feature #19473 [Security] Expose the required roles in AccessDeniedException (Nicofuma)

fabpot · fabpot · commit a45ccd009939 · 2016-08-09T06:40:33.000-07:00
This PR was merged into the 3.2-dev branch.

Discussion
----------

[Security] Expose the required roles in AccessDeniedException

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| License       | MIT

Nowadays it is more and more common to protect some sensitive actions and part of a website using 2FA or some re-authentication mechanism (per example, on Github you have to enter your password again when you add an ssh key). But currently, in Symfony, it is really hard to implement without having to duplicate the logic, provide an explicit list of URLs to protect or hack into the security component.

A good way to achieve that would be to add a special role (like IS_AUTHENTICATED_FULLY) and use it in the access map. But it requires us to be able to have a custom logic in an ExceptionListener depending on the roles behind an AccessDeniedException.

With this patch we could write an ExceptionListener of this kind (a similar logic could also be used in an AccessDeniedHandler):

```php
    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event-&gt;getException();
        do {
            if ($exception instanceof AccessDeniedException) {
                foreach ($exception-&gt;getAttributes() as $role) {
                    if ($role === 'IS_AUTHENTICATED_2FA' &amp;&amp; !$this-&gt;accessDecisionManager-&gt;decide($this-&gt;tokenStorage-&gt;getToken(), $role, $exception-&gt;getObject())) {
                        // Start 2FA
                    }
                }
            }
        } while (null !== $exception = $exception-&gt;getPrevious());
    }
```

Replaces #18661

Commits
-------

6618c18 [Security] Expose the required roles in AccessDeniedException
diff --git a/Controller/Controller.php b/Controller/Controller.php
@@ -192,7 +192,11 @@ protected function isGranted($attributes, $object = null)
     protected function denyAccessUnlessGranted($attributes, $object = null, $message = 'Access Denied.')
     {
         if (!$this->isGranted($attributes, $object)) {
-            throw $this->createAccessDeniedException($message);
+            $exception = $this->createAccessDeniedException($message);
+            $exception->setAttributes($attributes);
+            $exception->setObject($object);
+
+            throw $exception;
         }
     }
 
diff --git a/composer.json b/composer.json
@@ -29,7 +29,7 @@
         "symfony/filesystem": "~2.8|~3.0",
         "symfony/finder": "~2.8|~3.0",
         "symfony/routing": "~3.0",
-        "symfony/security-core": "~2.8|~3.0",
+        "symfony/security-core": "~3.2",
         "symfony/security-csrf": "~2.8|~3.0",
         "symfony/stopwatch": "~2.8|~3.0",
         "symfony/templating": "~2.8|~3.0",

Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,11 @@ protected function isGranted($attributes, $object = null)`
`192`	`192`	`protected function denyAccessUnlessGranted($attributes, $object = null, $message = 'Access Denied.')`
`193`	`193`	`{`
`194`	`194`	`if (!$this->isGranted($attributes, $object)) {`
`195`		`- throw $this->createAccessDeniedException($message);`
	`195`	`+ $exception = $this->createAccessDeniedException($message);`
	`196`	`+ $exception->setAttributes($attributes);`
	`197`	`+ $exception->setObject($object);`
	`198`	`+`
	`199`	`+ throw $exception;`
`196`	`200`	`}`
`197`	`201`	`}`
`198`	`202`