
Access checks for a DTO created through a resolver should happen after it was created

Open NicoHaase opened this issue 1 year ago • 1 comment

API Platform version(s) affected: 3.3.6

Description
When using ApiPlatform 3.2, a custom DTO created through an instance of QueryItemResolverInterface could run through the security checks after the DTO was created. Since using 3.3, the resolver is run after the security check, such that the validator does not have access to the instance of that DTO.

How to reproduce

Configure a DTO like this:

<?php

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GraphQl\Query;

#[ApiResource(
    graphQlOperations: [
        new Query(
            resolver: SubmissionAggregationResolver::class,
            security: "is_granted('submission_aggregation_read', object)",
            name: 'get'
        ),
    ]
)]
final class SubmissionAggregation // DTO class name assumed; the issue does not show it
{
}

A voter that is responsible for handling the attribute submission_aggregation_read does not have access to the object yet, as it hasn't been initialized during the security checks.

Possible Solution
As implemented for #6354, there could be something like securityAfterResolver which we could use instead of security.

NicoHaase avatar Jun 14 '24 09:06 NicoHaase
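The following is an added example, not code from the issue, from API Platform or from Symfony. It shows the three pieces the issue talks about wired together: the DTO with its GraphQL query operation, the QueryItemResolverInterface implementation that builds the DTO, and the Symfony voter that is supposed to receive that DTO as `object`. The class names SubmissionAggregation, SubmissionAggregationResolver, SubmissionAggregationVoter, Submission and SubmissionRepository are assumptions, the `$context['args']['id']` lookup is an assumption about how the identifier reaches the resolver, and the `securityAfterResolver` operation option is the one proposed in the issue; it is assumed to be available in the installed API Platform version. The security-relevant detail is in the voter's `supports()`: it refuses to vote unless the subject really is the DTO, so if the expression is evaluated before the resolver and `object` is null, the voter abstains and the request is denied instead of a voter accidentally granting access on a null subject.

```php
<?php
// Added example, not code from the issue or from API Platform/Symfony.
// Assumed names: SubmissionAggregation (the DTO), SubmissionAggregationResolver,
// SubmissionAggregationVoter, Submission, SubmissionRepository. Assumes the
// securityAfterResolver operation option discussed in the issue is available
// in the installed API Platform version.

declare(strict_types=1);

use ApiPlatform\GraphQl\Resolver\QueryItemResolverInterface;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GraphQl\Query;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

// Constructed stand-ins for the domain model the resolver reads from.
final class Submission
{
    public function __construct(
        public readonly string $id,
        public readonly string $ownerId,
        public readonly int $entries,
    ) {
    }
}

interface SubmissionRepository
{
    public function find(string $id): ?Submission;
}

#[ApiResource(
    graphQlOperations: [
        new Query(
            resolver: SubmissionAggregationResolver::class,
            // Evaluated after the resolver has run, so `object` is the DTO instance.
            // With `security:` instead, the expression runs first and `object` is null.
            securityAfterResolver: "is_granted('submission_aggregation_read', object)",
            name: 'get'
        ),
    ]
)]
final class SubmissionAggregation
{
    public function __construct(
        public readonly string $id,
        public readonly string $ownerId,
        public readonly int $entries,
    ) {
    }
}

final class SubmissionAggregationResolver implements QueryItemResolverInterface
{
    public function __construct(private readonly SubmissionRepository $submissions)
    {
    }

    public function __invoke(?object $item, array $context): object
    {
        // For a DTO there is no pre-loaded item; the id arrives as a GraphQL argument
        // (assumed to be exposed under $context['args']).
        $id = $context['args']['id'] ?? throw new \InvalidArgumentException('Argument "id" is required.');
        $submission = $this->submissions->find((string) $id)
            ?? throw new \RuntimeException(sprintf('Submission "%s" not found.', $id));

        return new SubmissionAggregation($submission->id, $submission->ownerId, $submission->entries);
    }
}

final class SubmissionAggregationVoter extends Voter
{
    public const READ = 'submission_aggregation_read';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Vote only on a materialised DTO. If the expression is evaluated before the
        // resolver (the 3.3 behaviour described in the issue for `security:`), $subject
        // is null, this voter abstains, and with Symfony's default access decision
        // settings an all-abstain vote is a denial: the bug surfaces as an access
        // denied error rather than as silently granted access.
        return $attribute === self::READ && $subject instanceof SubmissionAggregation;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false;
        }

        /** @var SubmissionAggregation $subject */
        return $subject->ownerId === $user->getUserIdentifier();
    }
}
```

The `instanceof` guard in `supports()` is the part worth keeping whichever option your version exposes: a voter that answers `true` for a null subject (for example one that only checks a role) would make the ordering change invisible and grant access to every DTO, while one that abstains fails closed and makes the misordering show up in tests.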

Hi @NicoHaase, sorry for the delay, I was really busy. Can you check my patch?

soyuka avatar Jun 28 '24 08:06 soyuka

@soyuka yes, this works ✌️

NicoHaase avatar Jul 01 '24 06:07 NicoHaase