19029875892

Committed 03 Nov 2025 09:28AM UTC coverage: 0.0%. First build

Build # 19029875892

Build Type

Pull #7500

github

Committed by

web-flow

Commit Message

Merge d8e30ad48 into 07d0ef86e

Pull Request Pull Request #7500: feat(symfony): isGranted before provider

Run Details

0 of 28 new or added lines in 2 files covered. (0.0%)

0 of 56758 relevant lines covered (0.0%)

0.0 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/Symfony/Security/State/AccessCheckerProvider.php

<?php

/*
 * This file is part of the API Platform project.
 *
 * (c) Kévin Dunglas <dunglas@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ApiPlatform\Symfony\Security\State;

use ApiPlatform\Metadata\Exception\RuntimeException;
use ApiPlatform\Metadata\GraphQl\Operation as GraphQlOperation;
use ApiPlatform\Metadata\GraphQl\QueryCollection;
use ApiPlatform\Metadata\HttpOperation;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
use ApiPlatform\State\ProviderInterface;
use ApiPlatform\Symfony\Security\Exception\AccessDeniedException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/**
 * Allows access based on the ApiPlatform\Metadata\ResourceAccessCheckerInterface.
 * This implementation covers GraphQl and HTTP.
 *
 * @see ResourceAccessCheckerInterface
 */
final class AccessCheckerProvider implements ProviderInterface
{
    public function __construct(private readonly ProviderInterface $decorated, private readonly ResourceAccessCheckerInterface $resourceAccessChecker, private readonly ?string $event = null)
    {
    }

    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
    {
        switch ($this->event) {
            case 'post_denormalize':
                $isGranted = $operation->getSecurityPostDenormalize();
                $message = $operation->getSecurityPostDenormalizeMessage();
                break;
            case 'post_validate':
                $isGranted = $operation->getSecurityPostValidation();
                $message = $operation->getSecurityPostValidationMessage();
                break;
            case 'after_resolver':
                if (!$operation instanceof GraphQlOperation) {
                    throw new RuntimeException('Not a graphql operation');
                }

                $isGranted = $operation->getSecurityAfterResolver();
                $message = $operation->getSecurityMessageAfterResolver();
                break;
            default:
                $isGranted = $operation->getSecurity();
                $message = $operation->getSecurityMessage();
        }

        if (
            null === $isGranted
            // On a GraphQl QueryCollection we want to perform security stage only on the top-level query
            || ($operation instanceof QueryCollection && null !== ($context['source'] ?? null))
        ) {
            return $this->decorated->provide($operation, $uriVariables, $context);
        }

        $body = 'pre_read' === $this->event ? null : $this->decorated->provide($operation, $uriVariables, $context);

        if (!\is_array($isGranted)) {
            $isGranted = [$isGranted];
        }

        foreach ($isGranted as $attribute) {
            if ($operation instanceof HttpOperation) {
                $request = $context['request'] ?? null;

                $resourceAccessCheckerContext = [
                    'object' => $body,
                    'previous_object' => $request?->attributes->get('previous_data'),
                    'request' => $request,
                ];
            } else {
                $resourceAccessCheckerContext = [
                    'object' => $body,
                    'previous_object' => $context['graphql_context']['previous_object'] ?? null,
                ];
            }

            if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $attribute, $resourceAccessCheckerContext)) {
                $operation instanceof GraphQlOperation ? throw new AccessDeniedHttpException($message ?? 'Access Denied.') : throw new AccessDeniedException($message ?? 'Access Denied.');
            }
        }

        return 'pre_read' ? $this->decorated->provide($operation, $uriVariables, $context) : $body;
    }
}

