Security protects access to RESOURCEs, not to OPERATIONs
API Platform version(s) affected: 3.2.13
Description
The security system works only at the resource level, not at the operation level. For example, ROLE_WORKER doesn't have access to the PUT /workers/{id} operation (not even to himself), but ROLE_MANAGER has access, and only to workers (resources) from his team.
Now when ROLE_WORKER calls PUT /workers/1, (s)he gets a 401 response (that's OK!), but under the hood the custom provider/doctrine extensions run too. They shouldn't, because the worker doesn't have access to that operation.
The only way to deny access to the operation is the access_control section in the config/packages/security.yaml file.
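As an added example (not part of the issue), the firewall-level workaround described above for the worker/manager case: the `access_control` rule is evaluated by Symfony's firewall before any API Platform state provider or Doctrine extension runs, so the rejected request never reaches them. The `/workers` paths and role names are those from the description; the `methods` list is an assumption.

```yaml
# config/packages/security.yaml (added example, not from the issue)
security:
    # ... providers, password hashers and firewalls unchanged ...
    access_control:
        # Firewall-level rule, matched before the kernel dispatches to
        # API Platform: a ROLE_WORKER calling PUT /workers/1 is denied here,
        # so the custom provider / Doctrine extension never executes.
        # Rules are checked in order; the first matching path wins.
        - { path: ^/workers/\d+$, methods: [PUT, PATCH, DELETE], roles: ROLE_MANAGER }
        # Reads (GET) on workers remain open to any authenticated role.
        # Several roles in one rule mean "any of these" (OR), so managers
        # still pass without relying on role_hierarchy.
        - { path: ^/workers, roles: [ROLE_USER, ROLE_MANAGER] }
```

The "only workers from his team" condition still has to live in the resource's `security` expression (for instance `object.team == user.team`, where `team` is an assumed field), because it needs the loaded object and can only be evaluated after the provider has run.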
How to reproduce
- install the newest version of api-platform (https://github.com/api-platform/api-platform/releases/tag/v3.2.13),
- create a new custom provider/doctrine extension (can be empty) and set it up for the Greeting resource,
- put `die(__CLASS__)` in the provider/extension,
- set up in the Greeting resource `security: "is_granted('ROLE_USER')"`,
- call any action (not POST) on `/greetings[/1]`,
- you will get the class name in the response,
- set up in `access_control` `- { path: ^/greetings, roles: ROLE_USER }`,
- call any action (not POST) on `/greetings[/1]`,
- you will get 401.
Possible Solution
Update the security documentation introduction: "You cannot apply access control expressions at the operation level. Use access_control in the config/packages/security.yaml file instead".
Or add a new property to ApiResource/operations, operation_security, which would protect operation access, while the security property would keep protecting resource access as it does now.
Additional Context
Other issues address the same problem:
- https://github.com/api-platform/core/issues/4098
- https://github.com/api-platform/core/issues/4075
- https://github.com/api-platform/core/issues/4436