bug #34304 [Security] Fix defining multiple roles per access_control rule (chalasr)

fabpot · fabpot · commit 0cba0c7572c3 · 2019-11-09T12:16:35.000+01:00
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Fix defining multiple roles per access_control rule | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | symfony/symfony-docs#12371 needs to be reverted #33584 deprecated passing multiple attributes to `AccessDecisionManager::decide()`, but this change must not impact `access_control` as you cannot define multiple rules with the same criteria for request matching (the first match wins). Commits ------- 338b3dfd9f [Security] Fix defining multiple roles per access_control rule
diff --git a/Http/Firewall/AccessListener.php b/Http/Firewall/AccessListener.php
@@ -68,7 +68,14 @@ public function __invoke(RequestEvent $event)
             $this->tokenStorage->setToken($token);
         }
 
-        if (!$this->accessDecisionManager->decide($token, $attributes, $request)) {
+        $granted = false;
+        foreach ($attributes as $key => $value) {
+            if ($this->accessDecisionManager->decide($token, [$key => $value], $request)) {
+                $granted = true;
+            }
+        }
+
+        if (!$granted) {
             $exception = new AccessDeniedException();
             $exception->setAttributes($attributes);
             $exception->setSubject($request);
