KnpLabs / KnpMenu

Menu Library for PHP

Home Page: https://knplabs.com


RouteVoter missing check


The RouteVoter only checks if parameters in the testedRoute match, but should also check if all parameters in the request are matched. The number of parameters is not necessarily equal.

$routeParameters = $this->request->attributes->get('_route_params', array());

foreach ($routeParameters as $name => $value) {
    if (!isset($testedRoute['parameters'][$name]) || $testedRoute['parameters'][$name] !== (string) $value) {
        return false;
    }
}

I believe the requested route parameters should be compared to the tested route parameters and not the other way around like it is now.

Is the code above what we currently do or what you think we should do? If it's about what we do, it feels right to me. If there is an additional query string like ?_nocache on the actual request, this should not break the matching. The matcher also matches the route name and you should list all parameters that are in the route unless you want to match e.g. all products for a route /products/{id}.

The above code is what I think you should do. The current code is:

foreach ($testedRoute['parameters'] as $name => $value) {
    if (!isset($routeParameters[$name]) || $routeParameters[$name] !== (string) $value) {
        return false;
    }
}

So

  • current behaviour: if the route has extra parameters, we don't match it.
  • your suggestion: ignore extra parameters and only care about the ones in the definition of what we want to match.

For the use case of current menu item, I find your logic makes more sense. But I am a bit afraid of there being a BC break. If somebody is relying on this, they would suddenly match too many menu entries.

@stof how do you feel about this? can we change this? should we have a "strict parameter matching" flag to guarantee BC that is true by default, but can be set to false?

Well, the current behavior is to allow to have any extra parameters alongside the ones specified in the menu config: specified parameters must match the provided value, but extra unknown params are fine.
I don't want to change this behavior. This would be a huge BC break, and it would make the voter much less flexible (I have lots of cases where I need to match based on 1 parameter, but don't care at all about the values of others as they contain ids of sub-resources, especially when using a regexp for the route name).

The code suggested in the issue description has another flaw (which would make it fail tests btw): if the route does not have the expected parameter at all, it could still match, because this code loops over defined route attributes, not over expected attributes.
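
The two loops quoted in this thread, run side by side on constructed inputs. This is an added example, not KnpMenu code: the function names `matchesCurrent` and `matchesProposed`, the parameter name `commentId` and the sample values are assumptions made for illustration. The third case is the one the last comment describes, where the request does not carry the expected parameter at all.

```php
<?php
// Added illustration, not KnpMenu source: both loops from the thread as standalone functions.

/** Current voter loop: every parameter expected by the menu item must be in the request. */
function matchesCurrent(array $expected, array $routeParameters): bool
{
    foreach ($expected as $name => $value) {
        if (!isset($routeParameters[$name]) || $routeParameters[$name] !== (string) $value) {
            return false;
        }
    }
    return true;
}

/** Loop proposed in the issue: every request parameter must be in the menu item's list. */
function matchesProposed(array $expected, array $routeParameters): bool
{
    foreach ($routeParameters as $name => $value) {
        if (!isset($expected[$name]) || $expected[$name] !== (string) $value) {
            return false;
        }
    }
    return true;
}

// Constructed cases: [label, parameters expected by the menu item, request _route_params]
$cases = [
    ['exact match', ['id' => '5'], ['id' => '5']],
    ['request has extra parameter', ['id' => '5'], ['id' => '5', 'commentId' => '9']],
    ['request lacks expected param', ['id' => '5'], []],
    ['value differs', ['id' => '5'], ['id' => '6']],
];

foreach ($cases as [$label, $expected, $actual]) {
    printf("%-30s current=%-5s proposed=%s\n", $label,
        var_export(matchesCurrent($expected, $actual), true),
        var_export(matchesProposed($expected, $actual), true));
}
```

With an empty `_route_params` array the proposed loop never runs its body, so it reports a match for a menu item that expects `id`; the current loop rejects that case and accepts the request with the extra parameter.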