[Security] Add argument $exceptionCode to #[IsGranted]

Maximilian Zumbansen · nicolas-grekas · commit b6a6201fb1d7 · 2023-03-20T10:56:54.000+01:00
diff --git a/Attribute/IsGranted.php b/Attribute/IsGranted.php
@@ -42,6 +42,11 @@ public function __construct(
          * If null, Security\Core's AccessDeniedException will be used.
          */
         public ?int $statusCode = null,
+
+        /**
+         * If set, will add the exception code to thrown exception.
+         */
+        public ?int $exceptionCode = null,
     ) {
     }
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Add `RememberMeBadge` to `JsonLoginAuthenticator` and enable reading parameter in JSON request body
+ * Add argument `$exceptionCode` to `#[IsGranted]`
 
 6.2
 ---
diff --git a/EventListener/IsGrantedAttributeListener.php b/EventListener/IsGrantedAttributeListener.php
@@ -66,10 +66,10 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event)
                 $message = $attribute->message ?: sprintf('Access Denied by #[IsGranted(%s)] on controller', $this->getIsGrantedString($attribute));
 
                 if ($statusCode = $attribute->statusCode) {
-                    throw new HttpException($statusCode, $message);
+                    throw new HttpException($statusCode, $message, code: $attribute->exceptionCode ?? 0);
                 }
 
-                $accessDeniedException = new AccessDeniedException($message);
+                $accessDeniedException = new AccessDeniedException($message, code: $attribute->exceptionCode ?? 403);
                 $accessDeniedException->setAttributes($attribute->attribute);
                 $accessDeniedException->setSubject($subject);
 
diff --git a/Tests/EventListener/IsGrantedAttributeListenerTest.php b/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -384,4 +384,50 @@ public function testIsGrantedWithRequestAsSubject()
         $listener = new IsGrantedAttributeListener($authChecker, new ExpressionLanguage());
         $listener->onKernelControllerArguments($event);
     }
+
+    public function testHttpExceptionWithExceptionCode()
+    {
+        $this->expectException(HttpException::class);
+        $this->expectExceptionMessage('Exception Code');
+        $this->expectExceptionCode(10010);
+
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->any())
+            ->method('isGranted')
+            ->willReturn(false);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'exceptionCodeInHttpException'],
+            [],
+            new Request(),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testAccessDeniedExceptionWithExceptionCode()
+    {
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('Exception Code');
+        $this->expectExceptionCode(10010);
+
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->any())
+            ->method('isGranted')
+            ->willReturn(false);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'exceptionCodeInAccessDeniedException'],
+            [],
+            new Request(),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
 }
diff --git a/Tests/Fixtures/IsGrantedAttributeMethodsController.php b/Tests/Fixtures/IsGrantedAttributeMethodsController.php
@@ -45,6 +45,16 @@ public function notFound()
     {
     }
 
+    #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Exception Code Http', statusCode: 404, exceptionCode: 10010)]
+    public function exceptionCodeInHttpException()
+    {
+    }
+
+    #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Exception Code Access Denied', exceptionCode: 10010)]
+    public function exceptionCodeInAccessDeniedException()
+    {
+    }
+
     #[IsGranted(attribute: new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), subject: 'post')]
     public function withExpressionInAttribute($post)
     {

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,11 @@ public function __construct(`
`42`	`42`	`* If null, Security\Core's AccessDeniedException will be used.`
`43`	`43`	`*/`
`44`	`44`	`public ?int $statusCode = null,`
	`45`	`+`
	`46`	`+ /**`
	`47`	`+ * If set, will add the exception code to thrown exception.`
	`48`	`+ */`
	`49`	`+ public ?int $exceptionCode = null,`
`45`	`50`	`) {`
`46`	`51`	`}`
`47`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,16 @@ public function notFound()`
`45`	`45`	`{`
`46`	`46`	`}`
`47`	`47`
	`48`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Exception Code Http', statusCode: 404, exceptionCode: 10010)]`
	`49`	`+ public function exceptionCodeInHttpException()`
	`50`	`+ {`
	`51`	`+ }`
	`52`	`+`
	`53`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', message: 'Exception Code Access Denied', exceptionCode: 10010)]`
	`54`	`+ public function exceptionCodeInAccessDeniedException()`
	`55`	`+ {`
	`56`	`+ }`
	`57`	`+`
`48`	`58`	`#[IsGranted(attribute: new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), subject: 'post')]`
`49`	`59`	`public function withExpressionInAttribute($post)`
`50`	`60`	`{`