vendor/sensio/framework-extra-bundle/src/EventListener/SecurityListener.php line 53

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Sensio\Bundle\FrameworkExtraBundle\EventListener;
  14. use Psr\Log\LoggerInterface;
  15. use Sensio\Bundle\FrameworkExtraBundle\Request\ArgumentNameConverter;
  16. use Sensio\Bundle\FrameworkExtraBundle\Security\ExpressionLanguage;
  17. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  18. use Symfony\Component\HttpKernel\Event\KernelEvent;
  19. use Symfony\Component\HttpKernel\Exception\HttpException;
  20. use Symfony\Component\HttpKernel\KernelEvents;
  21. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  23. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  24. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  25. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  27. /**
  28.  * SecurityListener handles security restrictions on controllers.
  29.  *
  30.  * @author Fabien Potencier <fabien@symfony.com>
  31.  */
  32. class SecurityListener implements EventSubscriberInterface
  33. {
  34.     private $argumentNameConverter;
  35.     private $tokenStorage;
  36.     private $authChecker;
  37.     private $language;
  38.     private $trustResolver;
  39.     private $roleHierarchy;
  40.     private $logger;
  42.     public function __construct(ArgumentNameConverter $argumentNameConverterExpressionLanguage $language nullAuthenticationTrustResolverInterface $trustResolver nullRoleHierarchyInterface $roleHierarchy nullTokenStorageInterface $tokenStorage nullAuthorizationCheckerInterface $authChecker nullLoggerInterface $logger null)
  43.     {
  44.         $this->argumentNameConverter $argumentNameConverter;
  45.         $this->tokenStorage $tokenStorage;
  46.         $this->authChecker $authChecker;
  47.         $this->language $language;
  48.         $this->trustResolver $trustResolver;
  49.         $this->roleHierarchy $roleHierarchy;
  50.         $this->logger $logger;
  51.     }
  53.     public function onKernelControllerArguments(KernelEvent $event)
  54.     {
  55.         $request $event->getRequest();
  56.         if (!$configurations $request->attributes->get('_security')) {
  57.             return;
  58.         }
  60.         if (null === $this->tokenStorage || null === $this->trustResolver) {
  61.             throw new \LogicException('To use the @Security tag, you need to install the Symfony Security bundle.');
  62.         }
  64.         if (null === $this->tokenStorage->getToken()) {
  65.             throw new \LogicException('To use the @Security tag, your controller needs to be behind a firewall.');
  66.         }
  68.         if (null === $this->language) {
  69.             throw new \LogicException('To use the @Security tag, you need to use the Security component 2.4 or newer and install the ExpressionLanguage component.');
  70.         }
  72.         foreach ($configurations as $configuration) {
  73.             if (!$this->language->evaluate($configuration->getExpression(), $this->getVariables($event))) {
  74.                 if ($statusCode $configuration->getStatusCode()) {
  75.                     throw new HttpException($statusCode$configuration->getMessage());
  76.                 }
  78.                 throw new AccessDeniedException($configuration->getMessage() ?: sprintf('Expression "%s" denied access.'$configuration->getExpression()));
  79.             }
  80.         }
  81.     }
  83.     // code should be sync with Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter
  84.     private function getVariables(KernelEvent $event)
  85.     {
  86.         $request $event->getRequest();
  87.         $token $this->tokenStorage->getToken();
  89.         if (method_exists($this->roleHierarchy'getReachableRoleNames')) {
  90.             if (null !== $this->roleHierarchy) {
  91.                 $roles $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
  92.             } else {
  93.                 $roles $token->getRoleNames();
  94.             }
  95.         } else {
  96.             if (null !== $this->roleHierarchy) {
  97.                 $roles $this->roleHierarchy->getReachableRoles($token->getRoles());
  98.             } else {
  99.                 $roles $token->getRoles();
  100.             }
  102.             $roles array_map(function ($role) {
  103.                 return $role->getRole();
  104.             }, $roles);
  105.         }
  107.         $variables = [
  108.             'token' => $token,
  109.             'user' => $token->getUser(),
  110.             'object' => $request,
  111.             'subject' => $request,
  112.             'request' => $request,
  113.             'roles' => $roles,
  114.             'trust_resolver' => $this->trustResolver,
  115.             // needed for the is_granted expression function
  116.             'auth_checker' => $this->authChecker,
  117.         ];
  119.         $controllerArguments $this->argumentNameConverter->getControllerArguments($event);
  121.         if ($diff array_intersect(array_keys($variables), array_keys($controllerArguments))) {
  122.             foreach ($diff as $key => $variableName) {
  123.                 if ($variables[$variableName] === $controllerArguments[$variableName]) {
  124.                     unset($diff[$key]);
  125.                 }
  126.             }
  128.             if ($diff) {
  129.                 $singular === \count($diff);
  130.                 if (null !== $this->logger) {
  131.                     $this->logger->warning(sprintf('Controller argument%s "%s" collided with the built-in security expression variables. The built-in value%s are being used for the @Security expression.'$singular '' 's'implode('", "'$diff), $singular 's' ''));
  132.                 }
  133.             }
  134.         }
  136.         // controller variables should also be accessible
  137.         return array_merge($controllerArguments$variables);
  138.     }
  140.     /**
  141.      * {@inheritdoc}
  142.      */
  143.     public static function getSubscribedEvents()
  144.     {
  145.         return [KernelEvents::CONTROLLER_ARGUMENTS => 'onKernelControllerArguments'];
  146.     }
  147. }