api-platform / core

The server component of API Platform: hypermedia and GraphQL APIs in minutes
https://api-platform.com
MIT License

Access checks for a DTO created through a resolver should happen after it was created #6427

Open NicoHaase opened 2 weeks ago

NicoHaase commented 2 weeks ago

API Platform version(s) affected: 3.3.6

Description
When using ApiPlatform 3.2, a custom DTO created through an instance of QueryItemResolverInterface could run through the security checks after the DTO was created. Since using 3.3, the resolver is run after the security check, such that the validator does not have access to the instance of that DTO.

How to reproduce

Configure a DTO like this:

<?php
// The DTO class name is not given in the report; SubmissionAggregationDto is a placeholder.

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GraphQl\Query;

#[ApiResource(
    graphQlOperations: [
        new Query(
            resolver: SubmissionAggregationResolver::class,
            security: "is_granted('submission_aggregation_read', object)",
            name: 'get'
        ),
    ]
)]
final class SubmissionAggregationDto
{
}

A voter that is responsible for handling the attribute submission_aggregation_read does not have access to the object yet, as it hasn't been initialized during the security checks.

Possible Solution
As implemented for #6354, there could be something like securityAfterResolver which we could use instead of security.
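Added example, not code from the issue or from API Platform: a resolver and a voter for the `submission_aggregation_read` attribute, written so the voter fails closed when it is consulted before the resolver has produced the object (the ordering the report describes). The DTO name `SubmissionAggregation`, its `ownerId` field and the `App\Security` namespace are assumptions.

```php
<?php
// Added example (not from the issue or API Platform). Assumptions: the DTO is
// SubmissionAggregation with an `ownerId` field, and the voter must decide
// even when the security check runs before the resolver has built the object.

namespace App\Security;

use ApiPlatform\GraphQl\Resolver\QueryItemResolverInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

// Hypothetical DTO returned by the resolver (name and fields are assumptions).
final class SubmissionAggregation
{
    public function __construct(public readonly string $ownerId, public readonly int $count) {}
}

// Hypothetical resolver: builds the DTO from the GraphQL query arguments.
final class SubmissionAggregationResolver implements QueryItemResolverInterface
{
    public function __invoke(?object $item, array $context): object
    {
        $ownerId = (string) ($context['args']['ownerId'] ?? '');
        return new SubmissionAggregation($ownerId, 0);
    }
}

final class SubmissionAggregationVoter extends Voter
{
    public const READ = 'submission_aggregation_read';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Claim the attribute even when $subject is null, so the "object not
        // yet resolved" case is decided here (denied) instead of abstained.
        return $attribute === self::READ;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        // Fail closed: if security runs before the resolver, $subject is null
        // and there is nothing to verify ownership against.
        if (!$user instanceof UserInterface || !$subject instanceof SubmissionAggregation) {
            return false;
        }
        return $subject->ownerId === $user->getUserIdentifier();
    }
}
```

With the 3.3 ordering the report describes, the voter will always reach the fail-closed branch for this operation, which makes the regression visible as a hard denial rather than a silent abstain.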

soyuka commented 23 hours ago

Hi @NicoHaase, sorry for the delay, I was really busy. Can you check my patch?