bug #1614 Use ServiceIterator in Security provider for voters (hkdobrev)

This PR was squashed before being merged into the 2.3.x-dev branch (closes #1614). Discussion ---------- Use ServiceIterator in Security provider for voters Fixes #1530. Commits ------- e2c48152 Use ServiceIterator in Security provider for voters

bug #1614 Use ServiceIterator in Security provider for voters (hkdobrev)
This PR was squashed before being merged into the 2.3.x-dev branch (closes #1614). Discussion ---------- Use ServiceIterator in Security provider for voters Fixes #1530. Commits ------- e2c48152 Use ServiceIterator in Security provider for voters
38ca05e1 · Fabien Potencier · d75a4a48 · e2c48152 · 38ca05e1 · 38ca05e1
Commit 38ca05e1 authored Feb 26, 2018 by Fabien Potencier
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 5 deletions

doc/providers/security.rst doc/providers/security.rst +26 -0

src/Silex/Provider/SecurityServiceProvider.php src/Silex/Provider/SecurityServiceProvider.php +21 -5

No files found.
--- a/doc/providers/security.rst
+++ b/doc/providers/security.rst
@@ -686,6 +686,32 @@ Symfony `cookbook`_.
    providers. :doc:`How to Create a Custom Authentication System with Guard
    </cookbook/guard_authentication>`
+Using Voters to check user permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+See the `Security component documentation on voters <http://symfony.com/doc/current/security/voters.html>`_.
+By default Silex includes the role hierarchy and authenticated voters.
+If you want to add a custom voter, you need to register it as a service and extend ``security.voter_services``.
+.. code-block:: php
+    $app['custom_voter'] = function () {
+        return MyCustomVoter();
+    };
+    $app->extend('security.voter_services', function (array $voters) {
+        $voters[] = 'custom_voter';
+        return $voters;
+    });
+.. note::
+    Using the above approach with the service names circular references are avoided
+    and you can use the ``AccessDecisionManager`` in your custom voter
+    to `check for roles inside a voter
+    <http://symfony.com/doc/current/security/voters.html#checking-for-roles-inside-a-voter>`_.
 Stateless Authentication
 ~~~~~~~~~~~~~~~~~~~~~~~~

--- a/src/Silex/Provider/SecurityServiceProvider.php
+++ b/src/Silex/Provider/SecurityServiceProvider.php
@@ -12,6 +12,7 @@
 namespace Silex\Provider;
 use Pimple\Container;
+use Pimple\ServiceIterator;
 use Pimple\ServiceProviderInterface;
 use Silex\Application;
 use Silex\Api\BootableProviderInterface;
@@ -140,14 +141,29 @@ class SecurityServiceProvider implements ServiceProviderInterface, EventListener
        };
        $app['security.access_manager'] = function ($app) {
-            return new AccessDecisionManager($app['security.voters']);
+            $votersIterator = new ServiceIterator($app, $app['security.voter_services']);
+            return new AccessDecisionManager($votersIterator);
+        };
+        $app['security.voter_services'] = function () {
+            return [RoleHierarchyVoter::class, AuthenticatedVoter::class];
+        };
+        $app[RoleHierarchyVoter::class] = function ($app) {
+            return new RoleHierarchyVoter(new RoleHierarchy($app['security.role_hierarchy']));
+        };
+        $app[AuthenticatedVoter::class] = function ($app) {
+            return new AuthenticatedVoter($app['security.trust_resolver']);
        };
+        // Unused, kept for backwards-compatibility
+        // Extend security.voter_services instead to prevent circular references
        $app['security.voters'] = function ($app) {
-            return [
+            return array_map(function ($voterServiceId) use ($app) {
-                new RoleHierarchyVoter(new RoleHierarchy($app['security.role_hierarchy'])),
+                return $app[$voterServiceId];
-                new AuthenticatedVoter($app['security.trust_resolver']),
+            });
-            ];
        };
        $app['security.firewall'] = function ($app) {