[Symfony 7.3] Replace AuthorizationChecker with AccessDecisionManager in voters

meddrh · meddrh · commit e64d0b2790b6 · 2026-01-13T15:12:43.000+01:00
diff --git a/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/AuthorizationCheckerToAccessDecisionManagerInVoterRectorTest.php b/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/AuthorizationCheckerToAccessDecisionManagerInVoterRectorTest.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Rector\Symfony\Tests\Symfony73\Rector\Class_\AuthorizationCheckerToAccessDecisionManagerInVoterRector;
+
+use Iterator;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Rector\Testing\PHPUnit\AbstractRectorTestCase;
+
+final class AuthorizationCheckerToAccessDecisionManagerInVoterRectorTest extends AbstractRectorTestCase
+{
+    #[DataProvider('provideData')]
+    public function test(string $filePath): void
+    {
+        $this->doTestFile($filePath);
+    }
+
+    public static function provideData(): Iterator
+    {
+        return self::yieldFilesFromDirectory(__DIR__ . '/Fixture');
+    }
+
+    public function provideConfigFilePath(): string
+    {
+        return __DIR__ . '/config/configured_rule.php';
+    }
+}
diff --git a/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/Fixture/authorization_checker_voter.php.inc b/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/Fixture/authorization_checker_voter.php.inc
@@ -0,0 +1,49 @@
+<?php
+
+namespace Rector\Symfony\Tests\Symfony73\Rector\Class_\AuthorizationCheckerToAccessDecisionManagerInVoterRector\Fixture;
+
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class AuthorizationCheckerVoter extends Voter
+{
+    public function __construct(
+        private AuthorizationCheckerInterface $authorizationChecker
+    ) {}
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return true;
+    }
+
+    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
+    {
+        return $this->authorizationChecker->isGranted('ROLE_ADMIN');
+    }
+}
+-----
+<?php
+
+namespace Rector\Symfony\Tests\Symfony73\Rector\Class_\AuthorizationCheckerToAccessDecisionManagerInVoterRector\Fixture;
+
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class AuthorizationCheckerVoter extends Voter
+{
+    public function __construct(
+        private AccessDecisionManagerInterface $accessDecisionManager
+    ) {}
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return true;
+    }
+
+    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
+    {
+        return $this->accessDecisionManager->decide($token, ['ROLE_ADMIN']);
+    }
+}
diff --git a/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/config/configured_rule.php b/rules-tests/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector/config/configured_rule.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+use Rector\Config\RectorConfig;
+use Rector\Symfony\Symfony73\Rector\Class_\AuthorizationCheckerToAccessDecisionManagerInVoterRector;
+
+return RectorConfig::configure()
+    ->withRules([
+        AuthorizationCheckerToAccessDecisionManagerInVoterRector::class,
+    ]);
diff --git a/rules/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector.php b/rules/Symfony73/Rector/Class_/AuthorizationCheckerToAccessDecisionManagerInVoterRector.php
@@ -0,0 +1,274 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Rector\Symfony\Symfony73\Rector\Class_;
+
+use PhpParser\Node;
+use PhpParser\Node\Arg;
+use PhpParser\Node\ArrayItem;
+use PhpParser\Node\Expr\Array_;
+use PhpParser\Node\Expr\MethodCall;
+use PhpParser\Node\Expr\PropertyFetch;
+use PhpParser\Node\Expr\Variable;
+use PhpParser\Node\Identifier;
+use PhpParser\Node\Name;
+use PhpParser\Node\Stmt\Class_;
+use PhpParser\Node\Stmt\ClassMethod;
+use PhpParser\Node\Stmt\Namespace_;
+use PhpParser\Node\Stmt\Use_;
+use PHPStan\Type\ObjectType;
+use Rector\Rector\AbstractRector;
+use Rector\Symfony\Enum\SymfonyClass;
+use Symplify\RuleDocGenerator\ValueObject\CodeSample\CodeSample;
+use Symplify\RuleDocGenerator\ValueObject\RuleDefinition;
+
+/**
+ * @see \Rector\Symfony\Tests\Symfony73\Rector\Class_\AuthorizationCheckerToAccessDecisionManagerInVoterRector\AuthorizationCheckerToAccessDecisionManagerInVoterRectorTest
