Chapters

39 Chapters | 4:45:13 |

01

Hello API Security + API Docs on Production?

8:55
02

API Auth 101: Session? Cookies? Tokens?

4:05
03

Login with json_login

6:27
04

Authentication Errors

5:55
05

Login Success & the Session

4:28
06

On Authentication Success

7:40
07

Logout & Passing API Data to JS on Page Load

8:49
08

SameSite Cookies & CSRF Attacks

8:06
09

ApiResource access_control

6:03
10

Bootstrapping a Test Suite

4:29
11

Backport the API Platform 2.5 Test Tools

5:01
12

Api Tests & Assertions

6:51
13

Logging in Inside the Test

6:57
14

Resetting the Database Between Tests

4:51
15

Base Test Class full of Goodies

8:30
16

ACL: Only Owners can PUT a CheeseListing

9:23
17

ACL & previousObject

8:04
18

Access Control & Voters

8:25
19

Adding the plainPassword Field

7:31
20

Data Persister: Encoding the Plain Password

8:03
21

Validation Groups

5:44
22

Conditional Field Setup

6:42
23

Testing, Updating Roles & Refreshing Data

9:22
24

Context Builder & Service Decoration

6:50
25

Context Builder: Dynamic Fields/Groups

7:47
26

Automatic Serialization Groups

5:59
27

Resource Metadata Factory: Dynamic ApiResource Options

8:45
28

Dynamic Groups without Caching

10:34
29

Custom Normalizer: Object-by-Object Dynamic Fields

9:30
30

Diving into the Normalizer Internals

4:49
31

A "Normalizer Aware" Normalizer

6:49
32

Normalizer & Completely Custom Fields

7:32
33

Locking down the CheeseListing.owner Field

8:16
34

Custom Validator

5:40
35

Security Logic in the Validator

6:46
36

Auto-set the Owner: Entity Listener

9:46
37

Query Extension: Auto-Filter a Collection

9:37
38

Automatic 404 on Unpublished Items

5:26
39

Filtering Related Collections

10:50

This tutorial has a new version, check it out!

> Symfony 5 > API Platform Part 2: Security

Buy Access to Course

18.

Access Control & Voters

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

The access control system in API Platform instantly gives you a lot of power: you can check for a simple role or write more complex logic and... it works!

But... it's also ugly. And... it can get even uglier! What if I said that a user should be able to update a CheeseListing if they are the owner of the CheeseListing or they are an admin user. We could... maybe add an or to the expression... and then we might need parentheses... No, that's not something I want to hack into my annotation expression. Instead, let's use a voter!

Generating the Voter

Voters technically have nothing to do with API Platform... but they do work super well as a way to keep your API Platform access controls clean and predictable. Find your terminal and run:

php bin/console make:voter

Call it CheeseListingVoter. I commonly have one voter for each entity or "resource" that has complex access rules. This creates src/Security/Voter/CheeseListingVoter.php.

            Copy Code

                            Show All Lines

                        42 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 4
                            
            use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
        
            use Symfony\Component\Security\Core\Authorization\Voter\Voter;
        
            use Symfony\Component\Security\Core\User\UserInterface;
        
            class CheeseListingVoter extends Voter
        
            {
        
                protected function supports($attribute, $subject)
        
                {
        
                    // replace with your own logic
        
                    // https://symfony.com/doc/current/security/voters.html
        
                    return in_array($attribute, ['POST_EDIT', 'POST_VIEW'])
        
                        && $subject instanceof \App\Entity\BlogPost;
        
                }
        
                Show Lines

                                                    // ... lines 18 - 40
                            
            }

Updating access_control

Before we dive into the new class, go to CheeseListing. Instead of saying is_granted('ROLE_USER') and previous_object.getOwner() == user, simplify to is_granted('EDIT', previous_object).

