minor #48080 [Security] Make request always available to #[IsGranted] (HypeMC)
This PR was merged into the 6.2 branch.
Discussion
----------
[Security] Make request always available to `#[IsGranted]`
| Q | A
| ------------- | ---
| Branch? | 6.2
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix symfony/symfony#48071 (comment)
| License | MIT
| Doc PR | -
Currently, the request is only available to the `#[IsGranted]` attribute when it's a controller argument, e.g.:
```php
#[IsGranted(attribute: 'SOME_ATTRIBUTE', subject: 'request')]
public function index(Request $request)
{
}

#[IsGranted(
    attribute: 'SOME_ATTRIBUTE',
    subject: new Expression('args["request"].query.get("foo")'),
)]
public function index(Request $request)
{
}
```
However, since the `$request` variable might not always be needed in the controller itself, it seems kind of weird to have to add it as an argument just so the `#[IsGranted]` attribute could work. With this PR, the request will always be available to the attribute:
```php
#[IsGranted(attribute: 'SOME_ATTRIBUTE', subject: 'request')]
public function index()
{
}

#[IsGranted(
    attribute: 'SOME_ATTRIBUTE',
    subject: new Expression('request.query.get("foo")'),
)]
public function index()
{
}
```
Don't know if this qualifies as a tweak for 6.2 or feature for 6.3.
Commits
-------
3b6865295e [Security] Make request always available to #[IsGranted]
if (!\array_key_exists($subjectRef, $arguments)) {
95
+
if ('request' === $subjectRef) {
96
+
return$request;
97
+
}
92
98
thrownewRuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $subjectRef, $subjectRef));
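Review bot: The `'request' === $subjectRef` fallback is nested inside the `!\array_key_exists($subjectRef, $arguments)` branch, so it only runs when the controller has no argument named `request`. If a controller declares a `$request` argument of some other type, that value is handed to the voters as the subject instead of the current Request, so the same `subject: 'request'` string resolves differently depending on the method signature. Please document that precedence on the attribute and add tests for both the fallback and the shadowing case. A short comment above the new `if` noting that `request` is now a reserved subject name would also help, since the exception message below still advises adding a `$%s` argument for every other name.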