feat(security): add roles param to simplfy migration

Author: sidux

src/Attribute/Security.php

@@ -8,14 +8,16 @@
 final class Security extends Attribute
 {
     /**
-     * @param array<string>|string|null       $handlers
+     * @param array<string>|string|null $handlers
+     * @param array<string>|null $roles
      * @param class-string<\RuntimeException> $exception
      */
     public function __construct(
-        public readonly ?string  $expression = null,
+        public readonly ?string $expression = null,
         public array|string|null $handlers = null,
-        public ?string           $message = null,
-        public ?string           $exception = null,
+        public ?string $message = null,
+        public ?string $exception = null,
+        public ?array $roles = null,
     ) {
         parent::__construct();
         $this->setHandlers($handlers);

src/Interceptor/Impl/SecurityInterceptor.php

@@ -51,10 +51,25 @@ public function prefix(Instance $instance): Response
             return new Response();
         }
 
+        $rolesExpressions = null;
+        if ($attribute->roles !== null) {
+            if ($attribute->expression !== null) {
+                throw new \RuntimeException('You cannot use both roles and expression in the Security attribute.');
+            }
+            $rolesExpressions = array_map(
+                static fn (string $role) => "is_granted('{$role}')",
+                $attribute->roles
+            );
+        }
+
         $expression = $attribute->expression;
         if ($expression === null) {
-            $role = $this->guessRoleName($instance);
-            $expression = "is_granted('{$role}')";
+            if ($rolesExpressions !== null) {
+                $expression = implode(' or ', $rolesExpressions);
+            } else {
+                $role = $this->guessRoleName($instance);
+                $expression = "is_granted('{$role}')";
+            }
         }
         $handlers = $this->getHandlers(SecurityHandler::class, $attribute);
         foreach ($handlers as $handler) {

tests/Double/Stub/Security/SecurityAnnotatedClass.php

@@ -61,4 +61,19 @@ public function accessDeniedWithMessage(): void
     public function accessDeniedWithException(): void
     {
     }
+
+    #[Security(roles: ['ROLE_1'])]
+    public function rolesParamOne(): void
+    {
+    }
+
+    #[Security(roles: ['ROLE_3', 'ROLE_1'])]
+    public function rolesParamMultiple(): void
+    {
+    }
+
+    #[Security("is_granted('ROLE_1')", roles: ['ROLE_1', 'ROLE_2'])]
+    public function conflict(): void
+    {
+    }
 }

tests/Interceptor/SecurityInterceptorTest.php

@@ -111,4 +111,22 @@ public function testAccessDeniedWithException(): void
         $this->expectExceptionMessage('Invalid argument.');
         $this->proxy->accessDeniedWithException();
     }
+
+    public function testWithRolesParamOne(): void
+    {
+        $this->proxy->rolesParamOne();
+        $this->assertSame(['ROLE_1'], $this->handler->attributes);
+    }
+
+    public function testWithRolesParamMultiple(): void
+    {
+        $this->proxy->rolesParamMultiple();
+        $this->assertSame(['ROLE_3', 'ROLE_1'], $this->handler->attributes);
+    }
+
+    public function testWithRolesAndExpressionShouldThrow(): void
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->proxy->conflict();
+    }
 }