Geek Answers Handbook

Why did Symfony2 security guards always call?

I use security voters as an alternative to symfony acl.

voter example:

My voters look the same, following the following.

class FoobarVoter implements VoterInterface { public function supportsClass($class) { return in_array($class, array( 'Example\FoobarBundle\Entity\Foobar', )); } public function supportsAttribute($attribute) { return in_array(strtolower($attribute), array('foo', 'bar')); } public function vote(TokenInterface $token, $object, array $attributes) { $result = VoterInterface::ACCESS_ABSTAIN if (!$this->supportsClass(get_class($object))) { return VoterInterface::ACCESS_ABSTAIN; } foreach ($attributes as $attribute) { $attribute = strtolower($attribute); // skip not supported attributes if (!$this->supportsAttribute($attribute)) { continue; } [... some logic ...] } return $result; } }

questions:

reduce the number of calls to Voter :: vote ()

my voters are on and cause every page to load. even if they do not support solutions for this class. FoobarVoter::vote() always called. even if FoobarVoter::supportsClass() or FoobarVoter::supportsAttribute returns false. so I need to check the class and attribute inside FoobarVoter::vote() . is it a standard of behavior? how can i prevent this unnecessary call.

restrict voters

some voters are needed only in certain packages. some of them are only needed to define specific classes. therefore, some voters are not needed in all parts of my application. Is it possible to include voters dynamically in a bunch / entity? for example, include only voters in the decision manager chain if a specific node or object is accessed / used?

+7
source share
1 answer

Looking through the source code for Symfony seems to be because the AccessDecisionManager uses these methods (supports Class and seupportsAttribute) to support collapse.

What this allows your voter to do is expand the cases when the manager will be applied. Thus, you do not specify the capabilities of your voter, but the entire voting process. No matter what you want, this is something else ...

As for reducing unnecessary calls, in the general case this is not necessary. The system is developed using one of three methods:

  • Allow ( decideAffirmative ). This uses an "allow" vote. This means that if one plugin says "allow", then you are allowed.

  • Transition-based ( decideConsensus ). It uses consensus-based permission, where if more voters agree to allow than deny that you are allowed ...

  • Rejected ( decideUnanimous ). It uses a rejection-based vote. This means that if one plugin says "deny", then you are denied. Otherwise, you will need at least one grant.

Therefore, given that they all rely on explicit prohibition vs Allow, using all the plugins for each request really makes sense. Because even if you do not specifically support the class, you can allow or reject this request.

In short, there is nothing to win by restricting voters to attributes of support.

+8
source

More articles:


All Articles