($allowIfAllAbstainDecisions);
  135. case self::STRATEGY_PRIORITY:
  136. return new PriorityStrategy($allowIfAllAbstainDecisions);
  137. }
  139. throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
  140. }
  142. /**
  143. * @return iterable<mixed, VoterInterface>
  144. */
  145. private function getVoters(array $attributes, $object = null): iterable
  146. {
  147. $keyAttributes = [];
  148. foreach ($attributes as $attribute) {
  149. $keyAttributes[] = \is_string($attribute) ? $attribute : null;
  150. }
  151. // use `get_class` to handle anonymous classes
  152. $keyObject = \is_object($object) ? \get_class($object) : get_debug_type($object);
  153. foreach ($this->voters as $key => $voter) {
  154. if (!$voter instanceof CacheableVoterInterface) {
  155. yield $voter;
  156. continue;
  157. }
  159. $supports = true;
  160. // The voter supports the attributes if it supports at least one attribute of the list
  161. foreach ($keyAttributes as $keyAttribute) {
  162. if (null === $keyAttribute) {
  163. $supports = true;
  164. } elseif (!isset($this->votersCacheAttributes[$keyAttribute][$key])) {
  165. $this->votersCacheAttributes[$keyAttribute][$key] = $supports = $voter->supportsAttribute($keyAttribute);
  166. } else {
  167. $supports = $this->votersCacheAttributes[$keyAttribute][$key];
  168. }
  169. if ($supports) {
  170. break;
  171. }
  172. }
  173. if (!$supports) {
  174. continue;
  175. }
  177. if (!isset($this->votersCacheObject[$keyObject][$key])) {
  178. $this->votersCacheObject[$keyObject][$key] = $supports = $voter->supportsType($keyObject);
  179. } else {
  180. $supports = $this->votersCacheObject[$keyObject][$key];
  181. }
  182. if (!$supports) {
  183. continue;
  184. }
  185. yield $voter;
  186. }
  187. }
  188. }