feature #34548 Added access decision strategy to respect voter priority (aschempp)

This PR was squashed before being merged into the 5.1-dev branch (closes #34548).

Discussion
----------

Added access decision strategy to respect voter priority

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | _will happily do if this is of interest/to be merged 🙃_

The priority-based access decision strategy will decide based on the first voter that does not abstain from the decision. Security voters can be registered with priority (`PriorityTaggedServiceTrait`), so a voter with higher priority can overrule other voters.

In [Contao CMS](https://github.com/contao/contao), the core system should provide security voters that provide the "default permissions", but extensions/bundles can override almost anything and therefore need to be able to override the core decision. None of the existing strategies allow for something like that.

/ping @chalasr @Toflar @leofeyer @ausi
#SymfonyHackday

Commits
-------

0b8028a0ec Added access decision strategy to respect voter priority

Author: chalasr

Authorization/AccessDecisionManager.php

@@ -26,6 +26,7 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
     const STRATEGY_AFFIRMATIVE = 'affirmative';
     const STRATEGY_CONSENSUS = 'consensus';
     const STRATEGY_UNANIMOUS = 'unanimous';
+    const STRATEGY_PRIORITY = 'priority';
 
     private $voters;
     private $strategy;
@@ -166,4 +167,28 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje
 
         return $this->allowIfAllAbstainDecisions;
     }
+
+    /**
+     * Grant or deny access depending on the first voter that does not abstain.
+     * The priority of voters can be used to overrule a decision.
+     *
+     * If all voters abstained from voting, the decision will be based on the
+     * allowIfAllAbstainDecisions property value (defaults to false).
+     */
+    private function decidePriority(TokenInterface $token, array $attributes, $object = null)
+    {
+        foreach ($this->voters as $voter) {
+            $result = $voter->vote($token, $object, $attributes);
+
+            if (VoterInterface::ACCESS_GRANTED === $result) {
+                return true;
+            }
+
+            if (VoterInterface::ACCESS_DENIED === $result) {
+                return false;
+            }
+        }
+
+        return $this->allowIfAllAbstainDecisions;
+    }
 }

Tests/Authorization/AccessDecisionManagerTest.php

@@ -66,6 +66,31 @@ public function getStrategyTests()
 
             [AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), false, true, false],
             [AccessDecisionManager::STRATEGY_UNANIMOUS, $this->getVoters(0, 0, 2), true, true, true],
+
+            // priority
+            [AccessDecisionManager::STRATEGY_PRIORITY, [
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+                $this->getVoter(VoterInterface::ACCESS_GRANTED),
+                $this->getVoter(VoterInterface::ACCESS_DENIED),
+                $this->getVoter(VoterInterface::ACCESS_DENIED),
+            ], true, true, true],
+
+            [AccessDecisionManager::STRATEGY_PRIORITY, [
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+                $this->getVoter(VoterInterface::ACCESS_DENIED),
+                $this->getVoter(VoterInterface::ACCESS_GRANTED),
+                $this->getVoter(VoterInterface::ACCESS_GRANTED),
+            ], true, true, false],
+
+            [AccessDecisionManager::STRATEGY_PRIORITY, [
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+            ], false, true, false],
+
+            [AccessDecisionManager::STRATEGY_PRIORITY, [
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+                $this->getVoter(VoterInterface::ACCESS_ABSTAIN),
+            ], true, true, true],
         ];
     }