-
-
Notifications
You must be signed in to change notification settings - Fork 892
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor: Refactor ReadProvider.php and AccessCheckerProvider.php to …
…extract link security into their own providers
- Loading branch information
1 parent
c374794
commit 16b9558
Showing
9 changed files
with
284 additions
and
136 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| <?xml version="1.0" ?> | ||
|
|
||
| <container xmlns="http://symfony.com/schema/dic/services" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd"> | ||
|
|
||
| <services> | ||
|
|
||
| <service id="api_platform.state_provider.read_link" class="ApiPlatform\Symfony\Security\State\LinkedReadProvider" decorates="api_platform.state_provider.read" decoration-priority="499"> | ||
| <argument type="service" id="api_platform.state_provider.read_link.inner" /> | ||
| <argument type="service" id="api_platform.state_provider.locator" /> | ||
| <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" /> | ||
| </service> | ||
|
|
||
| <service id="api_platform.state_provider.access_checker_linked" class="ApiPlatform\Symfony\Security\State\LinkAccessCheckerProvider" decorates="api_platform.state_provider.read"> | ||
| <argument type="service" id="api_platform.state_provider.access_checker_linked.inner" /> | ||
| <argument type="service" id="api_platform.security.resource_access_checker" /> | ||
| </service> | ||
| </services> | ||
| </container> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the API Platform project. | ||
| * | ||
| * (c) Kévin Dunglas <[email protected]> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace ApiPlatform\Symfony\Security\State; | ||
|
|
||
| use ApiPlatform\Metadata\HttpOperation; | ||
| use ApiPlatform\Metadata\Link; | ||
| use ApiPlatform\Metadata\Operation; | ||
| use ApiPlatform\State\ProviderInterface; | ||
| use ApiPlatform\Symfony\Security\Exception\AccessDeniedException; | ||
| use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface; | ||
|
|
||
| class LinkAccessCheckerProvider implements ProviderInterface | ||
| { | ||
| public function __construct( | ||
| private readonly ProviderInterface $decorated, | ||
| private readonly ResourceAccessCheckerInterface $resourceAccessChecker | ||
| ) { | ||
| } | ||
|
|
||
| public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null | ||
| { | ||
| $request = ($context['request'] ?? null); | ||
|
|
||
| $data = $this->decorated->provide($operation, $uriVariables, $context); | ||
|
|
||
| if ($operation instanceof HttpOperation && $operation->getUriVariables()) { | ||
| foreach ($operation->getUriVariables() as $uriVariable) { | ||
| if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) { | ||
| continue; | ||
| } | ||
|
|
||
| $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass(); | ||
|
|
||
| if (!$targetResource) { | ||
| continue; | ||
| } | ||
|
|
||
| $propertyName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty(); | ||
| $securityObjectName = $uriVariable->getSecurityObjectName(); | ||
|
|
||
| if (!$securityObjectName) { | ||
| $securityObjectName = $propertyName; | ||
| } | ||
|
|
||
| if (!$securityObjectName) { | ||
| continue; | ||
| } | ||
|
|
||
| $resourceAccessCheckerContext = [ | ||
| 'object' => $data, | ||
| 'previous_object' => $request?->attributes->get('previous_data'), | ||
| $securityObjectName => $request?->attributes->get($securityObjectName), | ||
| 'request' => $request, | ||
| ]; | ||
|
|
||
| if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $resourceAccessCheckerContext)) { | ||
| throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.'); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| return $data; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the API Platform project. | ||
| * | ||
| * (c) Kévin Dunglas <[email protected]> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace ApiPlatform\Symfony\Security\State; | ||
|
|
||
| use ApiPlatform\Exception\InvalidIdentifierException; | ||
| use ApiPlatform\Exception\InvalidUriVariableException; | ||
| use ApiPlatform\Metadata\HttpOperation; | ||
| use ApiPlatform\Metadata\Link; | ||
| use ApiPlatform\Metadata\Operation; | ||
| use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface; | ||
| use ApiPlatform\State\Exception\ProviderNotFoundException; | ||
| use ApiPlatform\State\ProviderInterface; | ||
| use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; | ||
|
|
||
| class LinkedReadProvider implements ProviderInterface | ||
| { | ||
| public function __construct( | ||
| private readonly ProviderInterface $decorated, | ||
| private readonly ProviderInterface $locator, | ||
| private readonly ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory | ||
| ) { | ||
| } | ||
|
|
||
| public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null | ||
| { | ||
| $data = $this->decorated->provide($operation, $uriVariables, $context); | ||
|
|
||
| if (!$operation instanceof HttpOperation) { | ||
| return $data; | ||
| } | ||
|
|
||
| $request = ($context['request'] ?? null); | ||
|
|
||
| if ($operation->getUriVariables()) { | ||
| foreach ($operation->getUriVariables() as $key => $uriVariable) { | ||
| if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) { | ||
| continue; | ||
| } | ||
|
|
||
| $relationClass = $uriVariable->getFromClass() ?? $uriVariable->getToClass(); | ||
|
|
||
| if (!$relationClass) { | ||
| continue; | ||
| } | ||
|
|
||
| $parentOperation = $this->resourceMetadataCollectionFactory | ||
| ->create($relationClass) | ||
| ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? null); | ||
| try { | ||
| $relation = $this->locator->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $request?->attributes->all()[$key]], $context); | ||
| } catch (ProviderNotFoundException) { | ||
| $relation = null; | ||
| } | ||
|
|
||
| if (!$relation) { | ||
| throw new NotFoundHttpException('Relation for link security not found.'); | ||
| } | ||
|
|
||
| try { | ||
| $securityObjectName = $uriVariable->getSecurityObjectName(); | ||
|
|
||
| if (!$securityObjectName) { | ||
| $securityObjectName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty(); | ||
| } | ||
|
|
||
| $request?->attributes->set($securityObjectName, $relation); | ||
| } catch (InvalidIdentifierException|InvalidUriVariableException $e) { | ||
| throw new NotFoundHttpException('Invalid identifier value or configuration.', $e); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| return $data; | ||
| } | ||
| } |
Oops, something went wrong.