vendor/api-platform/core/src/Symfony/EventListener/DenyAccessListener.php line 39

  1. <?php
  3. /*
  4.  * This file is part of the API Platform project.
  5.  *
  6.  * (c) Kévin Dunglas <dunglas@gmail.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. declare(strict_types=1);
  14. namespace ApiPlatform\Symfony\EventListener;
  16. use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
  17. use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
  18. use ApiPlatform\Util\OperationRequestInitiatorTrait;
  19. use ApiPlatform\Util\RequestAttributesExtractor;
  20. use Symfony\Component\HttpFoundation\Request;
  21. use Symfony\Component\HttpKernel\Event\RequestEvent;
  22. use Symfony\Component\HttpKernel\Event\ViewEvent;
  23. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  25. /**
  26.  * Denies access to the current resource if the logged user doesn't have sufficient permissions.
  27.  *
  28.  * @author Kévin Dunglas <dunglas@gmail.com>
  29.  */
  30. final class DenyAccessListener
  31. {
  32.     use OperationRequestInitiatorTrait;
  34.     public function __construct(?ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory null, private readonly ?ResourceAccessCheckerInterface $resourceAccessChecker null)
  35.     {
  36.         $this->resourceMetadataCollectionFactory $resourceMetadataCollectionFactory;
  37.     }
  39.     public function onSecurity(RequestEvent $event): void
  40.     {
  41.         $this->checkSecurity($event->getRequest(), 'security');
  42.     }
  44.     public function onSecurityPostDenormalize(RequestEvent $event): void
  45.     {
  46.         $request $event->getRequest();
  47.         $this->checkSecurity($request'security_post_denormalize', [
  48.             'previous_object' => $request->attributes->get('previous_data'),
  49.         ]);
  50.     }
  52.     public function onSecurityPostValidation(ViewEvent $event): void
  53.     {
  54.         $request $event->getRequest();
  55.         $this->checkSecurity($request'security_post_validation', [
  56.             'previous_object' => $request->attributes->get('previous_data'),
  57.         ]);
  58.     }
  60.     /**
  61.      * @throws AccessDeniedException
  62.      */
  63.     private function checkSecurity(Request $requeststring $attribute, array $extraVariables = []): void
  64.     {
  65.         if (!$this->resourceAccessChecker || !$attributes RequestAttributesExtractor::extractAttributes($request)) {
  66.             return;
  67.         }
  69.         $operation $this->initializeOperation($request);
  70.         if (!$operation) {
  71.             return;
  72.         }
  74.         switch ($attribute) {
  75.             case 'security_post_denormalize':
  76.                 $isGranted $operation->getSecurityPostDenormalize();
  77.                 $message $operation->getSecurityPostDenormalizeMessage();
  78.                 break;
  79.             case 'security_post_validation':
  80.                 $isGranted $operation->getSecurityPostValidation();
  81.                 $message $operation->getSecurityPostValidationMessage();
  82.                 break;
  83.             default:
  84.                 $isGranted $operation->getSecurity();
  85.                 $message $operation->getSecurityMessage();
  86.         }
  88.         if (null === $isGranted) {
  89.             return;
  90.         }
  92.         $extraVariables += $request->attributes->all();
  93.         $extraVariables['object'] = $request->attributes->get('data');
  94.         $extraVariables['previous_object'] = $request->attributes->get('previous_data');
  95.         $extraVariables['request'] = $request;
  97.         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted$extraVariables)) {
  98.             throw new AccessDeniedException($message ?? 'Access Denied.');
  99.         }
  100.     }
  101. }