1	<?php
2
3	/*
4	* This file is part of the API Platform project.
5	*
6	* (c) Kévin Dunglas <dunglas@gmail.com>
7	*
8	* For the full copyright and license information, please view the LICENSE
9	* file that was distributed with this source code.
10	*/
11
12	declare(strict_types=1);
13
14	namespace ApiPlatform\Symfony\Security\State;
15
16	use ApiPlatform\Metadata\Exception\RuntimeException;
17	use ApiPlatform\Metadata\GraphQl\Operation as GraphQlOperation;
18	use ApiPlatform\Metadata\GraphQl\QueryCollection;
19	use ApiPlatform\Metadata\HttpOperation;
20	use ApiPlatform\Metadata\Operation;
21	use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
22	use ApiPlatform\State\ProviderInterface;
23	use ApiPlatform\Symfony\Security\Exception\AccessDeniedException;
24	use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
25
26	/**
27	* Allows access based on the ApiPlatform\Metadata\ResourceAccessCheckerInterface.
28	* This implementation covers GraphQl and HTTP.
29	*
30	* @see ResourceAccessCheckerInterface
31	*/
32	final class AccessCheckerProvider implements ProviderInterface
33	{
34	public function __construct(private readonly ProviderInterface $decorated, private readonly ResourceAccessCheckerInterface $resourceAccessChecker, private readonly ?string $event = null)
35	{
36	}	×
37
38	public function provide(Operation $operation, array $uriVariables = [], array $context = []): object\|array\|null
39	{
40	switch ($this->event) {	×
41	case 'post_denormalize':	×
42	$isGranted = $operation->getSecurityPostDenormalize();	×
43	$message = $operation->getSecurityPostDenormalizeMessage();	×
44	break;	×
45	case 'post_validate':	×
46	$isGranted = $operation->getSecurityPostValidation();	×
47	$message = $operation->getSecurityPostValidationMessage();	×
48	break;	×
49	case 'after_resolver':	×
50	if (!$operation instanceof GraphQlOperation) {	×
51	throw new RuntimeException('Not a graphql operation');	×
52	}
53
54	$isGranted = $operation->getSecurityAfterResolver();	×
55	$message = $operation->getSecurityMessageAfterResolver();	×
56	break;	×
57	default:
58	$isGranted = $operation->getSecurity();	×
59	$message = $operation->getSecurityMessage();	×
60	}
61
62	if (
NEW 63	null === $isGranted	×
64	// On a GraphQl QueryCollection we want to perform security stage only on the top-level query
NEW 65	\|\| ($operation instanceof QueryCollection && null !== ($context['source'] ?? null))	×
66	) {
NEW 67	return $this->decorated->provide($operation, $uriVariables, $context);	×
68	}
69
NEW 70	$body = 'pre_read' === $this->event ? null : $this->decorated->provide($operation, $uriVariables, $context);	×
71
NEW 72	if (!\is_array($isGranted)) {	×
NEW 73	$isGranted = [$isGranted];	×
74	}
75
NEW 76	foreach ($isGranted as $attribute) {	×
NEW 77	if ($operation instanceof HttpOperation) {	×
NEW 78	$request = $context['request'] ?? null;	×
79
NEW 80	$resourceAccessCheckerContext = [	×
NEW 81	'object' => $body,	×
NEW 82	'previous_object' => $request?->attributes->get('previous_data'),	×
NEW 83	'request' => $request,	×
NEW 84	];	×
85	} else {
NEW 86	$resourceAccessCheckerContext = [	×
NEW 87	'object' => $body,	×
NEW 88	'previous_object' => $context['graphql_context']['previous_object'] ?? null,	×
NEW 89	];	×
90	}
91
NEW 92	if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $attribute, $resourceAccessCheckerContext)) {	×
NEW 93	$operation instanceof GraphQlOperation ? throw new AccessDeniedHttpException($message ?? 'Access Denied.') : throw new AccessDeniedException($message ?? 'Access Denied.');	×
94	}
95	}
96
NEW 97	return 'pre_read' ? $this->decorated->provide($operation, $uriVariables, $context) : $body;	×
98	}
99	}

api-platform / core / 19029875892

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous