KEMBAR78
[Security] Add ability for voters to explain their vote by nicolas-grekas · Pull Request #59771 · symfony/symfony · GitHub
Skip to content

[Security] Add ability for voters to explain their vote #59771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 17, 2025
Merged

[Security] Add ability for voters to explain their vote #59771

merged 1 commit into from
Feb 17, 2025

Conversation

@nicolas-grekas
Copy link
Member

@nicolas-grekas nicolas-grekas commented Feb 13, 2025
edited
Loading

Q A
Branch? 7.3
Bug fix? no
New feature? no
Deprecations? no
Issues Fix #27995, #26343, #35592, #43147
License MIT

This PR takes over #58107, which itself took over from #46493, etc.

It takes the only approach I could think of that would preserve BC.

The visible tip of what this achieves is:

image

image

Internally, this provides a new access audit log infrastructure that relies on new AccessDecision and Vote objects.

Note that I didn't add (nor fix) tests for now. I'll borrow (and credit) from #58107 / #46493 as much as possible.

@carsonbot carsonbot added this to the 7.3 milestone Feb 13, 2025
This was referenced Feb 13, 2025
Closed
Closed
@nicolas-grekas nicolas-grekas force-pushed the sec-vote-reasons branch 2 times, most recently from d664683 to fcc69a6 Compare February 13, 2025 16:38
alexandre-daubois
alexandre-daubois reviewed Feb 13, 2025
View reviewed changes
Copy link
Member

@alexandre-daubois alexandre-daubois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a thought at first read: Vote and AccessDecision really look like value objects.

Should we make:

  • AccessDecision::isGranted readonly and set with a constructor? The decision may not change when the object is created, and if so, a new instance may be created instead because that's another decision actually ;
  • The same thing for Vote::$result and Vote::$voter? Here again, if one of these property has to change after instantiation, then it may be more correct to create a new instance because this is not the "same" vote anymore.

@nicolas-grekas
Copy link
Member Author

@alexandre-daubois making the properties readonly would break the FC layer: setting the results multiple times is how an updated implementation can still give proper feedback when given a non-updated one (voters/access decision managers/strategies.)

94noni
94noni reviewed Feb 14, 2025
View reviewed changes
94noni
94noni reviewed Feb 14, 2025
View reviewed changes
@nicolas-grekas nicolas-grekas force-pushed the sec-vote-reasons branch 3 times, most recently from fae982d to 20e7b35 Compare February 14, 2025 13:26
nicolas-grekas
nicolas-grekas commented Feb 14, 2025
View reviewed changes
src/Symfony/Bridge/Twig/Extension/SecurityExtension.php
try {
return $this->userSecurityChecker->isGrantedForUser($user, $attribute, $subject, $accessDecision);
} catch (AuthenticationCredentialsNotFoundException) {
return false;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added for parity with isGranted() above

@nicolas-grekas nicolas-grekas force-pushed the sec-vote-reasons branch 2 times, most recently from 69264d6 to 2f4b88e Compare February 14, 2025 15:24
@nicolas-grekas
Copy link
Member Author

This PR should be ready for review.
I fixed tests, so that it's green, but I'll add more.

Status: needs review

nicolas-grekas
nicolas-grekas commented Feb 14, 2025
View reviewed changes
src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
}

final public function isGranted(mixed $attribute, mixed $subject = null): bool
final public function isGranted(mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
Copy link
Member Author

@nicolas-grekas nicolas-grekas Feb 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that we could decide to not expose AccessDecision objects when using (User)AuthorizationCheckerInterface.
Any opinions on this?

Having the AccessDecision available to isGranted[ForUser]() methods would allow userland to get the audit log more easily. It's also used right now in AbstractController::denyUnlessGranted(), to compute a better error message. Using the AccessDecisionManager instead of the (User)AuthorizationChecker would be the alternative.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having it in (User)AuthorizationCheckerInterface looks useful enough

@94noni
Copy link
Contributor

94noni commented Feb 16, 2025

What a ride for those PRs :)
Bravo to all devs includes in the process 👏

@fabpot
Copy link
Member

fabpot commented Feb 17, 2025

Thank you @nicolas-grekas.

@fabpot fabpot merged commit 2962567 into symfony:7.3 Feb 17, 2025
8 of 10 checks passed
@fabpot fabpot mentioned this pull request Feb 17, 2025
Closed
@nicolas-grekas nicolas-grekas deleted the sec-vote-reasons branch February 17, 2025 14:12
@eltharin eltharin mentioned this pull request Mar 30, 2025
Merged
@fabpot fabpot mentioned this pull request May 2, 2025
Merged
@kevinpapst
Copy link

The method Vote:addReason() was added, but the code calls $vote->reasons[] all the time. Would be great if we could replace the actual Vote instance with a custom implementation that does not store the reasons. This code can be called hundreds of times and there is no benefit in production to actually store these information.

@nicolas-grekas
Copy link
Member Author

We'd need benchmarks to consider any perf/mem issue here. To me, this should be negligible.
Also: this can be used in prod to compute nice user error messages if one wants to (some will).

