Skip to content

ExpressionLanguage may throw SyntaxError with Authenticator-based security #4055

Description

@Jontsa

API Platform version(s) affected: 2.6.*

Description

When using new Authenticator-based security, accessing a resource as anonymous user will throw SyntaxError if the resource security expression includes user, token or roles variable.

For example this was valid before:

 * @ApiResource(
 *     itemOperations={
 *         "get"={
 *             "method"="GET",
 *             "security"="is_granted('ROLE_MERCHANT') and object.getMerchant() == user.getMerchant()",
 *         },
 *     },
 *     collectionOperations={
 *     }
 * )

But if you enable authenticator, it will throw SyntaxError like this:

Variable "user" is not valid around position 54 for expression `is_granted('ROLE_MERCHANT') and object.getMerchant() == user.getMerchant()`.`

How to reproduce

Possible Solution

In ResourceAccessChecker, use NullToken if no authentication is available.

Replace this

if ($token = $this->tokenStorage->getToken()) {
    $variables = array_merge($variables, $this->getVariables($token));
}

with

$variables = array_merge($variables, $this->getVariables($this->tokenStorage->getToken() ?: new NullToken()));

Additional Context

Tested using API-platform 2.6.2 and Symfony 5.2.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions