symfony
diff --git a/‎Authentication/Token/UserAuthorizationCheckerToken.php
Lines changed: 0 additions & 31 deletions b/‎Authentication/Token/UserAuthorizationCheckerToken.php
Lines changed: 0 additions & 31 deletions
diff --git a/‎Authorization/AuthorizationChecker.php
Lines changed: 19 additions & 2 deletions b/‎Authorization/AuthorizationChecker.php
Lines changed: 19 additions & 2 deletions
diff --git a/‎Authorization/UserAuthorizationChecker.php
Lines changed: 0 additions & 31 deletions b/‎Authorization/UserAuthorizationChecker.php
Lines changed: 0 additions & 31 deletions
diff --git a/‎Authorization/Voter/ClosureVoter.php
Lines changed: 5 additions & 12 deletions b/‎Authorization/Voter/ClosureVoter.php
Lines changed: 5 additions & 12 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 1 addition & 2 deletions b/‎CHANGELOG.md
Lines changed: 1 addition & 2 deletions
diff --git a/‎Tests/Authentication/Token/UserAuthorizationCheckerTokenTest.php
Lines changed: 0 additions & 26 deletions b/‎Tests/Authentication/Token/UserAuthorizationCheckerTokenTest.php
Lines changed: 0 additions & 26 deletions
diff --git a/‎Tests/Authorization/AuthorizationCheckerTest.php
Lines changed: 39 additions & 0 deletions b/‎Tests/Authorization/AuthorizationCheckerTest.php
Lines changed: 39 additions & 0 deletions
diff --git a/‎Tests/Authorization/UserAuthorizationCheckerTest.php
Lines changed: 0 additions & 70 deletions b/‎Tests/Authorization/UserAuthorizationCheckerTest.php
Lines changed: 0 additions & 70 deletions
diff --git a/‎Tests/Authorization/Voter/AuthenticatedVoterTest.php
Lines changed: 2 additions & 2 deletions b/‎Tests/Authorization/Voter/AuthenticatedVoterTest.php
Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,11 @@
 
 namespace Symfony\Component\Security\Core\Authorization;
 
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
  * AuthorizationChecker is the main authorization point of the Security component.
@@ -22,8 +25,9 @@
  * @author Fabien Potencier <[email protected]>
  * @author Johannes M. Schmitt <[email protected]>
  */
-class AuthorizationChecker implements AuthorizationCheckerInterface
+class AuthorizationChecker implements AuthorizationCheckerInterface, UserAuthorizationCheckerInterface
 {
+    private array $tokenStack = [];
     private array $accessDecisionStack = [];
 
     public function __construct(
@@ -34,7 +38,7 @@ public function __construct(
 
     final public function isGranted(mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
     {
-        $token = $this->tokenStorage->getToken();
+        $token = end($this->tokenStack) ?: $this->tokenStorage->getToken();
 
         if (!$token || !$token->getUser()) {
             $token = new NullToken();
@@ -48,4 +52,17 @@ final public function isGranted(mixed $attribute, mixed $subject = null, ?Access
             array_pop($this->accessDecisionStack);
         }
     }
+
+    final public function isGrantedForUser(UserInterface $user, mixed $attribute, mixed $subject = null, ?AccessDecision $accessDecision = null): bool
+    {
+        $token = new class($user->getRoles()) extends AbstractToken implements OfflineTokenInterface {};
+        $token->setUser($user);
+        $this->tokenStack[] = $token;
+
+        try {
+            return $this->isGranted($attribute, $subject, $accessDecision);
+        } finally {
+            array_pop($this->tokenStack);
+        }
+    }
 }
@@ -11,30 +11,22 @@
 
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
-use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
+use Symfony\Component\Security\Http\Attribute\IsGrantedContext;
 
