
I'm taking over someone's code and I don't understand something about the voting.

Here is the PhotosController class:

<?php
namespace App\Controller; // assumed namespace; not shown in the question

use App\Entity\Photo;                 // assumed location of the Photo entity
use App\Repository\PhotoRepository;   // assumed location of the repository
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Routing\Annotation\Route;

class PhotosController extends Controller
{
    /**
     * @Route("/dashboard/photos/{id}/view", name="dashboard_photos_view")
     * @Security("is_granted('view.photo', photo)")
     * @param Photo $photo
     * @param PhotoRepository $photoRepository
     */
    public function index(Photo $photo, PhotoRepository $photoRepository)
    {
        // "photo" in the @Security expression refers to the $photo argument
        // (expression variables are the controller's argument names, no $).
        // The S3 object is streamed straight to the client and the script ends.
        $obj = $photoRepository->getFileObjectFromS3($photo);
        header("Content-Type: {$obj['ContentType']}");
        echo $obj['Body'];
        exit;
    }
}

Here is the voter class:

<?php
namespace App\Security; // assumed namespace; not shown in the question

use App\Entity\Photo;   // assumed location of the Photo entity
use App\Entity\User;    // assumed class returned by getUser(); has getId()
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class PhotoVoter extends Voter
{
    const VIEW = 'view.photo';

    // Called for every is_granted() check; returns true only for the
    // ('view.photo', Photo) pairs this voter knows how to decide.
    protected function supports($attribute, $subject)
    {
        if (!$subject instanceof Photo) {
            return false;
        }
        if (!in_array($attribute, array(self::VIEW))) {
            return false;
        }
        return true;
    }

    // Grants access only when the photo's owner is the authenticated user.
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        // Defensive check (not in the original voter): an anonymous token
        // carries no User object, so deny rather than call getId() on it.
        if (!$user instanceof User) {
            return false;
        }
        return $subject->getUser()->getId() === $user->getId();
    }
}

I don't understand what the ", photo" is for in the PhotosController class. And in PhpStorm I get "cannot find declaration" when I try to go to the "is_granted" declaration.

Brent Heigold
  • There is no special significance to .photo. The attribute could be any string. Using just 'view' is perhaps a bit more normal. But again, it could be anything. Since you are supporting a legacy app then you might want to take a look at any other custom voters and just follow whatever standards the original developer had. – Cerad Dec 29 '18 at 01:39
  • Hi Cerad, it's not the . (dot) photo I'm confused about, it's the , (comma) photo right after 'view.photo'. I don't understand what its use is. – Brent Heigold Dec 29 '18 at 01:45
  • It basically ends up calling the AuthorizationChecker::isGranted('view.photo',$photo) method which eventually ends up calling the PhotoVoter instance. https://symfony.com/doc/current/security/voters.html. Never did care for annotations myself. – Cerad Dec 29 '18 at 01:49
  • So it capitalizes the first letter and changes "photo" to "Photo" and then looks for PhotoVoter? Is that the process? – Brent Heigold Dec 29 '18 at 02:02
  • Shouldn't it say ", $photo" then instead of ", photo"? – Brent Heigold Dec 29 '18 at 02:13
  • Nope. Look over the doc link I posted. 'photo' is the variable name. You don't need a $ because, well, because you don't. The magic of annotation. The authorization checker has a list of all available voters. It uses the Voter::supports method to determine which voters to actually use. – Cerad Dec 29 '18 at 02:31
  • And while a bit off topic, if the code actually uses header and echo to generate a response then buckle up because you are in for a very rough ride indeed. – Cerad Dec 29 '18 at 02:33
  • Ok I'll do that. Thanks so much for your help Cerad. – Brent Heigold Dec 29 '18 at 02:33
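The explicit, annotation-free equivalent of the @Security check Cerad describes, as an added example that is not part of the question or comments; it assumes App\Entity\Photo and App\Repository\PhotoRepository as the entity and repository locations and that PhotoVoter is registered as a service.

```php
<?php
namespace App\Controller;

use App\Entity\Photo;                 // assumed location of the Photo entity
use App\Repository\PhotoRepository;   // assumed location of the repository
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class PhotosController extends Controller
{
    /**
     * @Route("/dashboard/photos/{id}/view", name="dashboard_photos_view")
     */
    public function index(Photo $photo, PhotoRepository $photoRepository)
    {
        // "photo" in @Security("is_granted('view.photo', photo)") is simply
        // this $photo argument: the Photo entity the ParamConverter loaded
        // from the {id} route value. Expression-language variables are the
        // controller's argument names, written without the $.
        //
        // The annotation is shorthand for this call. It runs every voter
        // whose supports() accepts ('view.photo', Photo), here PhotoVoter,
        // and throws AccessDeniedException (HTTP 403) unless access is
        // granted. Checking before the S3 lookup means a request for a
        // photo the user does not own is rejected before touching storage.
        $this->denyAccessUnlessGranted('view.photo', $photo);

        $obj = $photoRepository->getFileObjectFromS3($photo);

        // Return a Response rather than header()/echo/exit, so the kernel's
        // response listeners and the firewall see a complete request cycle.
        return new Response($obj['Body'], 200, [
            'Content-Type' => $obj['ContentType'],
        ]);
    }
}
```

With the voter shown above, an authenticated user requesting someone else's photo id gets a 403 from denyAccessUnlessGranted instead of the file body.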

0 Answers