api-platform / core

The server component of API Platform: hypermedia and GraphQL APIs in minutes
https://api-platform.com
MIT License

securityPostValidation argument on ApiResource and operations attributes is ignored when having use_symfony_listeners: true #6446

Closed GregoireGiraud closed 1 month ago

GregoireGiraud commented 1 month ago

API Platform version(s) affected: 3.3.7

Description

Hey,

I just tried to upgrade my project from 3.2.25 to 3.3.7.

In my project, I have the securityPostValidation attribute on several entities. My tests failed, and I noticed that all security logic inside securityPostValidation was ignored and never applied.

I then tried all patch versions of api-platform/core and the bug was reproduced since 3.3.2 (and didn't occur in 3.3.0).

I noticed that adding use_symfony_listeners: false fixed the problem and that securityPostValidation was again called.

How to reproduce
Create an entity with this configuration (imports and the Doctrine identifier are added here so the class is complete as a Symfony entity; the securityPostValidation expression is the one from the report):

<?php

namespace App\Entity;

use ApiPlatform\Metadata\Post;
use Doctrine\ORM\Mapping as ORM;
use Gedmo\Mapping\Annotation as Gedmo;
use Symfony\Component\Serializer\Annotation\Groups;

#[ORM\Entity]
#[Post(
    denormalizationContext: ['groups' => ['link_type:collection:write']],
    // Always denies: every POST on this resource must end in 403
    // once the payload has been denormalized and validated.
    securityPostValidation: 'is_granted(false, object)',
)]
class LinkType
{
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column]
    private ?int $id = null;

    #[ORM\Column(length: 255)]
    #[Gedmo\Versioned]
    #[Groups([
        'link_type:collection:read', 'link_type:item:read',
        'link_type:collection:write', 'link_type:item:write',
    ])]
    private string $name;

    public function getId(): ?int
    {
        return $this->id;
    }

    public function getName(): string
    {
        return $this->name;
    }

    public function setName(string $name): static
    {
        $this->name = $name;

        return $this;
    }
}

In config/packages/api_platform.yaml

api_platform:
    use_symfony_listeners: false

Toggle the use_symfony_listeners value and check your POST calls. They succeed when the value is set to true, while they should fail because of is_granted(false).

Possible Solution

I don't have the solution! I'd like to keep using use_symfony_listeners: true for some time, until I replace everything that needs it.

Additional Context

Same problem when using ApiResource.operations to define my POST endpoint
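A regression test for the behaviour described above, added here as an example and not taken from the issue or from the API Platform code base. It assumes the LinkType resource shown in the report is exposed at /link_types (API Platform's default path for a resource named LinkType) and that the api-platform/core test client is installed; the route and the payload are assumptions for illustration.

```php
<?php
// Added example, not part of the issue or of API Platform itself.
// Assumes the LinkType resource above is served at /link_types (the
// default path API Platform derives from the class name).

namespace App\Tests\Api;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;

final class LinkTypeSecurityPostValidationTest extends ApiTestCase
{
    /**
     * securityPostValidation: 'is_granted(false, object)' must deny every
     * POST after the payload has been denormalized and validated.
     * A 201 here means the expression was never evaluated, which is the
     * regression reported for 3.3.2+ with use_symfony_listeners: true.
     */
    public function testPostIsRejectedBySecurityPostValidation(): void
    {
        $client = static::createClient();

        $client->request('POST', '/link_types', [
            'headers' => ['Content-Type' => 'application/ld+json'],
            'json' => ['name' => 'example'], // constructed sample payload
        ]);

        // The resource must never be created when access is denied.
        $this->assertResponseStatusCodeNotSame(201);

        // A denied security expression is reported as 403 Forbidden.
        $this->assertResponseStatusCodeSame(403);
    }
}
```

Run it with both values of use_symfony_listeners in the test environment: the test must pass with the setting at false (the working configuration in the report) and should fail on the affected versions with the setting at true. If the firewall in front of the resource has an entry point for anonymous requests, Symfony may turn the access-denied exception into a 401 instead of a 403; in that case authenticate the test client first so the status code under test is the one produced by the security expression.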

SherinBloemendaal commented 1 month ago

Got the same problem, ended up putting use_symfony_listeners to false.

soyuka commented 1 month ago

I'd like to keep using use_symfony_listeners: true for some time, until I replace everything that needs it.

use_symfony_listeners: true will stay forever; it should be just the same if needed. I'm testing this.

GregoireGiraud commented 2 weeks ago

Thanks a lot for the quick fix!