custom action with voter hides action on dropdown but you can still perform the action by copying the link

Question

custom action with voter hides action on dropdown but you can still perform the action by copying the link

budzik opened this issue 5 months ago · 1 comments

Describe the bug
Can someone confirm that? is this a bug or am I doing something wrong?
The code is shortened, the same voter works correctly for the default EA actions like NEW, EDIT or DETAILS.
Got error performing default EA actions copying the link on account !ROLE_ADMIN

custom action - is not visible on index list (good)
but i can perform that action on user without permission copying a link (got nice green success flash message)

// TournamentVoter

namespace App\Security\Voter\Tournament;

use App\Entity\Tournament\Tournament;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Bundle\SecurityBundle\Security;

class TournamentVoter extends Voter
{

public const MAKE_SERIES = 'TOURNAMENT_MAKE_SERIES';

public function __construct(private Security $security)
{
}

protected function supports(string $attribute, mixed $subject): bool
{
    return in_array($attribute, [self::MAKE_SERIES])
        && $subject instanceof Tournament;
}

protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
{
    $user = $token->getUser();

    if (!$user instanceof UserInterface) {
        return false;
    }


    switch ($attribute) {

        case self::MAKE_SERIES:
            if (
                (in_array("ROLE_ADMIN", $user->getRoles()))
            )
            {
                return true;
            }
            break;

    }

    return false;
}

}

//TournamentCrudController

#[\Override]
public function configureActions(Actions $actions): Actions
{

    $makeSeries = Action::new('Clone series', 'Klonuj serię')->linkToCrudAction('makeSeries');

    return $actions
        ->add(Crud::PAGE_INDEX, $makeSeries)->setPermission($makeSeries, TournamentVoter::MAKE_SERIES)
    ;
}

public function makeSeries(AdminUrlGenerator $adminUrlGenerator)
{

    $this->addFlash('success', 'Success');

    $url = $adminUrlGenerator
        ->setAction(Action::INDEX)
        ->generateUrl();

    return $this->redirect($url);

}

To Reproduce
Symfony 7.0.6, EA 4.10.0

Answer 1 · 2024-04-25T18:41:16.000Z

#[IsGranted('ROLE_ADMIN')]
public function makeSeries(AdminUrlGenerator $adminUrlGenerator)
{
...
$this->denyAccessUnlessGranted('TOURNAMENT_MAKE_SERIES', $entity);