[Security] Add ability for voters to explain their vote

nicolas-grekas · nicolas-grekas · commit bb860bf82983 · 2025-02-14T17:13:39.000+01:00
diff --git a/Controller/AbstractController.php b/Controller/AbstractController.php
@@ -35,6 +35,7 @@
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -202,6 +203,21 @@ protected function isGranted(mixed $attribute, mixed $subject = null): bool
         return $this->container->get('security.authorization_checker')->isGranted($attribute, $subject);
     }
 
+    /**
+     * Checks if the attribute is granted against the current authentication token and optionally supplied subject.
+     */
+    protected function getAccessDecision(mixed $attribute, mixed $subject = null): AccessDecision
+    {
+        if (!$this->container->has('security.authorization_checker')) {
+            throw new \LogicException('The SecurityBundle is not registered in your application. Try running "composer require symfony/security-bundle".');
+        }
+
+        $accessDecision = new AccessDecision();
+        $accessDecision->isGranted = $this->container->get('security.authorization_checker')->isGranted($attribute, $subject, $accessDecision);
+
+        return $accessDecision;
+    }
+
     /**
      * Throws an exception unless the attribute is granted against the current authentication token and optionally
      * supplied subject.
@@ -210,12 +226,24 @@ protected function isGranted(mixed $attribute, mixed $subject = null): bool
      */
     protected function denyAccessUnlessGranted(mixed $attribute, mixed $subject = null, string $message = 'Access Denied.'): void
     {
-        if (!$this->isGranted($attribute, $subject)) {
-            $exception = $this->createAccessDeniedException($message);
-            $exception->setAttributes([$attribute]);
-            $exception->setSubject($subject);
+        if (class_exists(AccessDecision::class)) {
+            $accessDecision = $this->getAccessDecision($attribute, $subject);
+            $isGranted = $accessDecision->isGranted;
+        } else {
+            $accessDecision = null;
+            $isGranted = $this->isGranted($attribute, $subject);
+        }
+
+        if (!$isGranted) {
+            $e = $this->createAccessDeniedException(3 > \func_num_args() && $accessDecision ? $accessDecision->getMessage() : $message);
+            $e->setAttributes([$attribute]);
+            $e->setSubject($subject);
+
+            if ($accessDecision) {
+                $e->setAccessDecision($accessDecision);
+            }
 
-            throw $exception;
+            throw $e;
         }
     }
 
diff --git a/Tests/Controller/AbstractControllerTest.php b/Tests/Controller/AbstractControllerTest.php
@@ -40,7 +40,10 @@
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
@@ -352,7 +355,19 @@ public function testIsGranted()
     public function testdenyAccessUnlessGranted()
     {
         $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
-        $authorizationChecker->expects($this->once())->method('isGranted')->willReturn(false);
+        $authorizationChecker
+            ->expects($this->once())
+            ->method('isGranted')
+            ->willReturnCallback(function ($attribute, $subject, ?AccessDecision $accessDecision = null) {
+                if (class_exists(AccessDecision::class)) {
+                    $this->assertInstanceOf(AccessDecision::class, $accessDecision);
+                    $accessDecision->votes[] = $vote = new Vote();
+                    $vote->result = VoterInterface::ACCESS_DENIED;
+                    $vote->reasons[] = 'Why should I.';
+                }
+
+                return false;
+            });
 
         $container = new Container();
         $container->set('security.authorization_checker', $authorizationChecker);
@@ -361,8 +376,17 @@ public function testdenyAccessUnlessGranted()
         $controller->setContainer($container);
 
         $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('Access Denied.'.(class_exists(AccessDecision::class) ? ' Why should I.' : ''));
 
-        $controller->denyAccessUnlessGranted('foo');
+        try {
+            $controller->denyAccessUnlessGranted('foo');
+        } catch (AccessDeniedException $e) {
+            if (class_exists(AccessDecision::class)) {
+                $this->assertFalse($e->getAccessDecision()->isGranted);
+            }
+
+            throw $e;
+        }
     }
 
     /**
