securityPostValidation argument on ApiResource and operations attributes is ignored when having use_symfony_listeners: true #6446

Closed
GregoireGiraud opened this issue Jul 1, 2024 · 3 comments


@GregoireGiraud

API Platform version(s) affected: 3.3.7

Description

Hey,

I just tried to upgrade my project from 3.2.25 to 3.3.7.

In my project, I have the securityPostValidation attribute on several entities.
My tests failed, and I noticed that all security logic inside securityPostValidation was ignored and never applied.

I then tried all patch versions of api-platform/core and the bug was reproduced since 3.3.2 (and didn't occur in 3.3.0).

I noticed that adding use_symfony_listeners: false fixed the problem and that securityPostValidation was again called.

How to reproduce
Create an entity, and add this config.

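```php
<?php

use ApiPlatform\Metadata\Post;
use Doctrine\ORM\Mapping as ORM;
use Gedmo\Mapping\Annotation as Gedmo;
use Symfony\Component\Serializer\Annotation\Groups;

// The expression below can never be granted, so every POST should be rejected.
#[Post(
    denormalizationContext: ['groups' => ['link_type:collection:write']],
    securityPostValidation: 'is_granted(false, object)',
)]
class LinkType
{
    #[ORM\Column(length: 255)]
    #[Gedmo\Versioned]
    #[Groups([
        'link_type:collection:read', 'link_type:item:read',
        'link_type:collection:write', 'link_type:item:write',
    ])]
    private string $name;

    public function getName(): string
    {
        return $this->name;
    }

    public function setName(string $name): static
    {
        $this->name = $name;

        return $this;
    }
}
```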

In config/packages/api_platform.yaml

```yaml
api_platform:
    use_symfony_listeners: false
```

Toggle the use_symfony_listeners value and check your POST calls.
They succeed when the value is set to true, while they should fail because of the is_granted(false).

Possible Solution

I don't have the solution!
I'd like to keep using use_symfony_listeners: true for some time, until I replace everything that needs it.

Additional Context

Same problem when using ApiResource.operations to define my POST endpoint
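
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of API Platform's own test suite: a functional test that POSTs to the LinkType resource and fails if the request is accepted. The `/link_types` path, the `App\Tests\Api` namespace and the sample payload are assumptions.

```php
<?php
// Added example, not code from the issue or from API Platform.
// Assumptions: LinkType is exposed at the default path /link_types and the
// test environment has a working database for the entity.

namespace App\Tests\Api;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;

final class LinkTypeSecurityPostValidationTest extends ApiTestCase
{
    public function testPostIsRejectedBySecurityPostValidation(): void
    {
        $client = static::createClient();

        $response = $client->request('POST', '/link_types', [
            'headers' => ['Content-Type' => 'application/ld+json'],
            'json' => ['name' => 'constructed sample name'],
        ]);

        // securityPostValidation: 'is_granted(false, object)' can never pass.
        // A 2xx status therefore means the expression was not evaluated.
        // 401 is accepted as well as 403 because an unauthenticated request
        // behind a firewall may be answered by the authentication entry point.
        self::assertContains(
            $response->getStatusCode(),
            [401, 403],
            'POST was accepted although securityPostValidation denies it'
        );
    }
}
```

Run it once with `use_symfony_listeners: true` and once with `false`; both runs should pass when the security expression is enforced.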

@SherinBloemendaal

Got the same problem, ended up putting use_symfony_listeners to false.

@soyuka
Member

soyuka commented Jul 19, 2024

> I'd like to keep using use_symfony_listeners: true for some time, until I replace everything that needs it.

use_symfony_listeners: true will stay forever; it should be just the same if needed. I'm testing this.

@GregoireGiraud
Author

Thanks a lot for the quick fix!
