vendor/api-platform/core/src/Security/EventListener/DenyAccessListener.php line 62

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the API Platform project.
  5.  *
  6.  * (c) Kévin Dunglas <dunglas@gmail.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. declare(strict_types=1);
  14. namespace ApiPlatform\Core\Security\EventListener;
  16. use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
  17. use ApiPlatform\Core\Security\ExpressionLanguage;
  18. use ApiPlatform\Core\Security\ResourceAccessChecker;
  19. use ApiPlatform\Core\Security\ResourceAccessCheckerInterface;
  20. use ApiPlatform\Core\Util\RequestAttributesExtractor;
  21. use Symfony\Component\HttpFoundation\Request;
  22. use Symfony\Component\HttpKernel\Event\RequestEvent;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  26. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  27. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  29. /**
  30.  * Denies access to the current resource if the logged user doesn't have sufficient permissions.
  31.  *
  32.  * @author Kévin Dunglas <dunglas@gmail.com>
  33.  */
  34. final class DenyAccessListener
  35. {
  36.     private $resourceMetadataFactory;
  37.     /**
  38.      * @var ResourceAccessCheckerInterface
  39.      */
  40.     private $resourceAccessChecker;
  42.     public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory/*ResourceAccessCheckerInterface*/ $resourceAccessCheckerOrExpressionLanguage nullAuthenticationTrustResolverInterface $authenticationTrustResolver nullRoleHierarchyInterface $roleHierarchy nullTokenStorageInterface $tokenStorage nullAuthorizationCheckerInterface $authorizationChecker null)
  43.     {
  44.         $this->resourceMetadataFactory $resourceMetadataFactory;
  46.         if ($resourceAccessCheckerOrExpressionLanguage instanceof ResourceAccessCheckerInterface) {
  47.             $this->resourceAccessChecker $resourceAccessCheckerOrExpressionLanguage;
  49.             return;
  50.         }
  52.         $this->resourceAccessChecker = new ResourceAccessChecker($resourceAccessCheckerOrExpressionLanguage$authenticationTrustResolver$roleHierarchy$tokenStorage$authorizationChecker);
  53.         @trigger_error(sprintf('Passing an instance of "%s" or null as second argument of "%s" is deprecated since API Platform 2.2 and will not be possible anymore in API Platform 3. Pass an instance of "%s" and no extra argument instead.'ExpressionLanguage::class, self::class, ResourceAccessCheckerInterface::class), \E_USER_DEPRECATED);
  54.     }
  56.     public function onKernelRequest(RequestEvent $event): void
  57.     {
  58.         @trigger_error(sprintf('Method "%1$s::onKernelRequest" is deprecated since API Platform 2.4 and will not be available anymore in API Platform 3. Prefer calling "%1$s::onSecurity" instead.'self::class), \E_USER_DEPRECATED);
  59.         $this->onSecurityPostDenormalize($event);
  60.     }
  62.     public function onSecurity(RequestEvent $event): void
  63.     {
  64.         $this->checkSecurity($event->getRequest(), 'security'false);
  65.     }
  67.     public function onSecurityPostDenormalize(RequestEvent $event): void
  68.     {
  69.         $request $event->getRequest();
  70.         $this->checkSecurity($request'security_post_denormalize'true, [
  71.             'previous_object' => $request->attributes->get('previous_data'),
  72.         ]);
  73.     }
  75.     /**
  76.      * @throws AccessDeniedException
  77.      */
  78.     private function checkSecurity(Request $requeststring $attributebool $backwardCompatibility, array $extraVariables = []): void
  79.     {
  80.         if (!$attributes RequestAttributesExtractor::extractAttributes($request)) {
  81.             return;
  82.         }
  84.         $resourceMetadata $this->resourceMetadataFactory->create($attributes['resource_class']);
  86.         $isGranted $resourceMetadata->getOperationAttribute($attributes$attributenulltrue);
  87.         if ($backwardCompatibility && null === $isGranted) {
  88.             // Backward compatibility
  89.             $isGranted $resourceMetadata->getOperationAttribute($attributes'access_control'nulltrue);
  90.             if (null !== $isGranted) {
  91.                 @trigger_error('Using "access_control" attribute is deprecated since API Platform 2.4 and will not be possible anymore in API Platform 3. Use "security" attribute instead.', \E_USER_DEPRECATED);
  92.             }
  93.         }
  95.         if (null === $isGranted) {
  96.             return;
  97.         }
  99.         $extraVariables += $request->attributes->all();
  100.         $extraVariables['object'] = $request->attributes->get('data');
  101.         $extraVariables['request'] = $request;
  103.         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted$extraVariables)) {
  104.             throw new AccessDeniedException($resourceMetadata->getOperationAttribute($attributes$attribute.'_message''Access Denied.'true));
  105.         }
  106.     }
  107. }