Remove ambiguous usage of multiple roles in access_control

Author: wouterj

security.rst

@@ -513,8 +513,8 @@ start with ``/admin``, you can:
                 # require ROLE_ADMIN for /admin*
                 - { path: '^/admin', roles: ROLE_ADMIN }
 
-                # or require multiple roles for /admin* (when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager)
-                - { path: '^/admin', roles: [IS_AUTHENTICATED_FULLY, ROLE_ADMIN] }
+                # or provide an expression for /admin* (e.g. to require multiple roles)
+                - { path: '^/admin', roles: 'is_granted("IS_AUTHENTICATED_FULLY") and is_granted("ROLE_ADMIN")' }
 
                 # the 'path' value can be any valid regular expression
                 # (this one will match URLs like /api/post/7298 and /api/comment/528491)
@@ -540,10 +540,9 @@ start with ``/admin``, you can:
                 <!-- require ROLE_ADMIN for /admin* -->
                 <rule path="^/admin" role="ROLE_ADMIN"/>
 
-                <!-- require multiple roles for /admin* (when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager) -->
+                <!-- or provide an expression for /admin* (e.g. to require multiple roles) -->
                 <rule path="^/admin">
-                    <role>ROLE_ADMIN</role>
-                    <role>IS_AUTHENTICATED_FULLY</role>
+                    <role>is_granted("IS_AUTHENTICATED_FULLY") and is_granted("ROLE_ADMIN")</role>
                 </rule>
 
                 <!-- the 'path' value can be any valid regular expression
@@ -569,7 +568,7 @@ start with ``/admin``, you can:
                 ['path' => '^/admin', 'roles' => 'ROLE_ADMIN'],
 
                 // require multiple roles for /admin* (when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager)
-                ['path' => '^/admin', 'roles' => ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY']],
+                ['path' => '^/admin', 'roles' => 'is_granted("IS_AUTHENTICATED_FULLY") and is_granted("ROLE_ADMIN")'],
 
                 // the 'path' value can be any valid regular expression
                 // (this one will match URLs like /api/post/7298 and /api/comment/528491)

security/access_control.rst

@@ -44,8 +44,6 @@ Take the following ``access_control`` entries as an example:
                 - { path: '^/admin', roles: ROLE_USER_IP, ip: 127.0.0.1 }
                 - { path: '^/admin', roles: ROLE_USER_HOST, host: symfony\.com$ }
                 - { path: '^/admin', roles: ROLE_USER_METHOD, methods: [POST, PUT] }
-                # when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager
-                - { path: '^/admin', roles: [ROLE_MANAGER, ROLE_ADMIN] }
 
     .. code-block:: xml
 
@@ -63,8 +61,6 @@ Take the following ``access_control`` entries as an example:
                 <rule path="^/admin" role="ROLE_USER_IP" ip="127.0.0.1"/>
                 <rule path="^/admin" role="ROLE_USER_HOST" host="symfony\.com$"/>
                 <rule path="^/admin" role="ROLE_USER_METHOD" methods="POST, PUT"/>
-                <!-- when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager -->
-                <rule path="^/admin" roles="ROLE_ADMIN, ROLE_MANAGER"/>
             </config>
         </srv:container>
 
@@ -95,11 +91,6 @@ Take the following ``access_control`` entries as an example:
                     'roles' => 'ROLE_USER_METHOD',
                     'methods' => 'POST, PUT',
                 ],
-                [
-                    'path' => '^/admin',
-                    // when defining multiple roles, the behavior depends on the strategy used in Access Decission Manager
-                    'roles' => ['ROLE_MANAGER', 'ROLE_ADMIN'],
-                ],
             ],
         ]);
 
@@ -156,13 +147,7 @@ options:
 
 * ``roles`` If the user does not have the given role, then access is denied
   (internally, an :class:`Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException`
-  is thrown). If this value is an array of multiple roles, the user must have:
-  
-  * at least one of them when using the default ``affirmative`` strategy.
-  * more granted than denied roles when using the ``consensus`` strategy.
-  * all of them when using the ``unanimous`` strategy.
-  
-  For more details about different strategies, see :ref:`Access Decision Manager <components-security-access-decision-manager>`.
+  is thrown).
 
 * ``allow_if`` If the expression returns false, then access is denied;