            Copy Code

                            Show All Lines

                        211 lines
            |
            src/Entity/CheeseListing.php
        
                Show Lines

                                                    // ... lines 1 - 16
                            
            /**
        
             * @ApiResource(
        
             *     itemOperations={
        
                Show Lines

                                                    // ... lines 20 - 22
                            
             *          "put"={
        
             *              "access_control"="is_granted('EDIT', previous_object)",
        
                Show Lines

                                                    // ... line 25
                            
             *          },
        
                Show Lines

                                                    // ... line 27
                            
             *     },
        
                Show Lines

                                                    // ... lines 29 - 39
                            
             * )
        
                Show Lines

                                                    // ... lines 41 - 50
                            
             */
        
            class CheeseListing
        
                Show Lines

                                                    // ... lines 53 - 211

This... deserves some explanation. The word EDIT... well... I just invented that. We could use EDIT or MANAGE or CHEESE_LISTING_EDIT... it's any word that describes the "intention" of the "access" you want to check: I want to check to see if the current user can "edit" this CheeseListing. This string will be passed to the voter and, in a minute, we'll see how to use it. We're also passing previous_object as the second argument. Thanks to this, the voter will also receive the CheeseListing that we're deciding access on.

How Voters Work

Here's how the voter system works: whenever you call is_granted(), Symfony loops through all of the "voters" in the system and asks each one:

Hey! Lovely request we're having, isn't it? Do you happen to know how to decide whether or not the current user has EDIT access to this CheeseListing object?

Symfony itself comes with basically two core voters. The first knows how to decide access when you call is_granted() and pass it ROLE_ something, like ROLE_USER or ROLE_ADMIN. It determines that by looking at the roles on the authenticated user. The second voter knows how to decide access if you call is_granted() and pass it one of the IS_AUTHENTICATED_ strings: IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY.

Now that we've created a class and made it extend Symfony's Voter base class, our app has a third voter. This means that, whenever someone calls is_granted(), Symfony will call the supports() method and pass it the $attribute - that's the string EDIT, or ROLE_USER - and the $subject, which will be the CheeseListing object in our case.

Coding the Voter

Our job here is to answer the question: do we know how to decide access for this $attribute and $subject combination? Or should another voter handle this?

We're going to design our voter to decide access if the $attribute is EDIT - and we may support other strings later... like maybe DELETE - and if $subject is an instanceof CheeseListing.

            Copy Code

                            Show All Lines

                        43 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class CheeseListingVoter extends Voter
        
            {
        
                protected function supports($attribute, $subject)
        
                {
        
                    // replace with your own logic
        
                    // https://symfony.com/doc/current/security/voters.html
        
                    return in_array($attribute, ['EDIT'])
        
                        && $subject instanceof CheeseListing;
        
                }
        
                Show Lines

                                                    // ... lines 19 - 41
                            
            }

If anything else is passed - like ROLE_ADMIN - supports() will return false and Symfony will know to ask a different voter.

But if we return true from supports(), Symfony will call voteOnAttribute() and pass us the same $attribute string - EDIT - the same $subject - CheeseListing object - and a $token, which contains the authenticated User object. Our job in this method is clear: return true if the user should have access or false if they should not.

Let's start by helping my editor: add @var CheeseListing $subject to hint to it that $subject will definitely be a CheeseListing.

After this, the generated code has a switch-case statement - a nice example for a voter that handles two different attributes for the same object. I'll delete the second case, but leave the switch-case statement in case we do want to support another attribute later.

So, if $attribute is equal to EDIT, let's put our security business logic. If $subject->getOwner() === $user, return true! Access granted. Otherwise, return false.

            Copy Code

                            Show All Lines

                        43 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 19
                            
                protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
        
                {
        
                Show Lines

                                                    // ... lines 22 - 27
                            
                    /** @var CheeseListing $subject */
        
                Show Lines

                                                    // ... line 29
                            
                    // ... (check conditions and return true to grant permission) ...
        
                    switch ($attribute) {
        
                        case 'EDIT':
        
                            if ($subject->getOwner() === $user) {
        
                                return true;
        
                            }
        
                            return false;
        
                    }
        
                    return false;
        
                }
        
                Show Lines

                                                    // ... lines 42 - 43

That's it! Oh, in case we make a typo and pass some other attribute to is_granted(), the end of this function always return false to deny access. That's cool, but let's make this mistake super obvious. Throw a big exception:

Unhandled attribute "%s"

and pass that $attribute.

            Copy Code

                            Show All Lines

                        43 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 19
                            
                protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
        
                {
        
                Show Lines

                                                    // ... lines 22 - 39
                            
                    throw new \Exception(sprintf('Unhandled attribute "%s"', $attribute));
        
                }
        
                Show Lines

                                                    // ... lines 42 - 43

I love it! Our access_control is simple: is_granted('EDIT', previous_object). If we've done our job, this will call our voter and everything will work just like before. And hey! We can check that by running out test!

php bin/phpunit --filter=testUpdateCheeseListing

Scroll up... all green!

