I'm in Symfony 4.4

My first permission is

 * @IsGranted(
 *     ModulePermission::MODULE_MODERATOR,
 *     subject="module",
 * )

My second permission is

 * @IsGranted(
 *     ItemPermission::DELETE_ITEM,
 *     subject="cm",
 * )

Every permission works independently as expected, but as I don't have access yet to @Security (update to SF5 scheduled but not done), how can I use both permissions in my controller for MODULE_MODERATOR OR DELETE_ITEM?

I have tried different 'googled' solutions without success:

Access denied:

 * @IsGranted(
 *     "is_granted('ITEM_PERMISSION::DELETE_ITEM',cm) OR is_granted('MODULE_PERMISSION::MODULE_MODERATOR',module)",
 * )

Access denied:

 * @IsGranted(
 *     "ITEM_PERMISSION::DELETE_ITEM cm OR ModulePermission::MODULE_MODERATOR module",
 * )
Boodyguard

1 Answer


I would say that you can only concatenate your IsGranted annotations (it's even an example in the documentation: https://symfony.com/bundles/SensioFrameworkExtraBundle/current/annotations/security.html#isgranted):

/**
 * @IsGranted(ModulePermission::MODULE_MODERATOR, subject="module")
 * @IsGranted(ItemPermission::DELETE_ITEM, subject="cm")
 */

They say in this documentation:

Each IsGranted() must grant access for the user to have access to the controller.

But it's weird according to their example (being ADMIN + having the right to SHOW the post). Moreover, Symfony applies the "affirmative" strategy by default for the voters, which means:

This grants access as soon as there is one voter granting access;

Vincent Decaux
  • Thanks Vincent, but I have tested with the concatenation: if both conditions are not granted, the access is rejected. The best thing to do is to adapt my voters until the upgrade of the Sf version. – Boodyguard Apr 11 '23 at 08:45
  • Thanks for your feedback, I didn't have time to check and the doc was a little unclear to me, sorry for your time loss – Vincent Decaux Apr 11 '23 at 09:29
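
Added example (not from the question, the answer or Symfony's documentation): stacked @IsGranted annotations are checked one after another and each must pass, so on Symfony 4.4 an OR across two attribute/subject pairs can be written with AbstractController::isGranted() calls inside the action. The controller class name, the App\Security namespace of the two permission classes and the helper denyAccessUnlessAnyGranted() are assumptions; $module and $cm are the same controller arguments the annotations above use as subjects.

```php
<?php

namespace App\Controller;

use App\Security\ItemPermission;   // assumed namespace for the asker's class
use App\Security\ModulePermission; // assumed namespace for the asker's class
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical controller; routing and argument resolution stay as in the
// existing action that currently carries the @IsGranted annotations.
class ItemController extends AbstractController
{
    public function delete($module, $cm): Response
    {
        // Each pair is a separate access decision handed to the voters.
        // Access is allowed as soon as one pair is granted.
        $this->denyAccessUnlessAnyGranted([
            [ModulePermission::MODULE_MODERATOR, $module],
            [ItemPermission::DELETE_ITEM, $cm],
        ]);

        // ... perform the deletion here ...

        return new Response('', Response::HTTP_NO_CONTENT);
    }

    /**
     * Hypothetical helper: OR over several [attribute, subject] pairs.
     * An empty list grants nothing, so the check fails closed.
     *
     * @param array<int, array{0: string, 1: mixed}> $checks
     */
    private function denyAccessUnlessAnyGranted(array $checks): void
    {
        foreach ($checks as [$attribute, $subject]) {
            if ($this->isGranted($attribute, $subject)) {
                return;
            }
        }

        throw $this->createAccessDeniedException('Neither permission was granted.');
    }
}
```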