Open TeddyRoncin opened 2 years ago

The same error occurs on route `DELETE /users/{id}`. It seems like all routes which need to fetch a single User (maybe other Entities?) have this problem.

I think the problem might be that the `ApiPlatform\Symfony\EventListener\ReadListener` listener is called before the security checks. The `ReadListener` is called when the `kernel.request` event is called, with a priority of 4. It may be possible to modify the order of events by fetching the main instance of `Symfony\Component\EventDispatcher\EventDispatcher` to add and remove listeners.
Description

When you make a request on route `GET users/{id}`, API returns an error 404 (Resource not found), even if user was found. It should return an error 401 (Unauthorized), both in the case the user does not exist and in the case it does exist.

![image](https://user-images.githubusercontent.com/46007498/167616942-34c59f8d-ce0f-436d-afef-29c4fb8b0422.png)

There is a problem that occurs in the same situation when doing tests:

However, the problem is not the same, this is an error, and the problem I described earlier was a bug.

Investigation of the issue

I tried changing function `supports` of class `App\DataProvider\UserDataVisibilityItemDataProvider` to make it also check for login: `$checkLogin = $this->security->getUser() != null;`. This fixes the issue in tests:

This fix does not change anything in a normal call. It seems like by changing this function, the `getItem` method of the same class is not called anymore (which is the behaviour we would expect). But API Platform still returns a 404 code instead of a 401 code.
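A variant of the item data provider discussed above, added here as an illustration and not code from the issue or from the API Platform project: instead of making `supports()` return false for anonymous callers (which, as the issue notes, just hands the lookup to the default provider and still yields a 404), the provider keeps claiming User items and refuses to perform the lookup until a user is authenticated. It assumes the API Platform 2.x data-provider interfaces, Symfony's `Security` service, a Doctrine-managed `App\Entity\User`, and the Symfony firewall's usual handling of `AccessDeniedException` (401 via the entry point for anonymous callers, 403 otherwise).

```php
<?php
// Added example, not the issue author's code. Assumed: API Platform 2.x
// data-provider interfaces, Symfony Security, Doctrine, App\Entity\User.

namespace App\DataProvider;

use ApiPlatform\Core\DataProvider\ItemDataProviderInterface;
use ApiPlatform\Core\DataProvider\RestrictedDataProviderInterface;
use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Security;

final class UserDataVisibilityItemDataProvider implements ItemDataProviderInterface, RestrictedDataProviderInterface
{
    public function __construct(
        private Security $security,
        private EntityManagerInterface $entityManager,
    ) {
    }

    public function supports(string $resourceClass, string $operationName = null, array $context = []): bool
    {
        // Keep handling every User item request, authenticated or not; a
        // `false` here would fall back to the default provider and its 404.
        return User::class === $resourceClass;
    }

    public function getItem(string $resourceClass, $id, string $operationName = null, array $context = [])
    {
        // Decide on authentication before touching the database, so the
        // response never reveals whether the requested id exists.
        if (null === $this->security->getUser()) {
            // The firewall's exception handling turns this into a 401 for an
            // anonymous caller (assumed standard security configuration).
            throw new AccessDeniedException('Authentication required.');
        }

        // Authenticated: perform the lookup; null yields the normal 404.
        return $this->entityManager->getRepository(User::class)->find($id);
    }
}
```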