Also allowing Admin Access

But... I had a different motivation originally for refactoring this into a voter: I want to also allow "admin" users to be able to edit any CheeseListing. For that, we'll check to see if the user has some ROLE_ADMIN role.

To check if a user has a role from inside a voter, we could call the getRoles() method on the User object... but that won't work if you're using the role hierarchy feature in security.yaml. A more robust option - and my preferred way of doing this - is to use the Security service.

Add public function __construct() with one argument: Security $security. I'll hit Alt + Enter -> Initialize Fields to create that property and set it

            Copy Code

                            Show All Lines

                        55 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Symfony\Component\Security\Core\Security;
        
                Show Lines

                                                    // ... lines 9 - 10
                            
            class CheeseListingVoter extends Voter
        
            {
        
                private $security;
        
                public function __construct(Security $security)
        
                {
        
                    $this->security = $security;
        
                }
        
                Show Lines

                                                    // ... lines 19 - 53
                            
            }

Inside voteOnAttribute, for the EDIT attribute, if $this->security->isGranted('ROLE_ADMIN'), return true.

            Copy Code

                            Show All Lines

                        55 lines
            |
            src/Security/Voter/CheeseListingVoter.php
        
                Show Lines

                                                    // ... lines 1 - 27
                            
                protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
        
                {
        
                Show Lines

                                                    // ... lines 30 - 38
                            
                    switch ($attribute) {
        
                        case 'EDIT':
        
                Show Lines

                                                    // ... lines 41 - 44
                            
                            if ($this->security->isGranted('ROLE_ADMIN')) {
        
                                return true;
        
                            }
        
                Show Lines

                                                    // ... lines 48 - 49
                            
                    }
        
                Show Lines

                                                    // ... lines 51 - 52
                            
                }
        
                Show Lines

                                                    // ... lines 54 - 55

That's lovely. I don't have a test for this... but you could add one in CheeseListingResourceTest by creating a third user, giving them ROLE_ADMIN, logging in and trying to edit the CheeseListing. Or you could unit test the voter itself if your logic is getting pretty crazy.

Let's at least make sure we didn't break anything. Go tests go!

php bin/phpunit --filter=testUpdateCheeseListing

All good.

I love voters, and this is the way I handle access controls in API Platform. Sure, if you're just checking for a role, no problem: use is_granted('ROLE_ADMIN'). But if your logic gets any more complex, use a voter.

Next, our API still requires an API client to POST an encoded version of a user's password when creating a new User resource. That's crazy! Let's learn how to "hook" into the "saving" process so we can intercept the plain text password and encode it.

41 Comments

Sort By

Tac-Tacelosky 2 years ago

Is source code that runs with a more current version of Symfony available? Given that this is about security, it'd be great to see code that works with 6.0 / PHP 8, neither of which you can use with this code base.

Also, I can't figure out how to load fixtures -- are they in the repo? I just want to download the code, install it, and see it run.

1 | Reply |

weaverryan SFCASTS Tac-Tacelosky 2 years ago edited

Hey Tac-Tacelosky !

API Platform 3 should come out sometime this summer - we're waiting on that before we give the tutorials a facelift for newer php and symfony version. I know, it's not ideal until then :).

About the fixtures, there are no fixtures for this course: you just start with an empty database. We DO introduce data fixtures before episode 3, so you'll see some fixtures there (they load with the normal bin/console doctrine:fixtures:load).

Cheers!

| Reply |

Tac-Tacelosky weaverryan 2 years ago

I have the start and final working locally with Symfony 6, and am going through the tutorial. A challenge is that this is about security, and security has changed between Symfony 4.3 and 6. OK if I put the source code with Symfony 6 on github?

| Reply |

weaverryan SFCASTS Tac-Tacelosky 2 years ago

No problem at all - in fact, that would be super great :).

> A challenge is that this is about security, and security has changed between Symfony 4.3 and 6

That's definitely true. Fortunately, the biggest changes - to custom authenticators - I think isn't something that affects this tutorial... which is lucky!

Cheers!

| Reply |

Tac-Tacelosky weaverryan 2 years ago

I've updated all the dependencies and recipes: https://github.com/tacman/a...

