api-platform / core

The server component of API Platform: hypermedia and GraphQL APIs in minutes
https://api-platform.com
MIT License

feat(doctrine): check property security during search filter #6433

Closed emmanuel-tilleuls closed 3 days ago

emmanuel-tilleuls commented 4 days ago
| Q | A |
| --- | --- |
| Branch? | main |
| License | MIT |

TODO

SearchFilter should check property security before adding a where condition to the query. In other words: a user should not be able to filter resources by a property he is not allowed to see.

Use case

Considering a Student resource with the following properties:

Users with the «corrector» role don't see the name property. A SearchFilter can be applied on name.

As a corrector I can try to find which student matches each anonymization code by trying: GET /api/students?name=John+Doe
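A framework-free PHP model of the check described above, added here as an illustration and not taken from this PR or from API Platform's code. The sample rows, the `anonymizationCode` property, the role names and the functions `canRead` and `search` are assumptions.

```php
<?php
// Constructed sample data; only the "name" property comes from the PR text.
const STUDENTS = [
    ['id' => 1, 'name' => 'John Doe', 'anonymizationCode' => 'A-17'],
    ['id' => 2, 'name' => 'Jane Roe', 'anonymizationCode' => 'B-42'],
];

// Hypothetical per-property read rules: which roles may see each property.
const PROPERTY_ROLES = [
    'id' => ['ROLE_CORRECTOR', 'ROLE_ADMIN'],
    'anonymizationCode' => ['ROLE_CORRECTOR', 'ROLE_ADMIN'],
    'name' => ['ROLE_ADMIN'],
];

function canRead(string $property, string $role): bool
{
    return in_array($role, PROPERTY_ROLES[$property] ?? [], true);
}

// Exact-match search followed by per-property output filtering.
// $checkFilterSecurity = false models the reported behaviour: the output
// is restricted by role, but the where conditions are not.
function search(array $query, string $role, bool $checkFilterSecurity): array
{
    if ($checkFilterSecurity) {
        // Skip conditions on properties the caller is not allowed to read.
        $query = array_filter($query, fn ($p) => canRead($p, $role), ARRAY_FILTER_USE_KEY);
    }
    $result = [];
    foreach (STUDENTS as $student) {
        foreach ($query as $property => $value) {
            if (($student[$property] ?? null) !== $value) {
                continue 2; // condition not met, skip this student
            }
        }
        // Serialize only the properties this role may read.
        $result[] = array_filter($student, fn ($p) => canRead($p, $role), ARRAY_FILTER_USE_KEY);
    }
    return $result;
}

$query = ['name' => 'John Doe'];
// Unchecked: the name is absent from the output, yet the result set is
// narrowed by it, which ties the hidden name to a visible code.
echo json_encode(search($query, 'ROLE_CORRECTOR', false)), PHP_EOL;
// Checked: the condition on "name" is never applied for this role.
echo json_encode(search($query, 'ROLE_CORRECTOR', true)), PHP_EOL;
// A role that can read "name" still gets a working filter.
echo json_encode(search($query, 'ROLE_ADMIN', true)), PHP_EOL;
```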

emmanuel-tilleuls commented 3 days ago

This PR is replaced by #6435