Allow to show what permissions a user is lacking in case of access denied message

Should help with errors like 1026

Author: jbtronics

src/Security/Voter/PermissionVoter.php

@@ -24,6 +24,7 @@
 
 use App\Services\UserSystem\VoterHelper;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 
 /**
@@ -39,12 +40,17 @@ public function __construct(private readonly VoterHelper $helper)
 
     }
 
-    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
     {
         $attribute = ltrim($attribute, '@');
         [$perm, $op] = explode('.', $attribute);
 
-        return $this->helper->isGranted($token, $perm, $op);
+        $result = $this->helper->isGranted($token, $perm, $op);
+        if ($result === false) {
+            $this->helper->addReason($vote, $perm, $op);
+        }
+
+        return $result;
     }
 
     public function supportsAttribute(string $attribute): bool

src/Services/UserSystem/VoterHelper.php

@@ -28,17 +28,24 @@
 use App\Security\ApiTokenAuthenticatedToken;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
  * @see \App\Tests\Services\UserSystem\VoterHelperTest
  */
 final class VoterHelper
 {
     private readonly UserRepository $userRepository;
+    private readonly array $permissionStructure;
 
-    public function __construct(private readonly PermissionManager $permissionManager, private readonly EntityManagerInterface $entityManager)
+    public function __construct(private readonly PermissionManager $permissionManager,
+        private readonly TranslatorInterface $translator,
+        private readonly EntityManagerInterface $entityManager)
     {
         $this->userRepository = $this->entityManager->getRepository(User::class);
+        $this->permissionStructure = $this->permissionManager->getPermissionStructure();
     }
 
     /**
@@ -124,4 +131,17 @@ public function isValidOperation(string $permission, string $operation): bool
     {
         return $this->permissionManager->isValidOperation($permission, $operation);
     }
-}
+
+    public function addReason(?Vote $voter, string $permission, $operation): void
+    {
+        if ($voter !== null) {
+            $voter->addReason(sprintf("User does not have permission %s -> %s -> %s (%s.%s).",
+                $this->translator->trans('perm.group.'.$this->permissionStructure['perms'][$permission]['group'] ?? 'default' ),
+                $this->translator->trans($this->permissionStructure['perms'][$permission]['label'] ?? $permission),
+                $this->translator->trans($this->permissionStructure['perms'][$permission]['operations'][$operation]['label'] ?? $operation),
+                $permission,
+                $operation
+            ));
+        }
+    }
+}

templates/bundles/TwigBundle/Exception/error403.html.twig

@@ -1,6 +1,9 @@
 {% extends "bundles/TwigBundle/Exception/error.html.twig" %}
 
 {% block status_comment %}
-    Nice try! But you are not allowed to do this!
+    Nice try! But you are not allowed to do this!<br>
+    <code>{{ exception.message }}</code>
     <br> <small>If you think you should have access to this ressource, contact the adminstrator.</small>
-{% endblock %}
+
+
+{% endblock %}