BUT tests don't work (likely because of the backporting of apiplatform 2.5 testing client).

1 | Reply |

weaverryan SFCASTS Tac-Tacelosky 2 years ago

Ah, cool - thanks Tac!

About the tests... yes, that's very possible. You could (if you want to) delete that src/ApiPlatform directory entirely, then update a few use statements around the app to point to the REAL API platform classes, since your app nicely uses v2.6.

But anyways, thanks - it's nice to have resources like this. Oh, and soon I can share that we will update our comments system to be "in house" - and one of the features we want to add is the ability to "highlight" extra helpful comments from users, like this one :).

Cheers!

| Reply |

Tac-Tacelosky weaverryan 2 years ago

I'm likely using the wrong version of something (PHPUnit?), as I'm getting tripped up on self::$container. Sigh. And $client. What is the correct base class for the tests? I tried use ApiPlatform\Core\Bridge\Symfony\Bundle\Test\ApiTestCase;

| Reply |

weaverryan SFCASTS Tac-Tacelosky 2 years ago edited

Change that self::$container to static::getContainer() - that's a newer way for newer Symfony versions. I think your base class is good!

About $client, it should be, I believe, the normal $client = static::createClient();.

Cheers!

| Reply |

Tac-Tacelosky weaverryan 2 years ago

I'm getting pretty close... BUT still not working. Perhaps I'm not setting the client correctly?

1) App\Tests\Functional\CheeseListingResourceTest::testCreateCheeseListing
not passing the correct owner
Failed asserting that the Response status code is 400.
HTTP/1.1 422 Unprocessable Content

| Reply |

weaverryan SFCASTS Tac-Tacelosky 2 years ago edited

Hmm, I think that the test line should just change to look for a 422 status code:


$this->assertResponseStatusCodeSame(422, 'not passing the correct owner');

It looks like I WAS testing for a 400 status code previously, but I can't remember why. 422 actually makes more sense: passing the wrong owner fails due to the IsValidOwner constraint, so that's a validation error. The status code changed at some point in API Platform 2.6 - https://symfonycasts.com/screencast/api-platform-security/validator-logic#comment-5574495978

So, just change that line - I think you're good!

Cheers!

| Reply |

teh_policer 4 years ago

Hmmm It was a bit confusing after they added security and security_post_denormalize. We need to use just "object" with security. And to be exactly the same with this video, one can use security_post_denormalize with previous_object.

1 | Reply |

weaverryan SFCASTS teh_policer 4 years ago edited

Hey teh_policer!

Hmm, it sounds like maybe my description of how things should look in API Platform 2.5 was not very clear? Is that correct? I was thinking that the ACL should look like this in 2.5:


(2.4)
"access_control"="is_granted('ROLE_USER') and previous_object.getOwner() == user",

(2.5)
"security"="is_granted('ROLE_USER') and object.getOwner() == user",

Did you find that the 2.5 version code above didn't work? Or was it just confusing? Let me know - I'd like to make this more clear if I can :).

Thanks!

1 | Reply |

Sung L. 5 years ago edited

I wonder how to do a UserVoter. For User entity itemOperations, I can do"put" = { "access_control" = "(is_granted('ROLE_USER') and object == user) or is_granted('ROLE_ADMIN')" }. But if I want to use Voter, I am not sure what to compare $user object with in switch statement. I think I can compare $user->getId() with $subject->getId(), but I am not sure that's the best option.


// in voteOnAttribute function
switch($attribute) {
    case 'EDIT':
        //Is comparing ID safe???
        if ($subject->getId() == $user->getId()) {
             return true;
        }
}

Thanks!

1 | Reply |

weaverryan SFCASTS Sung L. 5 years ago edited

Hey Sung L. !

Good question. So... comparing the id's is absolutely a safe thing to do - it will check if the currently-authenticated user's id is equal to the id of the user being edited. This is totally safe. A more interesting question is actually this: is comparing the objects safe: $subject === $user. The answer to that is also "yes" - if the currently-authenticated user is the same as the user being modified, then $subjectand $user will literally be the same object in memory (e.g. if you changed the email on $subject, then it would also be changed on $user because they are actually the same object). This is true simply because this is how Doctrine works: the security system will initially query for the currently-authenticated user. Later, when API Platform queries for that same User, Doctrine returns the same object (instead of making a 2nd query and returning a separate object with the same data).

