Skip to content

Also pass the object to the resource access checker in the serializer#3966

Merged
soyuka merged 1 commit into
api-platform:masterfrom
Toflar:fix-missing-object-in-resource-access-checker
Jan 21, 2021
Merged

Also pass the object to the resource access checker in the serializer#3966
soyuka merged 1 commit into
api-platform:masterfrom
Toflar:fix-missing-object-in-resource-access-checker

Conversation

@Toflar

@Toflar Toflar commented Jan 20, 2021

Copy link
Copy Markdown
Contributor
Q A
Bug fix? yes
New feature? sort of
BC breaks? no
Deprecations? no
Tickets
License MIT
Doc PR

In #3503 @GregoireHebert introduced support for the security attribute on an api property.
I found that this is very useful to me because I can get rid of my own normalizer. However, my permission system depends not only on roles but you can have different roles per organisation. This in turn means, it depends on the object.
The object itself is already passed on in e.g. the DenyAccessListener (https://github.com/api-platform/core/blob/master/src/Security/EventListener/DenyAccessListener.php#L100) so we should also have it here.

By introducing that, I was able to super conveniently restrict access to a certain property by registering my own custom expression language function. It now looks like this ❤️ :

    /**
     * @ApiProperty(security="user_has_role_for_organisation('ROLE_OWNER', object)")
     */
    private $stuff;

Regarding docs, I guess I could expand a bit on what Frédéric already wrote in api-platform/docs#1000.

@alanpoulain alanpoulain left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@soyuka soyuka merged commit b4f930c into api-platform:master Jan 21, 2021
@soyuka

soyuka commented Jan 21, 2021

Copy link
Copy Markdown
Member

thanks @Toflar

@Toflar Toflar deleted the fix-missing-object-in-resource-access-checker branch January 21, 2021 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants