Assert voter returns valid decision

jderusse · jderusse · commit ffdfb4fb53b4 · 2020-12-06T23:36:13.000+01:00
diff --git a/UPGRADE-5.3.md b/UPGRADE-5.3.md
@@ -12,3 +12,8 @@ Form
  * Deprecated passing an array as the first argument of the `CheckboxListMapper::mapFormsToData()` method, pass `\Traversable` instead.
  * Deprecated passing an array as the second argument of the `RadioListMapper::mapDataToForms()` method, pass `\Traversable` instead.
  * Deprecated passing an array as the first argument of the `RadioListMapper::mapFormsToData()` method, pass `\Traversable` instead.
+
+Security
+--------
+
+ * Deprecated voters that do not return a valid decision when calling the `vote` method.
diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -159,6 +159,7 @@ Security
    in `PreAuthenticatedToken`, `RememberMeToken`, `SwitchUserToken`, `UsernamePasswordToken`,
    `DefaultAuthenticationSuccessHandler`.
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
+ * `AccessDecisionManager` now throw an exception when a voter does not return a valid decision.
 
 TwigBundle
 ----------
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+5.3.0
+-----
+
+* Deprecated voters that do not return a valid decision when calling the `vote` method.
+
 5.2.0
 -----
 
diff --git a/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php b/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
@@ -89,6 +89,8 @@ private function decideAffirmative(TokenInterface $token, array $attributes, $ob
 
             if (VoterInterface::ACCESS_DENIED === $result) {
                 ++$deny;
+            } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
+                trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
             }
         }
 
@@ -124,6 +126,8 @@ private function decideConsensus(TokenInterface $token, array $attributes, $obje
                 ++$grant;
             } elseif (VoterInterface::ACCESS_DENIED === $result) {
                 ++$deny;
+            } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
+                trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
             }
         }
 
@@ -161,6 +165,8 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje
 
                 if (VoterInterface::ACCESS_GRANTED === $result) {
                     ++$grant;
+                } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
+                    trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
                 }
             }
         }
@@ -192,6 +198,10 @@ private function decidePriority(TokenInterface $token, array $attributes, $objec
             if (VoterInterface::ACCESS_DENIED === $result) {
                 return false;
             }
+
+            if (VoterInterface::ACCESS_ABSTAIN !== $result) {
+                trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
+            }
         }
 
         return $this->allowIfAllAbstainDecisions;
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/AccessDecisionManagerTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/AccessDecisionManagerTest.php
@@ -12,11 +12,14 @@
 namespace Symfony\Component\Security\Core\Tests\Authorization;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 
 class AccessDecisionManagerTest extends TestCase
 {
+    use ExpectDeprecationTrait;
+
     public function testSetUnsupportedStrategy()
     {
         $this->expectException('InvalidArgumentException');
@@ -34,6 +37,20 @@ public function testStrategies($strategy, $voters, $allowIfAllAbstainDecisions,
         $this->assertSame($expected, $manager->decide($token, ['ROLE_FOO']));
     }
 
+    /**
+     * @dataProvider provideStrategies
+     * @group legacy
+     */
+    public function testDeprecatedVoter($strategy)
+    {
+        $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();
+        $manager = new AccessDecisionManager([$this->getVoter(3)], $strategy);
+
+        $this->expectDeprecation('Since symfony/security-core 5.3: Returning "3" in "%s::vote()" is deprecated, return one of "Symfony\Component\Security\Core\Authorization\Voter\VoterInterface" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".');
+
+        $manager->decide($token, ['ROLE_FOO']);
+    }
+
     public function getStrategyTests()
     {
         return [
@@ -94,6 +111,14 @@ public function getStrategyTests()
         ];
     }
 
+    public function provideStrategies()
+    {
+        yield [AccessDecisionManager::STRATEGY_AFFIRMATIVE];
+        yield [AccessDecisionManager::STRATEGY_CONSENSUS];
+        yield [AccessDecisionManager::STRATEGY_UNANIMOUS];
+        yield [AccessDecisionManager::STRATEGY_PRIORITY];
+    }
+
     protected function getVoters($grants, $denies, $abstains)
     {
         $voters = [];

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,8 @@ private function decideAffirmative(TokenInterface $token, array $attributes, $ob`
`89`	`89`
`90`	`90`	`if (VoterInterface::ACCESS_DENIED === $result) {`
`91`	`91`	`++$deny;`
	`92`	`+ } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {`
	`93`	`+ trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);`
`92`	`94`	`}`
`93`	`95`	`}`
`94`	`96`
`@@ -124,6 +126,8 @@ private function decideConsensus(TokenInterface $token, array $attributes, $obje`
`124`	`126`	`++$grant;`
`125`	`127`	`} elseif (VoterInterface::ACCESS_DENIED === $result) {`
`126`	`128`	`++$deny;`
	`129`	`+ } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {`
	`130`	`+ trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);`
`127`	`131`	`}`
`128`	`132`	`}`
`129`	`133`
`@@ -161,6 +165,8 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje`
`161`	`165`
`162`	`166`	`if (VoterInterface::ACCESS_GRANTED === $result) {`
`163`	`167`	`++$grant;`
	`168`	`+ } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {`
	`169`	`+ trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);`
`164`	`170`	`}`
`165`	`171`	`}`
`166`	`172`	`}`
`@@ -192,6 +198,10 @@ private function decidePriority(TokenInterface $token, array $attributes, $objec`
`192`	`198`	`if (VoterInterface::ACCESS_DENIED === $result) {`
`193`	`199`	`return false;`
`194`	`200`	`}`
	`201`	`+`
	`202`	`+ if (VoterInterface::ACCESS_ABSTAIN !== $result) {`
	`203`	`+ trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);`
	`204`	`+ }`
`195`	`205`	`}`
`196`	`206`
`197`	`207`	`return $this->allowIfAllAbstainDecisions;`