I may have over-answered your question... or missed it entirely. Let me know ;)

Cheers!

1 | Reply |

Sung L. weaverryan 5 years ago

Thanks for your detailed explanation to my question. I appreciate it!

| Reply |

ties8 2 years ago edited

Hello, if i have an entity, lets say PrivateCheeseListing, which relates to PrivateCheese, and it outputs PrivateCheeses data when i call PrivateCheeseListing, if i have a PrivateCheese item owned by me and another one PrivateCheese owned by someone else, which i have no access to, it is still possible for me to take the IRI "/api/cheese/123", which i have no access to, create a CheeseListing with it, so the JSON contains "cheese": "/api/private_cheese/123" and API Platform will not check if i have access to the related resource and saves it anyways. Is it possible to easily implement a check so that api platform checks the security i configured before relating and saving the item? Or will i have to write a Persister for each and every entity which checks each and every relation?

Again for clarity
If i call GET /api/private_cheese/123
I will have a 404 returned.

If i POST to /api/private_cheese_listing with:


{
  "cheese": "/api/private_cheese/123",
}

This will return:


{
  "@id": "/api/private_cheese_listing/123"
  "cheese": {
    "@id": "/api/private_cheese/123",
    "personal_info": "i am exposed ohn no"
  }
}

| Reply |

weaverryan SFCASTS ties8 2 years ago edited

Hi Alex T.!

I think I understand! I believe what you are asking about is covered in this section - https://symfonycasts.com/sc... - and the answer is "do this with a validator". This gets a bit tricky. I should not be able to create a new PirvateCheeseListing (or modify a PrivateCheeseListing) and relate it to a PrivateCheese that someone else owns. That should NOT be allowed, for security reasons. But, the tool to solve this problem is actually the validation system: the user is trying to send "invalid data"... it's just invalid due to security reasons. So, it's a situation where validation & security work together.

Specifically, I would add a custom validator, put it on PrivateCheeseListing, and then it would validate that all of the related PrivateCheese objects ARE owned by the current user.

Let me know if that helps!

Cheers!

1 | Reply |

Ahmed O. 3 years ago edited

Hello, is there a simple way to pass both object and previous_object to the Voter? (to grant by property transition)
To have something like:
<blockquote>is_granted('ROLE_PUBLISHER') and previous_object.isPusblished() == false and object.isPublished() == true</blockquote>
(Please don't mind the example I need this for a complex case).

The way I implemented is by passing the previous_object to the Voter, then getting the object from the database using the EntityManager inside the Voter, which I don't think is the best approach.

(also I wonder if this a validation case and not security)

Thanks!

| Reply |

weaverryan SFCASTS Ahmed O. 3 years ago edited

Hey Ahmed O. !

I've never done this before but, yes, you CAN do this :). But, before I say how, I would usually handle this in a custom validator because it is not a matter of "whether or not the user can perform this action". It is more of a "given this user, this is an invalid value for this field". We do something like that here: https://symfonycasts.com/screencast/api-platform-security/validator-logic. The tricky part is getting the original data so you can see if the field has changed. There is an example of how to fetch the original data from the unit of work here - https://stackoverflow.com/questions/17306635/symfony2-form-validator-comparing-old-and-new-values-before-flush#answers - the example is old, but the important part is still relevant :).

Now, about the voter (if you choose to go this direction). You can pass anything to the 2nd argument of is_granted. For example:


is_granted('CAN_PUBLISH, { "previous": "previous_object", "object": object })

(if I messed up my syntax above, apologies!). In this situation, the $subject that's passed to your voter would be an array, which is a bit rare, but TOTALLY legal. You can then read the keys off of that.

Cheers!

| Reply |

Ahmed O. weaverryan 3 years ago

I suspected that it's a validation case, thanks a lot!

| Reply |

csc 3 years ago

How can I do filter automatic in GET collectionOperations by owner == user logged (Security) ?

| Reply |

weaverryan SFCASTS csc 3 years ago edited

Hey Cesar C. !

Excellent question! You an find info about that a bit later in this tutorial :) https://symfonycasts.com/sc...

