API Platform version(s) affected: 2.6.*
Description
When using new Authenticator-based security, accessing a resource as anonymous user will throw SyntaxError if the resource security expression includes user, token or roles variable.
For example this was valid before:
* @ApiResource(
* itemOperations={
* "get"={
* "method"="GET",
* "security"="is_granted('ROLE_MERCHANT') and object.getMerchant() == user.getMerchant()",
* },
* },
* collectionOperations={
* }
* )
But if you enable authenticator, it will throw SyntaxError like this:
Variable "user" is not valid around position 54 for expression `is_granted('ROLE_MERCHANT') and object.getMerchant() == user.getMerchant()`.`
How to reproduce
Possible Solution
In ResourceAccessChecker, use NullToken if no authentication is available.
Replace this
if ($token = $this->tokenStorage->getToken()) {
$variables = array_merge($variables, $this->getVariables($token));
}
with
$variables = array_merge($variables, $this->getVariables($this->tokenStorage->getToken() ?: new NullToken()));
Additional Context
Tested using API-platform 2.6.2 and Symfony 5.2.3
API Platform version(s) affected: 2.6.*
Description
When using new Authenticator-based security, accessing a resource as anonymous user will throw SyntaxError if the resource security expression includes user, token or roles variable.
For example this was valid before:
But if you enable authenticator, it will throw SyntaxError like this:
How to reproduce
Possible Solution
In ResourceAccessChecker, use NullToken if no authentication is available.
Replace this
with
Additional Context
Tested using API-platform 2.6.2 and Symfony 5.2.3