core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon api-platform

feat(symfony): isGranted before provider

Open soyuka opened this issue 3 months ago • 1 comments

Q A
Branch? main
Tickets Closes #7093
License MIT
Doc PR TBD 

#[ApiResource(
    operations: [
        new Get(uriTemplate: 'is_granted_test_call_provider/{id}', uriVariables: ['id'], security: 'is_granted("ROLE_ADMIN")', provider: [self::class, 'provideShouldNotBeCalled']),
    ]
)]
class IsGrantedTest
{
    private ?int $id = null;

    public function getId(): ?int
    {
        return $this->id;
    }

    public static function provideShouldNotBeCalled(Operation $operation, array $uriVariables = [], array $context = [])
    {
        throw new \RuntimeException('provider should not get called');
    }
}

soyuka avatar Oct 31 '25 14:10 soyuka

Do we also check the following case?

There is also the case that a 404 is returned (instead of 403) when an object does not exist and the user has no access rights. This makes it possible to iterate over the complete collection and check what entities are in the database and which entities don't.

The ReadProvider throws a NotFoundHttpException. And the AccessCheckerProvider does not check any access rights after this exception.

    operations: [
        new Get(
            uriTemplate: 'internal/{parameter}',
            security: "is_granted('ROLE_INTERNAL')"
        ),
    ],

BartHeyrman avatar Dec 10 '25 15:12 BartHeyrman

test added @BartHeyrman

soyuka avatar Dec 11 '25 13:12 soyuka

Thanks @soyuka :+1:

Cocray avatar Dec 11 '25 14:12 Cocray

Thanks @soyuka !

tomxw avatar Dec 11 '25 19:12 tomxw