
Link Security is ignored in YAML resource definition

Open amacrobert opened this issue 1 year ago • 0 comments

API Platform version(s) affected: 3.3.12

Description
Subresources may be secured based on their linked resource thanks to the experimental enable_link_security feature.

The security option is ignored for links in resources configured via YAML.

How to reproduce

Turn on link security and configure your project to use YAML resource configuration. api_platform.yaml:

```yaml
api_platform:
    enable_link_security: true
    mapping:
        paths:
            - '%kernel.project_dir%/config/api_platform/resources'
```

Create 2 entities with a Many-to-One relationship.

Configure an operation for the resource on the "many" side of the relationship. Set the security option on the link, for example:

```yaml
ExternalLibrary\Entity\ActionPlan\Checkin:
  normalizationContext:
    groups: [ 'action-plan-checkin:read' ]
  denormalizationContext:
    groups: [ 'action-plan-checkin:write' ]
  operations:
    ApiPlatform\Metadata\GetCollection:
      uriTemplate: action-plans/{actionPlanId}/checkins
      uriVariables:
        actionPlanId:
          fromClass: ExternalLibrary\Entity\ActionPlan\ActionPlan
          toProperty: actionPlan
          security: 'actionPlan.getUser() == user'
```

This is expected to return a 403 if the authenticated user is not the same as the actionPlan's user due to uriVariables.actionPlanId.security.

However, this returns a 200 regardless of the security expression.

Possible Solution

Additional Context

amacrobert, Sep 06 '24 19:09
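A regression test that pins the behaviour the report expects (403 for a non-owner, success for the owner) is the check a practitioner would want before and after a fix. The following is an added example, not code from the issue or from API Platform; it assumes the `ExternalLibrary\Entity\ActionPlan\*` entities from the report, an `App\Entity\User` entity with an `email` field, fixtures that create action plan id `1` owned by `owner@example.com` plus a second user `other@example.com`, and the `loginUser()` helper of API Platform's test client.

```php
<?php
// Added regression test for the YAML link-security report above.
// Not part of the issue or of API Platform. Assumptions (hypothetical):
//   - App\Entity\User exists and is looked up by email;
//   - fixtures create ActionPlan id 1 owned by owner@example.com and a
//     second user other@example.com before each test;
//   - the 'main' firewall is the one used by the API.

namespace App\Tests\Security;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use ApiPlatform\Symfony\Bundle\Test\Client;
use App\Entity\User;

final class LinkSecurityTest extends ApiTestCase
{
    // Authenticate the test client as the user with the given email.
    private function loginAs(Client $client, string $email): void
    {
        $user = static::getContainer()
            ->get('doctrine')
            ->getRepository(User::class)
            ->findOneBy(['email' => $email]);

        self::assertNotNull($user, "fixture user {$email} missing");
        $client->loginUser($user, 'main');
    }

    public function testOwnerCanListCheckins(): void
    {
        $client = static::createClient();
        $this->loginAs($client, 'owner@example.com');

        $client->request('GET', '/action-plans/1/checkins');

        // actionPlan.getUser() == user holds, so the link check passes.
        $this->assertResponseIsSuccessful();
    }

    public function testNonOwnerIsForbidden(): void
    {
        $client = static::createClient();
        $this->loginAs($client, 'other@example.com');

        $client->request('GET', '/action-plans/1/checkins');

        // With enable_link_security: true and the `security` expression on
        // the actionPlanId link, this must be 403. The report shows that the
        // YAML-configured expression is ignored and 200 is returned instead,
        // so this assertion fails until the bug is fixed.
        $this->assertResponseStatusCodeSame(403);
    }
}
```

Run it with `php bin/phpunit --filter LinkSecurityTest`. The second test is the one that exposes the defect: a passing first test and a failing second test together show that the operation itself is reachable but the link's `security` expression is never evaluated.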