 /**
  * This voter allows using a closure as the attribute being voted on.
  *
- * The following named arguments are passed to the closure:
- *
- * - `token`: The token being used for voting
- * - `subject`: The subject of the vote
- * - `accessDecisionManager`: The access decision manager
- * - `trustResolver`: The trust resolver
- *
  * @see IsGranted doc for the complete closure signature.
  *
  * @author Alexandre Daubois <[email protected]>
  */
 final class ClosureVoter implements CacheableVoterInterface
 {
     public function __construct(
-        private AccessDecisionManagerInterface $accessDecisionManager,
-        private AuthenticationTrustResolverInterface $trustResolver,
+        private AuthorizationCheckerInterface $authorizationChecker,
     ) {
     }
 
@@ -51,6 +43,7 @@ public function supportsType(string $subjectType): bool
     public function vote(TokenInterface $token, mixed $subject, array $attributes, ?Vote $vote = null): int
     {
         $vote ??= new Vote();
+        $context = new IsGrantedContext($token, $token->getUser(), $this->authorizationChecker);
         $failingClosures = [];
         $result = VoterInterface::ACCESS_ABSTAIN;
         foreach ($attributes as $attribute) {
@@ -60,7 +53,7 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes, ?
 
             $name = (new \ReflectionFunction($attribute))->name;
             $result = VoterInterface::ACCESS_DENIED;
-            if ($attribute(token: $token, subject: $subject, accessDecisionManager: $this->accessDecisionManager, trustResolver: $this->trustResolver)) {
+            if ($attribute($context, $subject)) {
                 $vote->reasons[] = \sprintf('Closure %s returned true.', $name);
 
                 return VoterInterface::ACCESS_GRANTED;
 
@@ -4,8 +4,7 @@ CHANGELOG
 7.3
 ---
 
- * Add `UserAuthorizationChecker::isGrantedForUser()` to test user authorization without relying on the session.
-   For example, users not currently logged in, or while processing a message from a message queue.
+ * Add `UserAuthorizationCheckerInterface` to test user authorization without relying on the session
  * Add `OfflineTokenInterface` to mark tokens that do not represent the currently logged-in user
  * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
    erase credentials e.g. using `__serialize()` instead
 
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
@@ -77,4 +78,42 @@ public function testIsGrantedWithObjectAttribute()
         $this->tokenStorage->setToken($token);
         $this->assertTrue($this->authorizationChecker->isGranted($attribute));
     }
+
+    /**
+     * @dataProvider isGrantedForUserProvider
+     */
+    public function testIsGrantedForUser(bool $decide, array $roles)
+    {
+        $user = new InMemoryUser('username', 'password', $roles);
+
+        $this->accessDecisionManager
+            ->expects($this->once())
+            ->method('decide')
+            ->with($this->callback(static fn (OfflineTokenInterface $token) => $token->getUser() === $user), ['ROLE_FOO'])
+            ->willReturn($decide);
+
+        $this->assertSame($decide, $this->authorizationChecker->isGrantedForUser($user, 'ROLE_FOO'));
+    }
+
+    public static function isGrantedForUserProvider(): array
+    {
+        return [
+            [false, ['ROLE_USER']],
+            [true, ['ROLE_USER', 'ROLE_FOO']],
+        ];
+    }
+
+    public function testIsGrantedForUserWithObjectAttribute()
+    {
+        $attribute = new \stdClass();
+
+        $user = new InMemoryUser('username', 'password', ['ROLE_USER']);
+
+        $this->accessDecisionManager
+            ->expects($this->once())
+            ->method('decide')
+            ->with($this->isInstanceOf(OfflineTokenInterface::class), [$attribute])
+            ->willReturn(true);
+        $this->assertTrue($this->authorizationChecker->isGrantedForUser($user, $attribute));
+    }
 }
@@ -15,9 +15,9 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
 use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
-use Symfony\Component\Security\Core\Authentication\Token\UserAuthorizationCheckerToken;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
@@ -148,7 +148,7 @@ public function getCredentials()
         }
 
         if ('offline' === $authenticated) {
-            return new UserAuthorizationCheckerToken($user);
+            return new class($user->getRoles()) extends AbstractToken implements OfflineTokenInterface {};
         }
 
         return new NullToken();