
Question: collectionOperations / access_control


When trying to control access in Api Platform the documentation states you can do the following in order to limit Item Operations:

/**
 * @ApiResource(
 *     attributes={"access_control"="is_granted('ROLE_USER')"},
 *     collectionOperations={
 *         "get"={"method"="GET"},
 *         "post"={"method"="POST", "access_control"="is_granted('ROLE_ADMIN')"}
 *     },
 *     itemOperations={
 *         "get"={"method"="GET", "access_control"="is_granted('ROLE_USER') and object.owner == user"}
 *     }
 * )
 */

There is, however, no mention of how you would limit a collection by the current user. I tried the following but it fails, presumably because the collection is an array, with no direct access to the interior objects, so object.user doesn’t exist.

/**
 * @ApiResource(
 *     collectionOperations={
 *         "get"={"method"="GET", "access_control"="is_granted('ROLE_USER') and object.getOwner() == user"}
 *     }
 * )
 */

hydra:description: Unable to call method “owner” of object "ApiPlatform\Core\Bridge\Doctrine\Orm\Paginator

I was wondering if there is a built-in way of getting around this?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

1 reaction
antograssiot commented, Feb 5, 2018

I use an extension to automatically filter collection results in addition to access filtering based on the connected user: https://api-platform.com/docs/core/extensions/#extensions

0 reactions
DougHayward commented, Feb 7, 2018

Thank you, I think I found a slightly clearer solution (but again I’m unsure if it’s best practice). In the docs’ example they do a check to see if the $resourceClass == Offers, however this ties it to that class. So instead of this I’ve got the following, which checks if the method exists dynamically:

// Inside the extension's applyToCollection(): $resourceClass is the entity class being queried.
$client = $this->tokenStorage->getToken()->getUser()->getClient();
// method_exists() accepts a class name, so the entity does not need to be instantiated to probe it.
if ($client instanceof Client && method_exists($resourceClass, 'getClient') && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
    // Restrict the query to rows belonging to the authenticated user's client.
    $rootAlias = $queryBuilder->getRootAliases()[0];
    $queryBuilder->andWhere(sprintf('%s.client = :current_client', $rootAlias));
    $queryBuilder->setParameter('current_client', $client->getId());
}

I hope this helps someone else at some point, and thank you @antograssiot for your help.
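A complete Doctrine ORM extension along the lines of the two comments above, added here as an example and not code from the issue, its participants or API Platform itself. It assumes the API Platform 2.x `ApiPlatform\Core` namespaces current when the issue was filed, Symfony's `Security` helper, and entities that expose their owner through an `owner` association with a `getOwner()` accessor; it also constrains item operations, which the comments do not, so that another user's record is not reachable by guessing its identifier.

```php
<?php
// Added example, not code from the issue or from API Platform. Assumes the
// API Platform 2.x (ApiPlatform\Core) namespaces and entities that expose the
// owning user through an `owner` association with a getOwner() accessor.
namespace App\Doctrine;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryItemExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;

final class CurrentUserExtension implements QueryCollectionExtensionInterface, QueryItemExtensionInterface
{
    private $security;
    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
    {
        $this->addWhere($queryBuilder, $queryNameGenerator, $resourceClass);
    }

    // Constraining item queries too means a guessed identifier that belongs to
    // another user yields 404 rather than disclosing the record.
    public function applyToItem(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, array $identifiers, string $operationName = null, array $context = []): void
    {
        $this->addWhere($queryBuilder, $queryNameGenerator, $resourceClass);
    }

    private function addWhere(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass): void
    {
        $user = $this->security->getUser();
        // method_exists() accepts a class name, so the entity need not be instantiated.
        if (!$user instanceof UserInterface
            || !method_exists($resourceClass, 'getOwner')
            || $this->security->isGranted('ROLE_SUPER_ADMIN')) {
            return;
        }
        $rootAlias = $queryBuilder->getRootAliases()[0];
        // A generated parameter name cannot collide with parameters bound by other extensions or filters.
        $param = $queryNameGenerator->generateParameterName('current_user');
        $queryBuilder
            ->andWhere(sprintf('%s.owner = :%s', $rootAlias, $param))
            ->setParameter($param, $user);
    }
}
```

With Symfony autoconfiguration the two interfaces tag the service for both the collection and item query extension passes; without it, register the service with the `api_platform.doctrine.orm.query_extension.collection` and `api_platform.doctrine.orm.query_extension.item` tags.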

