rectorphp · TomasVotruba · Apr 8, 2025 · Apr 8, 2025
diff --git a/config/sets/symfony/symfony-code-quality.php b/config/sets/symfony/symfony-code-quality.php
@@ -9,14 +9,14 @@
 use Rector\Symfony\CodeQuality\Rector\Class_\EventListenerToEventSubscriberRector;
 use Rector\Symfony\CodeQuality\Rector\Class_\InlineClassRoutePrefixRector;
 use Rector\Symfony\CodeQuality\Rector\Class_\LoadValidatorMetadataToAnnotationRector;
+use Rector\Symfony\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector;
 use Rector\Symfony\CodeQuality\Rector\ClassMethod\ActionSuffixRemoverRector;
 use Rector\Symfony\CodeQuality\Rector\ClassMethod\ParamTypeFromRouteRequiredRegexRector;
 use Rector\Symfony\CodeQuality\Rector\ClassMethod\RemoveUnusedRequestParamRector;
 use Rector\Symfony\CodeQuality\Rector\ClassMethod\ResponseReturnTypeControllerActionRector;
 use Rector\Symfony\CodeQuality\Rector\MethodCall\AssertSameResponseCodeWithDebugContentsRector;
 use Rector\Symfony\CodeQuality\Rector\MethodCall\LiteralGetToRequestClassConstantRector;
 use Rector\Symfony\Symfony26\Rector\MethodCall\RedirectToRouteRector;
-use Rector\Symfony\Symfony62\Rector\Class_\SecurityAttributeToIsGrantedAttributeRector;
 
 return static function (RectorConfig $rectorConfig): void {
     $rectorConfig->rules([
@@ -43,5 +43,6 @@
 
         // narrow attributes
         SingleConditionSecurityAttributeToIsGrantedRector::class,
+        SplitAndSecurityAttributeToIsGrantedRector::class,
     ]);
 };
diff --git a/...y/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector/Fixture/skip_single_or.php.inc b/...y/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector/Fixture/skip_single_or.php.inc
@@ -0,0 +1,11 @@
+<?php
+
+namespace Rector\Symfony\Tests\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector\Fixture;
+
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+
+#[Security("(is_granted('ROLE_USER') and is_granted('ROLE_ADMIN')) or is_granted('ROLE_SUDO')")]
+final class TwoSecurityAttributes
+{
+
+}
diff --git a/...Class_/SplitAndSecurityAttributeToIsGrantedRector/Fixture/two_security_attributes.php.inc b/...Class_/SplitAndSecurityAttributeToIsGrantedRector/Fixture/two_security_attributes.php.inc
@@ -0,0 +1,27 @@
+<?php
+
+namespace Rector\Symfony\Tests\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector\Fixture;
+
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+
+#[Security("is_granted('ROLE_USER') and is_granted('ROLE_ADMIN')")]
+final class TwoSecurityAttributes
+{
+
+}
+
+?>
+-----
+<?php
+
+namespace Rector\Symfony\Tests\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector\Fixture;
+
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+
+#[\Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted('ROLE_USER')]
+#[\Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted('ROLE_ADMIN')]
+final class TwoSecurityAttributes
+{
+}
+
+?>
diff --git a/...tAndSecurityAttributeToIsGrantedRector/SplitAndSecurityAttributeToIsGrantedRectorTest.php b/...tAndSecurityAttributeToIsGrantedRector/SplitAndSecurityAttributeToIsGrantedRectorTest.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Rector\Symfony\Tests\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector;
+
+use Iterator;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Rector\Testing\PHPUnit\AbstractRectorTestCase;
+
+final class SplitAndSecurityAttributeToIsGrantedRectorTest extends AbstractRectorTestCase
+{
+    #[DataProvider('provideData')]
+    public function test(string $filePath): void
+    {
+        $this->doTestFile($filePath);
+    }
+
+    public static function provideData(): Iterator
+    {
+        return self::yieldFilesFromDirectory(__DIR__ . '/Fixture');
+    }
+
+    public function provideConfigFilePath(): string
+    {
+        return __DIR__ . '/config/configured_rule.php';
+    }
+}
diff --git a/...ality/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector/config/configured_rule.php b/...ality/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector/config/configured_rule.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+use Rector\Config\RectorConfig;
+use Rector\Symfony\CodeQuality\Rector\Class_\SplitAndSecurityAttributeToIsGrantedRector;
+
+return static function (RectorConfig $rectorConfig): void {
+    $rectorConfig->rule(SplitAndSecurityAttributeToIsGrantedRector::class);
+};
diff --git a/...s/CodeQuality/Rector/AttributeGroup/SingleConditionSecurityAttributeToIsGrantedRector.php b/...s/CodeQuality/Rector/AttributeGroup/SingleConditionSecurityAttributeToIsGrantedRector.php
@@ -19,6 +19,8 @@
 /**
  * @see https://github.com/symfony/symfony/pull/27305/
  * @see https://stackoverflow.com/a/65439590/1348344
+ *
+ * @see \Rector\Symfony\Tests\CodeQuality\Rector\AttributeGroup\SingleConditionSecurityAttributeToIsGrantedRector\SingleConditionSecurityAttributeToIsGrantedRectorTest
  */
 final class SingleConditionSecurityAttributeToIsGrantedRector extends AbstractRector
 {

