124 lines
3.2 KiB
Plaintext
124 lines
3.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
In a Symfony web application:
|
|
|
|
* the ``vote`` method of a https://symfony.com/doc/current/security/voters.html[VoterInterface] type is not compliant when it returns only an affirmative decision (``ACCESS_GRANTED``):
|
|
|
|
----
|
|
class NoncompliantVoterInterface implements VoterInterface
|
|
{
|
|
public function vote(TokenInterface $token, $subject, array $attributes)
|
|
{
|
|
return self::ACCESS_GRANTED; // Noncompliant
|
|
}
|
|
}
|
|
----
|
|
|
|
* the ``voteOnAttribute`` method of a https://symfony.com/doc/current/security/voters.html[Voter] type is not compliant when it returns only an affirmative decision (``true``):
|
|
|
|
----
|
|
class NoncompliantVoter extends Voter
|
|
{
|
|
protected function supports(string $attribute, $subject)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token)
|
|
{
|
|
return true; // Noncompliant
|
|
}
|
|
}
|
|
----
|
|
|
|
In a Laravel web application:
|
|
|
|
* the ``define``, ``before``, and ``after`` methods of a https://laravel.com/docs/8.x/authorization[Gate] are not compliant when they return only an affirmative decision (``true`` or ``Response::allow()``):
|
|
|
|
----
|
|
class NoncompliantGuard
|
|
{
|
|
public function boot()
|
|
{
|
|
Gate::define('xxx', function ($user) {
|
|
return true; // Noncompliant
|
|
});
|
|
|
|
Gate::define('xxx', function ($user) {
|
|
return Response::allow(); // Noncompliant
|
|
});
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In a Symfony web application:
|
|
|
|
* the ``vote`` method of a https://symfony.com/doc/current/security/voters.html[VoterInterface] type should return a negative decision (``ACCESS_DENIED``) or abstain from making a decision (``ACCESS_ABSTAIN``):
|
|
|
|
----
|
|
class CompliantVoterInterface implements VoterInterface
|
|
{
|
|
public function vote(TokenInterface $token, $subject, array $attributes)
|
|
{
|
|
if (foo()) {
|
|
return self::ACCESS_GRANTED; // Compliant
|
|
} else if (bar()) {
|
|
return self::ACCESS_ABSTAIN;
|
|
}
|
|
return self::ACCESS_DENIED;
|
|
}
|
|
}
|
|
----
|
|
|
|
* the ``voteOnAttribute`` method of a https://symfony.com/doc/current/security/voters.html[Voter] type should return a negative decision (``false``):
|
|
|
|
----
|
|
class CompliantVoter extends Voter
|
|
{
|
|
protected function supports(string $attribute, $subject)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token)
|
|
{
|
|
if (foo()) {
|
|
return true; // Compliant
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
----
|
|
|
|
In a Laravel web application:
|
|
|
|
* the ``define``, ``before``, and ``after`` methods of a https://laravel.com/docs/8.x/authorization[Gate] should return a negative decision (``false`` or ``Response::deny()``) or abstain from making a decision (``null``):
|
|
|
|
----
|
|
class NoncompliantGuard
|
|
{
|
|
public function boot()
|
|
{
|
|
Gate::define('xxx', function ($user) {
|
|
if (foo()) {
|
|
return true; // Compliant
|
|
}
|
|
return false;
|
|
});
|
|
|
|
Gate::define('xxx', function ($user) {
|
|
if (foo()) {
|
|
return Response::allow(); // Compliant
|
|
}
|
|
return Response::deny();
|
|
});
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|