+ */
+final class AuthorizationCheckerToAccessDecisionManagerInVoterRector extends AbstractRector
+{
+    private const AUTHORIZATION_CHECKER_PROPERTY = 'authorizationChecker';
+    private const ACCESS_DECISION_MANAGER_PROPERTY = 'accessDecisionManager';
+
+    private const ACCESS_DECISION_MANAGER_SHORT_NAME = 'AccessDecisionManagerInterface';
+
+    public function getRuleDefinition(): RuleDefinition
+    {
+        return new RuleDefinition(
+            'Replaces AuthorizationCheckerInterface with AccessDecisionManagerInterface inside Symfony Voters',
+            [
+                new CodeSample(
+                    <<<'CODE_SAMPLE'
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class PostVoter extends Voter
+{
+    public function __construct(
+        private AuthorizationCheckerInterface $authorizationChecker
+    ) {}
+
+    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
+    {
+        return $this->authorizationChecker->isGranted('ROLE_ADMIN');
+    }
+}
+CODE_SAMPLE
+                    ,
+                    <<<'CODE_SAMPLE'
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class PostVoter extends Voter
+{
+    public function __construct(
+        private AccessDecisionManagerInterface $accessDecisionManager
+    ) {}
+
+    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
+    {
+        return $this->accessDecisionManager->decide($token, ['ROLE_ADMIN']);
+    }
+}
+CODE_SAMPLE
+                ),
+            ]
+        );
+    }
+
+    public function getNodeTypes(): array
+    {
+        return [Namespace_::class];
+    }
+
+    public function refactor(Node $node): ?Node
+    {
+        $hasChanged = false;
+
+        foreach ($node->stmts as $stmt) {
+            if (! $stmt instanceof Class_) {
+                continue;
+            }
+
+            if ($this->refactorVoterClass($stmt)) {
+                $hasChanged = true;
+            }
+        }
+
+        if (! $hasChanged) {
+            return null;
+        }
+
+        $this->replaceUseImport(
+            $node,
+            SymfonyClass::AUTHORIZATION_CHECKER_INTERFACE,
+            SymfonyClass::ACCESS_DECISION_MANAGER_INTERFACE
+        );
+
+        return $node;
+    }
+
+    private function refactorVoterClass(Class_ $class): bool
+    {
+        if ($class->extends === null || ! $this->isName($class->extends, SymfonyClass::VOTER_CLASS)) {
+            return false;
+        }
+
+        $hasChanged = false;
+        $renamedPropertyByOldName = [];
+
+        $authorizationCheckerType = new ObjectType(SymfonyClass::AUTHORIZATION_CHECKER_INTERFACE);
+
+        // properties
+        foreach ($class->getProperties() as $property) {
+            if (! $this->isObjectType($property, $authorizationCheckerType)) {
+                continue;
+            }
+
+            $property->type = new Name(self::ACCESS_DECISION_MANAGER_SHORT_NAME);
+
+            foreach ($property->props as $propertyProperty) {
+                if ($this->getName($propertyProperty) === self::AUTHORIZATION_CHECKER_PROPERTY) {
+                    $propertyProperty->name = new Identifier(self::ACCESS_DECISION_MANAGER_PROPERTY);
+                    $renamedPropertyByOldName[self::AUTHORIZATION_CHECKER_PROPERTY]
+                        = self::ACCESS_DECISION_MANAGER_PROPERTY;
+                }
+            }
+
+            $hasChanged = true;
+        }
+
+        // promoted properties
+        $constructor = $class->getMethod('__construct');
+        if ($constructor instanceof ClassMethod) {
+            foreach ($constructor->params as $param) {
+                if (
+                    $param->type === null
+                    || ! $this->isName($param->type, SymfonyClass::AUTHORIZATION_CHECKER_INTERFACE)
+                ) {
+                    continue;
+                }
+
+                $param->type = new Name(self::ACCESS_DECISION_MANAGER_SHORT_NAME);
+
+                if (
+                    $param->var instanceof Variable
+                    && $this->getName($param->var) === self::AUTHORIZATION_CHECKER_PROPERTY
+                ) {
+                    $param->var->name = self::ACCESS_DECISION_MANAGER_PROPERTY;
