feature symfony#61359 [Security] Add $methods support to #[IsGranted] to restrict access by HTTP method (santysisi)

fabpot · fabpot · commit 0d47620049b8 · 2025-08-20T08:36:36.000+02:00
This PR was merged into the 7.4 branch. Discussion ---------- [Security] Add `$methods` support to `#[IsGranted]` to restrict access by HTTP method | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | no | License | MIT ### Description This PR adds support for restricting `#[IsGranted]` validation to specific HTTP methods via a new `$methods` argument. ### What's New You can now define access control per HTTP method directly in the `#[IsGranted]` attribute. This allows greater flexibility when securing controller actions that handle multiple HTTP verbs. ```php #[IsGranted('ROLE_ADMIN', methods: ['GET', 'POST'])] public function someAction() {} #[IsGranted('ROLE_ADMIN', methods: 'POST')] public function otherAction() {} ``` * If the current request method does not match, the attribute is ignored. * If the method matches, the usual access check logic runs as expected. This change aligns `#[IsGranted]` more closely with other HTTP-aware attributes like: * `#[IsCsrfTokenValid]` * `#[IsSignatureValid]` (currently under review) Commits ------- 68f0fca [Security] Add `$methods` support to `#[IsGranted]` to restrict access by HTTP method
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsGranted.php b/src/Symfony/Component/Security/Http/Attribute/IsGranted.php
@@ -24,19 +24,25 @@
 #[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
 final class IsGranted
 {
+    /** @var string[] */
+    public readonly array $methods;
+
     /**
-     * @param string|Expression|\Closure(IsGrantedContext, mixed $subject):bool $attribute The attribute that will be checked against a given authentication token and optional subject
-     * @param array|string|Expression|\Closure(array<string,mixed>, Request):mixed|null $subject An optional subject - e.g. the current object being voted on
-     * @param string|null $message       A custom message when access is not granted
-     * @param int|null    $statusCode    If set, will throw HttpKernel's HttpException with the given $statusCode; if null, Security\Core's AccessDeniedException will be used
-     * @param int|null    $exceptionCode If set, will add the exception code to thrown exception
+     * @param string|Expression|\Closure(IsGrantedContext, mixed $subject):bool         $attribute     The attribute that will be checked against a given authentication token and optional subject
+     * @param array|string|Expression|\Closure(array<string,mixed>, Request):mixed|null $subject       An optional subject - e.g. the current object being voted on
+     * @param string|null                                                               $message       A custom message when access is not granted
+     * @param int|null                                                                  $statusCode    If set, will throw HttpKernel's HttpException with the given $statusCode; if null, Security\Core's AccessDeniedException will be used
+     * @param int|null                                                                  $exceptionCode If set, will add the exception code to thrown exception
+     * @param string[]|string                                                           $methods       HTTP methods to apply validation to. Empty array means all methods are allowed
      */
     public function __construct(
         public string|Expression|\Closure $attribute,
         public array|string|Expression|\Closure|null $subject = null,
         public ?string $message = null,
         public ?int $statusCode = null,
         public ?int $exceptionCode = null,
+        array|string $methods = [],
     ) {
+        $this->methods = (array) $methods;
     }
 }
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -7,6 +7,7 @@ CHANGELOG
  * Add support for union types with `#[CurrentUser]`
  * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Deprecate `AbstractListener::__invoke`
+ * Add `$methods` argument to `#[IsGranted]` to restrict validation to specific HTTP methods
 
 7.3
 ---
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
@@ -47,6 +47,10 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
         $arguments = $event->getNamedArguments();
 
         foreach ($attributes as $attribute) {
+            if ($attribute->methods && !\in_array($request->getMethod(), array_map('strtoupper', $attribute->methods), true)) {
+                continue;
+            }
+
             $subject = null;
 
             if ($subjectRef = $attribute->subject) {
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -454,4 +454,74 @@ public function testAccessDeniedExceptionWithExceptionCode()
 
         $listener->onKernelControllerArguments($event);
     }
+
+    public function testThrowsAccessDeniedExceptionWhenMethodMatchesStringConstraint()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())->method('isGranted')->willReturn(false);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'adminWithMethodGet'],
+            [],
+            new Request([], [], [], [], [], ['REQUEST_METHOD' => 'GET']),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $this->expectException(AccessDeniedException::class);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testThrowsAccessDeniedExceptionWhenMethodMatchesArrayConstraint()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())->method('isGranted')->willReturn(false);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'adminWithMethodGetAndPost'],
+            [],
+            new Request([], [], [], [], [], ['REQUEST_METHOD' => 'POST']),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $this->expectException(AccessDeniedException::class);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testSkipsAuthorizationWhenMethodDoesNotMatchArrayConstraint()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->never())->method('isGranted');
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'adminWithMethodGetAndPost'],
+            [],
+            new Request([], [], [], [], [], ['REQUEST_METHOD' => 'PUT']),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testSkipsAuthorizationWhenMethodDoesNotMatchStringConstraint()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->never())->method('isGranted');
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'adminWithMethodGet'],
+            [],
+            new Request([], [], [], [], [], ['REQUEST_METHOD' => 'POST']),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php
@@ -77,4 +77,14 @@ public function withNestedExpressionInSubject($post, $arg2Name)
     public function withRequestAsSubject()
     {
     }
+
+    #[IsGranted(attribute: 'ROLE_ADMIN', methods: 'get')]
+    public function adminWithMethodGet(): void
+    {
+    }
+
+    #[IsGranted(attribute: 'ROLE_ADMIN', methods: ['GET', 'POST'])]
+    public function adminWithMethodGetAndPost(): void
+    {
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -77,4 +77,14 @@ public function withNestedExpressionInSubject($post, $arg2Name)`
`77`	`77`	`public function withRequestAsSubject()`
`78`	`78`	`{`
`79`	`79`	`}`
	`80`	`+`
	`81`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', methods: 'get')]`
	`82`	`+ public function adminWithMethodGet(): void`
	`83`	`+ {`
	`84`	`+ }`
	`85`	`+`
	`86`	`+ #[IsGranted(attribute: 'ROLE_ADMIN', methods: ['GET', 'POST'])]`
	`87`	`+ public function adminWithMethodGetAndPost(): void`
	`88`	`+ {`
	`89`	`+ }`
`80`	`90`	`}`