Merge branch '7.4' into 8.0

nicolas-grekas · nicolas-grekas · commit 807aba054ceb · 2025-09-01T11:26:06.000+02:00
* 7.4: (31 commits)
  [Validator] Update Romanian translations
  fix tests
  [JsonStreamer] Fix decoding iterable lists
  [String][Inflector] Fix edge cases
  [Serializer][Validator] Add JSON schema for validating and autocompleting YAML config files
  [DependencyInjection] Allow adding resource tags using any config formats
  Fix merge
  Add missing Sweego Mailer Bridge webhook events
  [Security] Fix attribute-based chained user providers
  [Intl] Fix Intl::getIcuStubVersion()
  [Intl] Add methods to filter currencies more precisely
  [Notifier] Add tests for option classes
  Sync intl scripts
  [Intl] Add metadata about currencies' validtity dates
  Bump Symfony version to 7.3.4
  Update VERSION for 7.3.3
  Update CHANGELOG for 7.3.3
  Bump Symfony version to 6.4.26
  Update VERSION for 6.4.25
  Update CONTRIBUTORS for 6.4.25
  ...
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,7 +18,7 @@ CHANGELOG
  * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Deprecate `AbstractListener::__invoke`
  * Add `$methods` argument to `#[IsGranted]` to restrict validation to specific HTTP methods
- * Remove `final` keyword from `#[IsGranted]` to allow implementation of custom attributes
+ * Allow subclassing `#[IsGranted]`
 
 7.3
 ---
diff --git a/EventListener/IsGrantedAttributeListener.php b/EventListener/IsGrantedAttributeListener.php
@@ -39,7 +39,14 @@ public function __construct(
 
     public function onKernelControllerArguments(ControllerArgumentsEvent $event): void
     {
-        if (!$attributes = $event->getAttributes(IsGranted::class)) {
+        $attributes = [];
+        foreach ($event->getAttributes() as $class => $attributes[]) {
+            if (!is_a($class, IsGranted::class, true)) {
+                array_pop($attributes);
+            }
+        }
+
+        if (!$attributes = array_merge(...$attributes)) {
             return;
         }
 
diff --git a/Tests/EventListener/IsGrantedAttributeListenerTest.php b/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeController;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeMethodsController;
@@ -524,4 +525,59 @@ public function testSkipsAuthorizationWhenMethodDoesNotMatchStringConstraint()
         $listener = new IsGrantedAttributeListener($authChecker);
         $listener->onKernelControllerArguments($event);
     }
+
+    public function testFiltersOnlyIsGrantedAttributesUsingInstanceof()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE_ADMIN')
+            ->willReturn(true);
+
+        $controller = [new IsGrantedAttributeMethodsController(), 'admin'];
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            $controller,
+            [],
+            new Request(),
+            null
+        );
+
+        // Inject mixed attributes: one IsGranted and one unrelated object; only IsGranted should be processed
+        $event->setController($controller, [
+            IsGranted::class => [new IsGranted('ROLE_ADMIN')],
+            \stdClass::class => [new \stdClass()],
+        ]);
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testSupportsSubclassOfIsGrantedViaInstanceof()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with('ROLE_ADMIN')
+            ->willReturn(true);
+
+        $controller = [new IsGrantedAttributeMethodsController(), 'admin'];
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            $controller,
+            [],
+            new Request(),
+            null
+        );
+
+        $custom = new class('ROLE_ADMIN') extends IsGranted {};
+
+        // Inject subclass instance; instanceof IsGranted should match
+        $event->setController($controller, [
+            $custom::class => [$custom],
+        ]);
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,14 @@ public function __construct(`
`39`	`39`
`40`	`40`	`public function onKernelControllerArguments(ControllerArgumentsEvent $event): void`
`41`	`41`	`{`
`42`		`- if (!$attributes = $event->getAttributes(IsGranted::class)) {`
	`42`	`+ $attributes = [];`
	`43`	`+ foreach ($event->getAttributes() as $class => $attributes[]) {`
	`44`	`+ if (!is_a($class, IsGranted::class, true)) {`
	`45`	`+ array_pop($attributes);`
	`46`	`+ }`
	`47`	`+ }`
	`48`	`+`
	`49`	`+ if (!$attributes = array_merge(...$attributes)) {`
`43`	`50`	`return;`
`44`	`51`	`}`
`45`	`52`