+                    $renamedPropertyByOldName[self::AUTHORIZATION_CHECKER_PROPERTY]
+                        = self::ACCESS_DECISION_MANAGER_PROPERTY;
+                }
+
+                $hasChanged = true;
+            }
+        }
+
+        // isGranted → decide
+        $voteMethod = $class->getMethod('voteOnAttribute');
+        if ($voteMethod instanceof ClassMethod) {
+            $this->traverseNodesWithCallable(
+                $voteMethod,
+                function (Node $node) use (
+                    &$hasChanged,
+                    $voteMethod,
+                    $renamedPropertyByOldName
+                ) {
+                    if (
+                        ! $node instanceof MethodCall
+                        || ! $this->isName($node->name, 'isGranted')
+                        || ! $node->var instanceof PropertyFetch
+                    ) {
+                        return null;
+                    }
+
+                    $propertyName = $this->getName($node->var->name);
+                    if ($propertyName === null || ! isset($renamedPropertyByOldName[$propertyName])) {
+                        return null;
+                    }
+
+                    $node->var->name = new Identifier($renamedPropertyByOldName[$propertyName]);
+                    $node->name = new Identifier('decide');
+
+                    $tokenVariable = $voteMethod->params[2]->var ?? null;
+                    if (! $tokenVariable instanceof Variable) {
+                        return null;
+                    }
+
+                    $attributeArgument = $node->args[0] ?? null;
+                    if ($attributeArgument === null) {
+                        return null;
+                    }
+
+                    $node->args = [
+                        new Arg($tokenVariable),
+                        new Arg(new Array_([new ArrayItem($attributeArgument->value)])),
+                    ];
+
+                    $hasChanged = true;
+                    return $node;
+                }
+            );
+        }
+
+        return $hasChanged;
+    }
+
+    private function replaceUseImport(Namespace_ $namespace, string $oldFqn, string $newFqn): void
+    {
+        $hasNewImport = false;
+
+        foreach ($namespace->stmts as $stmt) {
+            if (! $stmt instanceof Use_) {
+                continue;
+            }
+
+            foreach ($stmt->uses as $useUse) {
+                if ($this->isName($useUse->name, $newFqn)) {
+                    $hasNewImport = true;
+                    break 2;
+                }
+            }
+        }
+
+        foreach ($namespace->stmts as $index => $stmt) {
+            if (! $stmt instanceof Use_) {
+                continue;
+            }
+
+            $newUses = [];
+            $hasChanged = false;
+
+            foreach ($stmt->uses as $useUse) {
+                if ($this->isName($useUse->name, $oldFqn)) {
+                    $hasChanged = true;
+
+                    if (! $hasNewImport) {
+                        $useUse->name = new Name($newFqn);
+                        $newUses[] = $useUse;
+                        $hasNewImport = true;
+                    }
+
+                    continue;
+                }
+
+                $newUses[] = $useUse;
+            }
+
+            if (! $hasChanged) {
+                continue;
+            }
+
+            if ($newUses === []) {
+                unset($namespace->stmts[$index]);
+                $namespace->stmts = array_values($namespace->stmts);
+                continue;
+            }
+
+            $stmt->uses = $newUses;
+        }
+    }
+}
diff --git a/src/Enum/SymfonyClass.php b/src/Enum/SymfonyClass.php
@@ -206,6 +206,16 @@ final class SymfonyClass
      */
     public const VOTER_CLASS = 'Symfony\Component\Security\Core\Authorization\Voter\Voter';
 
+    /**
+     * @var string
+     */
+    public const AUTHORIZATION_CHECKER_INTERFACE = 'Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface';
+
+    /**
+     * @var string
+     */
+    public const ACCESS_DECISION_MANAGER_INTERFACE = 'Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface';
+
     /**
      * @var string
      */
