Skip to content

Deprecate access_control attribute, add security + security_post_denormalize attributes#2992

Merged
dunglas merged 1 commit into
api-platform:masterfrom
vincentchalamon:issue/1646
Aug 20, 2019
Merged

Deprecate access_control attribute, add security + security_post_denormalize attributes#2992
dunglas merged 1 commit into
api-platform:masterfrom
vincentchalamon:issue/1646

Conversation

@vincentchalamon

@vincentchalamon vincentchalamon commented Aug 19, 2019

Copy link
Copy Markdown
Contributor
Q A
Waiting for PR? #2990
Bug fix? yes
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #1646, api-platform/api-platform#1218
License MIT
Doc PR api-platform/docs#859

@vincentchalamon vincentchalamon self-assigned this Aug 19, 2019
@vincentchalamon vincentchalamon changed the title [WIP] Fix #1646 [WIP] Deprecate access_control attribute, add security + late_security attributes Aug 19, 2019

@dunglas dunglas left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also add a legacy test for access_control?

Comment thread src/EventListener/ReadListener.php Outdated
Comment thread src/GraphQl/Resolver/ResourceAccessCheckerTrait.php Outdated
Comment thread src/Security/EventListener/DenyAccessListener.php
@teohhanhui

Copy link
Copy Markdown
Contributor

If we're really doing this, I'd suggest:

"access_control"={
    "precondition"="...",
    "postcondition"="...",
},

@dunglas

dunglas commented Aug 19, 2019

Copy link
Copy Markdown
Member

Sub-attributes are too verbose, I prefer this approach (see my comment in the related issue).

@soyuka soyuka left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once tests pass 👍

We need to dig through older issues, I'm sure that this solves more then 2 issues :p.

@vincentchalamon
vincentchalamon force-pushed the issue/1646 branch 3 times, most recently from 8e6dcb2 to 558971f Compare August 19, 2019 12:29
@vincentchalamon vincentchalamon changed the title [WIP] Deprecate access_control attribute, add security + late_security attributes Deprecate access_control attribute, add security + late_security attributes Aug 19, 2019
@teohhanhui

teohhanhui commented Aug 19, 2019

Copy link
Copy Markdown
Contributor

"security" and "late_security" are really confusing names.

If you don't want nested attributes, then perhaps:

  • access_control_precondition
  • access_control_postcondition

Or:

  • authorize_precondition
  • authorize_postcondition

The second option would fit nicely with my suggestion of renaming DenyAccessListener to AuthorizeListener. And of course we could support "authorize"=false.

I don't buy the argument that Symfony uses the term "security" too. It's not related to our case.

@vincentchalamon vincentchalamon changed the title Deprecate access_control attribute, add security + late_security attributes Deprecate access_control attribute, add security + security_post_denormalize attributes Aug 19, 2019
@vincentchalamon
vincentchalamon force-pushed the issue/1646 branch 2 times, most recently from ec43f9e to e354287 Compare August 19, 2019 15:13
@vincentchalamon
vincentchalamon changed the base branch from 2.4 to master August 19, 2019 15:13
@vincentchalamon
vincentchalamon force-pushed the issue/1646 branch 2 times, most recently from d57a903 to 4725000 Compare August 19, 2019 15:25
Comment thread src/Annotation/ApiResource.php Outdated
@vincentchalamon
vincentchalamon force-pushed the issue/1646 branch 3 times, most recently from d265e42 to 705fd64 Compare August 20, 2019 11:28
@dunglas
dunglas merged commit 23d0f8f into api-platform:master Aug 20, 2019
@dunglas

dunglas commented Aug 20, 2019

Copy link
Copy Markdown
Member

Awesome! Thanks @vincentchalamon

@c-lambert

c-lambert commented Mar 8, 2022

Copy link
Copy Markdown

Hello,
i'm not sure to understand the fix applied.
I use API Platform 2.6.4 with security annotation on itemOperation. But when i call this endpoint with unauthorized user, API Platform responds 404 when entity doesn't exist, and 403 when entity exist.

security attribute is not early by default ?

@norkunas

norkunas commented Mar 8, 2022

Copy link
Copy Markdown
Contributor

security is executed only after reading data, so you could have dynamic security by object data, if you want to not expose that item exist you could use security acl for that

@c-lambert

Copy link
Copy Markdown

security is executed only after reading data, so you could have dynamic security by object data, if you want to not expose that item exist you could use security acl for that

Ok thank you, i'll do that.
I was hopping that we can bypass this behavior with a parameter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants