vendor/sensio/framework-extra-bundle/src/EventListener/SecurityListener.php line 54

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Sensio\Bundle\FrameworkExtraBundle\EventListener;
  14. use Psr\Log\LoggerInterface;
  15. use Sensio\Bundle\FrameworkExtraBundle\Request\ArgumentNameConverter;
  16. use Sensio\Bundle\FrameworkExtraBundle\Security\ExpressionLanguage;
  17. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  18. use Symfony\Component\HttpKernel\Event\KernelEvent;
  19. use Symfony\Component\HttpKernel\Exception\HttpException;
  20. use Symfony\Component\HttpKernel\KernelEvents;
  21. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  23. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  24. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  25. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  26. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  28. /**
  29. * SecurityListener handles security restrictions on controllers.
  30. *
  31. * @author Fabien Potencier <fabien@symfony.com>
  32. */
  33. class SecurityListener implements EventSubscriberInterface
  34. {
  35. private $argumentNameConverter;
  36. private $tokenStorage;
  37. private $authChecker;
  38. private $language;
  39. private $trustResolver;
  40. private $roleHierarchy;
  41. private $logger;
  43. public function __construct(ArgumentNameConverter $argumentNameConverter, ExpressionLanguage $language = null, AuthenticationTrustResolverInterface $trustResolver = null, RoleHierarchyInterface $roleHierarchy = null, TokenStorageInterface $tokenStorage = null, AuthorizationCheckerInterface $authChecker = null, LoggerInterface $logger = null)
  44. {
  45. $this->argumentNameConverter = $argumentNameConverter;
  46. $this->tokenStorage = $tokenStorage;
  47. $this->authChecker = $authChecker;
  48. $this->language = $language;
  49. $this->trustResolver = $trustResolver;
  50. $this->roleHierarchy = $roleHierarchy;
  51. $this->logger = $logger;
  52. }
  54. public function onKernelControllerArguments(KernelEvent $event)
  55. {
  56. $request = $event->getRequest();
  57. if (!$configurations = $request->attributes->get('_security')) {
  58. return;
  59. }
  61. if (null === $this->tokenStorage || null === $this->trustResolver) {
  62. throw new \LogicException('To use the @Security tag, you need to install the Symfony Security bundle.');
  63. }
  65. if (null === $this->tokenStorage->getToken()) {
  66. throw new AccessDeniedException('No user token or you forgot to put your controller behind a firewall while using a @Security tag.');
  67. }
  69. if (null === $this->language) {
  70. throw new \LogicException('To use the @Security tag, you need to use the Security component 2.4 or newer and install the ExpressionLanguage component.');
  71. }
  73. foreach ($configurations as $configuration) {
  74. if (!$this->language->evaluate($configuration->getExpression(), $this->getVariables($event))) {
  75. if ($statusCode = $configuration->getStatusCode()) {
  76. throw new HttpException($statusCode, $configuration->getMessage());
  77. }
  79. throw new AccessDeniedException($configuration->getMessage() ?: sprintf('Expression "%s" denied access.', $configuration->getExpression()));
  80. }
  81. }
  82. }
  84. // code should be sync with Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter
  85. private function getVariables(KernelEvent $event)
  86. {
  87. $request = $event->getRequest();
  88. $token = $this->tokenStorage->getToken();
  89. $variables = [
  90. 'token' => $token,
  91. 'user' => $token->getUser(),
  92. 'object' => $request,
  93. 'subject' => $request,
  94. 'request' => $request,
  95. 'roles' => $this->getRoles($token),
  96. 'trust_resolver' => $this->trustResolver,
  97. // needed for the is_granted expression function
  98. 'auth_checker' => $this->authChecker,
  99. ];
  101. $controllerArguments = $this->argumentNameConverter->getControllerArguments($event);
  103. if ($diff = array_intersect(array_keys($variables), array_keys($controllerArguments))) {
  104. foreach ($diff as $key => $variableName) {
  105. if ($variables[$variableName] === $controllerArguments[$variableName]) {
  106. unset($diff[$key]);
  107. }
  108. }
  110. if ($diff) {
  111. $singular = 1 === \count($diff);
  112. if (null !== $this->logger) {
  113. $this->logger->warning(sprintf('Controller argument%s "%s" collided with the built-in security expression variables. The built-in value%s are being used for the @Security expression.', $singular ? '' : 's', implode('", "', $diff), $singular ? 's' : ''));
  114. }
  115. }
  116. }
  118. // controller variables should also be accessible
  119. return array_merge($controllerArguments, $variables);
  120. }
  122. private function getRoles(TokenInterface $token): array
  123. {
  124. if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) {
  125. if (null !== $this->roleHierarchy) {
  126. $roles = $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
  127. } else {
  128. $roles = $token->getRoleNames();
  129. }
  130. } else {
  131. if (null !== $this->roleHierarchy) {
  132. $roles = $this->roleHierarchy->getReachableRoles($token->getRoles());
  133. } else {
  134. $roles = $token->getRoles();
  135. }
  137. $roles = array_map(function ($role) {
  138. return $role->getRole();
  139. }, $roles);
  140. }
  142. return $roles;
  143. }
  145. /**
  146. * {@inheritdoc}
  147. */
  148. public static function getSubscribedEvents()
  149. {
  150. return [KernelEvents::CONTROLLER_ARGUMENTS => 'onKernelControllerArguments'];
  151. }
  152. }