contao / core-bundle

[READ-ONLY] Contao Core Bundle
GNU Lesser General Public License v3.0

BUGFIX: BackendAccessVoter ensure string when checking for supported attribute #1711

Closed AndreasA closed 4 years ago

AndreasA commented 4 years ago

Ensure that e.g. ExpressionLanguage objects are ignored when checking for support in the BackendAccessVoter.

Fixes: #1710

Toflar commented 4 years ago

Thanks for contributing! LGTM, however, you should open the PR on our monorepository contao/contao. Could you also add a unit test, please? :)

aschempp commented 4 years ago

I'm not sure this is a bug in Contao. Voter attributes should always be strings, the argument is even enforced in the latest Symfony version: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php#L57

AndreasA commented 4 years ago

Hmm.. not according to this: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php

But maybe there is a bug in Symfony core that goes beyond just the PHPDoc now.

Although there is no declare(strict_types=1) so it will probably auto-convert to string (as Expression implements __toString) with the newest version.

It is at least currently an issue in Contao because Symfony does create an object here: https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L185

EDIT: Due to missing strict_types the value will indeed be converted and that version would actually fix the issue.

AndreasA commented 4 years ago

I have created a Symfony bug report too: https://github.com/symfony/symfony/issues/34532

AndreasA commented 4 years ago

I have created the corresponding PR https://github.com/contao/contao/pull/1013/files
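
The guard discussed in this thread, as an added example that is not code from the PR, Contao or Symfony: a voter whose support check ignores non-string attributes such as expression objects, so it abstains on them instead of treating them as its own. `ExpressionAttribute`, `PrefixVoter` and the `example_user.` prefix are hypothetical stand-ins.

```php
<?php
// Added illustration: all class names and the attribute prefix are hypothetical.

// Stand-in for an expression object that can be cast to a string.
final class ExpressionAttribute
{
    private $expression;

    public function __construct(string $expression) { $this->expression = $expression; }

    public function __toString(): string { return $this->expression; }
}

final class PrefixVoter
{
    public const ACCESS_GRANTED = 1;
    public const ACCESS_ABSTAIN = 0;
    public const ACCESS_DENIED = -1;
    private const PREFIX = 'example_user.';

    // Support only plain strings with the prefix; objects never reach strncmp().
    public function supports($attribute): bool
    {
        return \is_string($attribute) && 0 === strncmp($attribute, self::PREFIX, \strlen(self::PREFIX));
    }

    // $granted lists the permissions the current user holds (constructed input).
    public function vote(array $granted, array $attributes): int
    {
        $vote = self::ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (!$this->supports($attribute)) {
                continue; // unsupported attribute: leave the decision to other voters
            }
            $vote = self::ACCESS_DENIED; // supported, so deny unless a permission matches
            if (\in_array(substr($attribute, \strlen(self::PREFIX)), $granted, true)) {
                return self::ACCESS_GRANTED;
            }
        }

        return $vote;
    }
}

// Constructed inputs: expression object only, matching permission, no matching permission.
$voter = new PrefixVoter();
var_dump($voter->vote(['edit'], [new ExpressionAttribute("is_granted('ROLE_ADMIN')")]));
var_dump($voter->vote(['edit'], ['example_user.edit', 'example_user.delete']));
var_dump($voter->vote(['edit'], ['example_user.delete']));
```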