@j-schumann
Copy link

Also: this can be used in prod to compute nice user error messages if one wants to (some will).

This is our primary/only reason why we wanted this feature.

@MatTheCat MatTheCat mentioned this pull request May 25, 2025
Closed
@aschempp aschempp mentioned this pull request Jul 9, 2025
Open
@valtzu valtzu mentioned this pull request Jul 31, 2025
Closed
@j-schumann j-schumann mentioned this pull request Aug 6, 2025
Open
fabpot added a commit that referenced this pull request Sep 24, 2025
@fabpot
feature #60085 [Security] improve VoteObject adding extraData for giv…
f1f6344 
…e more possibilities to AccessDecicsionStrategy (eltharin)

This PR was squashed before being merged into the 7.4 branch.

Discussion
----------

[Security] improve VoteObject adding extraData for give more possibilities to AccessDecicsionStrategy

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| License       | MIT

In continuation of #58107 and #59771, add ExtraData in VoteObject and pass it to AccessDecicsionStrategy Object to allow the decision to be refined.

ExtraData can be an array or an object, and AccessDecicsionStrategy can get it to get the final decision.

In 7.2, voter can only respond abstain / allow or deny, but what if we want more choices, per example a ponderable vote ?

With this PR, it allow to put somme data in the new VoteObject as :

```php
/** ScoreData.php */

/** MyVoter.php */

    public function vote(TokenInterface $token, mixed $subject, array $attributes, ?Vote $vote = null) : int
    {
        $vote->result = 1;
        $vote->reasons[] = 'is Admin';
        $vote->extraData['score'] = 10;

        return $vote->result;
    }
```
we need also a custom strategy to take this score into account :

```php
/** MyStrategy.php */

public function decide(\Traversable $results, $accessDecision = null): bool
    {
        $score = 0;

        foreach ($results as $key => $result) {
            $vote = $accessDecision->votes[$key];  // <==

            if(array_key_exists('score', $vote->extraData)) {
                $score += $vote->extraData['score'];
            } else {
                $score += $vote->result;
            }
        }

        $accessDecision->result = $score;

        if ($score > 0) {
            return true;
        }

        if ($score< 0) {
            return false;
        }

        return $this->allowIfAllAbstainDecisions;
    }
```

AccessDecision contains Vote objects and we can read our score from it.

Commits
-------

bd24f84 [Security] improve VoteObject adding extraData for give more possibilities to AccessDecicsionStrategy
symfony-splitter pushed a commit to symfony/security-core that referenced this pull request Sep 24, 2025
@fabpot
feature #60085 [Security] improve VoteObject adding extraData for giv…
70afc2c 
…e more possibilities to AccessDecicsionStrategy (eltharin)

This PR was squashed before being merged into the 7.4 branch.

Discussion
----------

[Security] improve VoteObject adding extraData for give more possibilities to AccessDecicsionStrategy

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| License       | MIT

In continuation of symfony/symfony#58107 and symfony/symfony#59771, add ExtraData in VoteObject and pass it to AccessDecicsionStrategy Object to allow the decision to be refined.

ExtraData can be an array or an object, and AccessDecicsionStrategy can get it to get the final decision.

In 7.2, voter can only respond abstain / allow or deny, but what if we want more choices, per example a ponderable vote ?

With this PR, it allow to put somme data in the new VoteObject as :

```php
/** ScoreData.php */

/** MyVoter.php */

    public function vote(TokenInterface $token, mixed $subject, array $attributes, ?Vote $vote = null) : int
    {
        $vote->result = 1;
        $vote->reasons[] = 'is Admin';
        $vote->extraData['score'] = 10;

        return $vote->result;
    }
```
we need also a custom strategy to take this score into account :

```php
/** MyStrategy.php */

public function decide(\Traversable $results, $accessDecision = null): bool
    {
        $score = 0;

        foreach ($results as $key => $result) {
            $vote = $accessDecision->votes[$key];  // <==

            if(array_key_exists('score', $vote->extraData)) {
                $score += $vote->extraData['score'];
            } else {
                $score += $vote->result;
            }
        }

        $accessDecision->result = $score;

        if ($score > 0) {
            return true;
        }

        if ($score< 0) {
            return false;
        }

        return $this->allowIfAllAbstainDecisions;
    }
```

AccessDecision contains Vote objects and we can read our score from it.

Commits
-------

bd24f84ab90 [Security] improve VoteObject adding extraData for give more possibilities to AccessDecicsionStrategy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stof stof stof left review comments

@alexandre-daubois alexandre-daubois alexandre-daubois left review comments

@fabpot fabpot fabpot approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

+4 more reviewers

@j-schumann j-schumann j-schumann left review comments

@gharlan gharlan gharlan left review comments

@alamirault alamirault alamirault left review comments

@94noni 94noni 94noni approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Security Status: Reviewed

Projects

None yet

Milestone

7.3

Development

Successfully merging this pull request may close these issues.

[Security][DX] Be able to know why exactly SecurityVoter returns false