diff --git a/rules/CodeQuality/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector.php b/rules/CodeQuality/Rector/Class_/SplitAndSecurityAttributeToIsGrantedRector.php
@@ -0,0 +1,125 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Rector\Symfony\CodeQuality\Rector\Class_;
+
+use PhpParser\Node\Name\FullyQualified;
+use Nette\Utils\Strings;
+use PhpParser\Node;
+use PhpParser\Node\Arg;
+use PhpParser\Node\Attribute;
+use PhpParser\Node\AttributeGroup;
+use PhpParser\Node\Scalar\String_;
+use PhpParser\Node\Stmt\Class_;
+use PhpParser\Node\Stmt\ClassMethod;
+use Rector\Rector\AbstractRector;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+use Symplify\RuleDocGenerator\ValueObject\CodeSample\CodeSample;
+use Symplify\RuleDocGenerator\ValueObject\RuleDefinition;
+
+final class SplitAndSecurityAttributeToIsGrantedRector extends AbstractRector
+{
+    public function getRuleDefinition(): RuleDefinition
+    {
+        return new RuleDefinition(
+            'Split #[Security] attribute with "and" condition string to multiple #[IsGranted] attributes with sole values',
+            [
+                new CodeSample(
+                    <<<'CODE_SAMPLE'
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+
+#[Security("is_granted('ROLE_USER') and has_role('ROLE_ADMIN')")]
+class SomeClass
+{
+}
+CODE_SAMPLE
+                    ,
+                    <<<'CODE_SAMPLE'
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[IsGranted('ROLE_USER')]
+#[IsGranted('ROLE_ADMIN')]
+class SomeClass
+{
+}
+CODE_SAMPLE
+                ),
+
+            ]
+        );
+    }
+
+    public function getNodeTypes(): array
+    {
+        return [Class_::class, ClassMethod::class];
+    }
+
+    /**
+     * @param Class_|ClassMethod $node
+     */
+    public function refactor(Node $node): ?Node
+    {
+        $hasChanged = false;
+
+        foreach ($node->attrGroups as $key => $attrGroup) {
+            foreach ($attrGroup->attrs as $attr) {
+                if (! $this->isName($attr->name, Security::class)) {
+                    continue;
+                }
+
+                $firstArgValue = $attr->args[0]->value;
+                if (! $firstArgValue instanceof String_) {
+                    continue;
+                }
+
+                $content = $firstArgValue->value;
+
+                // unable to resolve with pure attributes
+                if (str_contains($content, ' or ')) {
+                    continue;
+                }
+
+                // we look for "and"s
+                if (! str_contains($content, ' and')) {
+                    continue;
+                }
+
+                $andItems = explode(' and ', $content);
+
+                $accessRights = [];
+
+                foreach ($andItems as $andItem) {
+                    $matches = Strings::match($andItem, '#^(is_granted|has_role)\(\'(?<access_right>[A-Za-z_]+)\'\)$#');
+                    if (! isset($matches['access_right'])) {
+                        // all or nothing
+                        return null;
+                    }
+
+                    $accessRights[] = $matches['access_right'];
+                }
+
+                unset($node->attrGroups[$key]);
+
+                $hasChanged = true;
+
+                foreach ($accessRights as $accessRight) {
+                    $attributeGroup = new AttributeGroup([
+                        new Attribute(new FullyQualified(IsGranted::class), [
+                            new Arg(new String_($accessRight)),
+                        ]),
+                    ]);
+
+                    $node->attrGroups[] = $attributeGroup;
+                }
+            }
+        }
+
+        if ($hasChanged) {
+            return $node;
+        }
+
+        return null;
+    }
+}