vendor/api-platform/core/src/Symfony/EventListener/DenyAccessListener.php line 89

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the API Platform project.
  5.  *
  6.  * (c) Kévin Dunglas <dunglas@gmail.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. declare(strict_types=1);
  14. namespace ApiPlatform\Symfony\EventListener;
  16. use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
  17. use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
  18. use ApiPlatform\Symfony\Security\ExpressionLanguage;
  19. use ApiPlatform\Symfony\Security\ResourceAccessChecker;
  20. use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
  21. use ApiPlatform\Util\OperationRequestInitiatorTrait;
  22. use ApiPlatform\Util\RequestAttributesExtractor;
  23. use Symfony\Component\HttpFoundation\Request;
  24. use Symfony\Component\HttpKernel\Event\RequestEvent;
  25. use Symfony\Component\HttpKernel\Event\ViewEvent;
  26. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  27. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  28. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  29. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  30. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  32. /**
  33.  * Denies access to the current resource if the logged user doesn't have sufficient permissions.
  34.  *
  35.  * @author Kévin Dunglas <dunglas@gmail.com>
  36.  */
  37. final class DenyAccessListener
  38. {
  39.     use OperationRequestInitiatorTrait;
  41.     /**
  42.      * @var ResourceMetadataFactoryInterface|ResourceMetadataCollectionFactoryInterface
  43.      */
  44.     private $resourceMetadataFactory;
  45.     /**
  46.      * @var ResourceAccessCheckerInterface
  47.      */
  48.     private $resourceAccessChecker;
  50.     public function __construct($resourceMetadataFactory/* ResourceAccessCheckerInterface */ $resourceAccessCheckerOrExpressionLanguage nullAuthenticationTrustResolverInterface $authenticationTrustResolver nullRoleHierarchyInterface $roleHierarchy nullTokenStorageInterface $tokenStorage nullAuthorizationCheckerInterface $authorizationChecker null)
  51.     {
  52.         $this->resourceMetadataFactory $resourceMetadataFactory;
  54.         if ($resourceAccessCheckerOrExpressionLanguage instanceof ResourceAccessCheckerInterface) {
  55.             $this->resourceAccessChecker $resourceAccessCheckerOrExpressionLanguage;
  57.             return;
  58.         }
  60.         $this->resourceAccessChecker = new ResourceAccessChecker($resourceAccessCheckerOrExpressionLanguage$authenticationTrustResolver$roleHierarchy$tokenStorage$authorizationChecker);
  61.         @trigger_error(sprintf('Passing an instance of "%s" or null as second argument of "%s" is deprecated since API Platform 2.2 and will not be possible anymore in API Platform 3. Pass an instance of "%s" and no extra argument instead.'ExpressionLanguage::class, self::class, ResourceAccessCheckerInterface::class), \E_USER_DEPRECATED);
  63.         if (!$resourceMetadataFactory instanceof ResourceMetadataCollectionFactoryInterface) {
  64.             trigger_deprecation('api-platform/core''2.7'sprintf('Use "%s" instead of "%s".'ResourceMetadataCollectionFactoryInterface::class, ResourceMetadataFactoryInterface::class));
  65.         } else {
  66.             $this->resourceMetadataCollectionFactory $resourceMetadataFactory;
  67.         }
  68.     }
  70.     public function onKernelRequest(RequestEvent $event): void
  71.     {
  72.         @trigger_error(sprintf('Method "%1$s::onKernelRequest" is deprecated since API Platform 2.4 and will not be available anymore in API Platform 3. Prefer calling "%1$s::onSecurity" instead.'self::class), \E_USER_DEPRECATED);
  73.         $this->onSecurityPostDenormalize($event);
  74.     }
  76.     public function onSecurity(RequestEvent $event): void
  77.     {
  78.         $this->checkSecurity($event->getRequest(), 'security'false);
  79.     }
  81.     public function onSecurityPostDenormalize(RequestEvent $event): void
  82.     {
  83.         $request $event->getRequest();
  84.         $this->checkSecurity($request'security_post_denormalize'true, [
  85.             'previous_object' => $request->attributes->get('previous_data'),
  86.         ]);
  87.     }
  89.     public function onSecurityPostValidation(ViewEvent $event): void
  90.     {
  91.         $request $event->getRequest();
  92.         $this->checkSecurity($request'security_post_validation'false, [
  93.             'previous_object' => $request->attributes->get('previous_data'),
  94.         ]);
  95.     }
  97.     /**
  98.      * @throws AccessDeniedException
  99.      */
  100.     private function checkSecurity(Request $requeststring $attributebool $backwardCompatibility, array $extraVariables = []): void
  101.     {
  102.         if (!$attributes RequestAttributesExtractor::extractAttributes($request)) {
  103.             return;
  104.         }
  106.         $resourceMetadata null;
  107.         $isGranted null;
  108.         $message $attributes[$attribute.'_message'] ?? 'Access Denied.';
  110.         if ($this->resourceMetadataFactory instanceof ResourceMetadataFactoryInterface) {
  111.             $resourceMetadata $this->resourceMetadataFactory->create($attributes['resource_class']);
  113.             $isGranted $resourceMetadata->getOperationAttribute($attributes$attributenulltrue);
  114.             if ($backwardCompatibility && null === $isGranted) {
  115.                 // Backward compatibility
  116.                 $isGranted $resourceMetadata->getOperationAttribute($attributes'access_control'nulltrue);
  117.                 if (null !== $isGranted) {
  118.                     @trigger_error('Using "access_control" attribute is deprecated since API Platform 2.4 and will not be possible anymore in API Platform 3. Use "security" attribute instead.'\E_USER_DEPRECATED);
  119.                 }
  120.             }
  122.             $message $resourceMetadata->getOperationAttribute($attributes$attribute.'_message''Access Denied.'true);
  123.         } elseif ($this->resourceMetadataFactory instanceof ResourceMetadataCollectionFactoryInterface) {
  124.             $operation $this->initializeOperation($request);
  125.             if (!$operation) {
  126.                 return;
  127.             }
  129.             switch ($attribute) {
  130.                 case 'security_post_denormalize':
  131.                     $isGranted $operation->getSecurityPostDenormalize();
  132.                     $message $operation->getSecurityPostDenormalizeMessage();
  133.                     break;
  134.                 case 'security_post_validation':
  135.                     $isGranted $operation->getSecurityPostValidation();
  136.                     $message $operation->getSecurityPostValidationMessage();
  137.                     break;
  138.                 default:
  139.                     $isGranted $operation->getSecurity();
  140.                     $message $operation->getSecurityMessage();
  141.             }
  142.         }
  144.         if (null === $isGranted) {
  145.             return;
  146.         }
  148.         $extraVariables += $request->attributes->all();
  149.         $extraVariables['object'] = $request->attributes->get('data');
  150.         $extraVariables['previous_object'] = $request->attributes->get('previous_data');
  151.         $extraVariables['request'] = $request;
  153.         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted$extraVariables)) {
  154.             throw new AccessDeniedException($message ?? 'Access Denied.');
  155.         }
  156.     }
  157. }
  159. class_alias(DenyAccessListener::class, \ApiPlatform\Core\Security\EventListener\DenyAccessListener::class);