
api-platform / core / 7970407897

20 Feb 2024 08:20AM UTC coverage: 66.686% (+0.003%) from 66.683%
7970407897

push

github

web-flow
fix(openapi): skip requestBody if input is false (#6163)

* fix(openapi): skip requestBody if input is false

* cs fix

* fix phpstan error

* cs fix

* merge condition

---------

Co-authored-by: soyuka <soyuka@users.noreply.github.com>

2 of 2 new or added lines in 1 file covered. (100.0%)

86 existing lines in 9 files now uncovered.

16306 of 24452 relevant lines covered (66.69%)

37.54 hits per line

Source File

97.14
/src/Symfony/EventListener/DenyAccessListener.php
<?php

/*
 * This file is part of the API Platform project.
 *
 * (c) Kévin Dunglas <dunglas@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ApiPlatform\Symfony\EventListener;

use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
use ApiPlatform\State\Util\OperationRequestInitiatorTrait;
use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
use ApiPlatform\Symfony\Util\RequestAttributesExtractor;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Event\ViewEvent;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

/**
 * Denies access to the current resource if the logged user doesn't have sufficient permissions.
 *
 * @author Kévin Dunglas <dunglas@gmail.com>
 */
final class DenyAccessListener
{
    use OperationRequestInitiatorTrait;

    /**
     * Both collaborators are optional.
     *
     * When no access checker is injected, checkSecurity() returns before evaluating anything,
     * so this listener enforces no security expression at all in that configuration.
     */
    public function __construct(?ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory = null, private readonly ?ResourceAccessCheckerInterface $resourceAccessChecker = null)
    {
        $this->resourceMetadataCollectionFactory = $resourceMetadataCollectionFactory;
    }

    /**
     * Evaluates the operation's "security" expression for the incoming request.
     *
     * @throws AccessDeniedException when the expression is evaluated and not granted
     */
    public function onSecurity(RequestEvent $event): void
    {
        $this->checkSecurity($event->getRequest(), 'security');
    }

    /**
     * Evaluates the operation's "security_post_denormalize" expression.
     *
     * @throws AccessDeniedException when the expression is evaluated and not granted
     */
    public function onSecurityPostDenormalize(RequestEvent $event): void
    {
        $request = $event->getRequest();
        $previous = [
            'previous_object' => $request->attributes->get('previous_data'),
        ];

        $this->checkSecurity($request, 'security_post_denormalize', $previous);
    }

    /**
     * Evaluates the operation's "security_post_validation" expression.
     *
     * @throws AccessDeniedException when the expression is evaluated and not granted
     */
    public function onSecurityPostValidation(ViewEvent $event): void
    {
        $request = $event->getRequest();
        $previous = [
            'previous_object' => $request->attributes->get('previous_data'),
        ];

        $this->checkSecurity($request, 'security_post_validation', $previous);
    }

    /**
     * Resolves the security expression selected by $attribute and asks the access checker to evaluate it.
     *
     * The method returns without denying (i.e. it fails open) in each of these cases:
     *  - the "_api_platform_disable_listeners" request attribute is truthy;
     *  - no access checker was injected;
     *  - no API Platform attributes could be extracted from the request;
     *  - no operation could be initialized;
     *  - the operation's controller is "api_platform.symfony.main_controller";
     *  - the operation defines no expression for the requested attribute.
     *
     * @param string $attribute      'security_post_denormalize', 'security_post_validation', or anything else for the plain "security" expression
     * @param array  $extraVariables variables exposed to the expression; caller-supplied keys win over request attributes,
     *                               but 'object', 'previous_object' and 'request' are always overwritten below
     *
     * @throws AccessDeniedException
     */
    private function checkSecurity(Request $request, string $attribute, array $extraVariables = []): void
    {
        // NOTE(review): this flag turns the whole check off; it should only ever be set server-side — confirm no code path copies client input into it.
        if ($request->attributes->get('_api_platform_disable_listeners')) {
            return;
        }

        if (!$this->resourceAccessChecker) {
            return;
        }

        $attributes = RequestAttributesExtractor::extractAttributes($request);
        if (!$attributes) {
            return;
        }

        $operation = $this->initializeOperation($request);
        if (!$operation) {
            return;
        }

        // NOTE(review): presumably access control for the main controller is enforced elsewhere — confirm, since nothing is checked here.
        if ('api_platform.symfony.main_controller' === $operation->getController()) {
            return;
        }

        // Only the getters of the selected arm are invoked.
        [$expression, $deniedMessage] = match ($attribute) {
            'security_post_denormalize' => [
                $operation->getSecurityPostDenormalize(),
                $operation->getSecurityPostDenormalizeMessage(),
            ],
            'security_post_validation' => [
                $operation->getSecurityPostValidation(),
                $operation->getSecurityPostValidationMessage(),
            ],
            default => [
                $operation->getSecurity(),
                $operation->getSecurityMessage(),
            ],
        };

        if (null === $expression) {
            return;
        }

        // Every request attribute becomes an expression variable; the three reserved names are then forced to their canonical values.
        $variables = array_replace($extraVariables + $request->attributes->all(), [
            'object' => $request->attributes->get('data'),
            'previous_object' => $request->attributes->get('previous_data'),
            'request' => $request,
        ]);

        if ($this->resourceAccessChecker->isGranted($attributes['resource_class'], $expression, $variables)) {
            return;
        }

        throw new AccessDeniedException($deniedMessage ?? 'Access Denied.');
    }
}