Cheers!

| Reply |

Anton B. 3 years ago

Sorry, but why we should taking care about the access using Exception throwing, whether we are not handling the possible typo in the support method?

| Reply |

Victor SFCASTS Anton B. 3 years ago

Hey Anton,

Just a sanity check. Nothing big, as we will deny access for those cases, but it's kind of an edge case, i.e. this kind of things is not implemented and so it may lead to potential bugs in the future. But as I say, it's just a sanity check to notify developer about possible problem "earlier".

Cheers!

| Reply |

Jean-tilapin 3 years ago

Hi!
Is it safe and recommended to get the Request in a Voter? For example, with Ajax I'm sending a small object {user: "user IRI", object: "object IRI"}. For editing or deleting, no problem: a classic voter does the job with $object->getOwner(). But for creating...? How can I be sure that the sent user's IRI is actually the logged in user's IRI?
I read on StackOverflow that I can add in my Voter "private $requestStack" then use "$this->requestStack->getMasterRequest()->get('user')" (to get the user IRI of the sent object), but it doesn't seem to work, and a "dd($this->requestStack->getMasterRequest()" doesn't return anything so I'm not sure what to do.

Edit: ...or should I delete the user part of the sent datas and use a Custom Symfony Controller to create the relationship between the object and the user?

| Reply |

Victor SFCASTS Jean-tilapin 3 years ago

Hey Xav,

You can inject whatever you want in your services, just literally any services. Yeah, Request service is a bit special, and to inject it - you would need to inject RequestStack instead, and then get the actual current request via getMasterRequest() for example. So injecting the RequestStack is the correct way get the request in your services.

To get access to the current user (logged in user) - you can inject another service called Symfony\Component\Security\Core\Security service which has getUser() method that will return the current user if it exist or null.

You will be able to use those objects to do whatever business logic you need.

I hope this helps.

Cheers!

| Reply |

Jean-tilapin Victor 3 years ago

Thank you!
I had a hard time to figure what was wrong with what I was doing. Actually, I didn't need the requestStack, but I needed to add "security_post_denormalize" in my Api Platform Configuration. Not sure I've understood why, though. Anyway, it seems to work now...

Is there a simple way of debugging a voter? I wanted it to return errors at different steps of the voting process, and I couldn't manage to do that. For example, throw an explicit error if there's no $user, or return the $subject, or the "$this->requestStack->getMasterRequest()", or understand why the voter abstains whereas it shouldn't (that was my problem for a long time until I added security_post_denormalize). I tried to dump those vars but nothing appeared in the debugging tools. I must have missed something.

PS: could you please write something about Subresources Voters...?It seems that I have now to understand why "api/users/{id}/agendas" doesn't care at all about my voters....

| Reply |

Victor SFCASTS Jean-tilapin 3 years ago

Hey Xav,

Take a look at Symfony Web Developer Toolbar, it should help with debugging voters as well, but only those what was called, so make sure you call isGranted() in the controller or is_granted() Twig function in a twig template of the page you're on. Otherwise, simple dd(); or dump(); die; in the voter helps as well. Or just inject logger service into the voter and log things to watch them later in logs.

I hope this helps!

Cheers!

| Reply |

Gediminas N. 3 years ago

In a voter, Why does $subject->getOwner() === $user bring back true when $token->getUser() is an object and $subject->getOwner() is an Iri "/api/users/1"?

| Reply |

weaverryan SFCASTS Gediminas N. 3 years ago edited

Hey Gediminas N.!

Excellent question! All of your assumptions are correct, except for:

$subject->getOwner() is an IRI "/api/users/1"

So, $subject as you know is a CheeseListing object. This means that $subject->getOwner() is actually calling CheeseListing::getOwner() which returns a User object, not an IRI string.

The confusing part is probably that if you make a request to /api/cheeses, you get back JSON like this:


{
    "title": "..."
    "owner": "/api/users/1"
}

This is a key feature of API Platform: when it sees that the CheeseListing.owner property is a User object, and it knows that User object is an API Resource, it converts the User object into an IRI string: /api/users/1.

The same thing happens when you send data. If you, for example, sent a POST request to /api/cheeses with this data:


{
    "title": "..."
    "owner": "/api/users/1"
}

... API Platform would transform the /api/users/1 into a User object (by querying the database for the User object with id 1) before ultimately setting that object into the owner property of CheeseListing.

Does that help? Or did I confuse thing more? ;)

Cheers!

1 | Reply |

Gediminas N. weaverryan 3 years ago

Perfectly answered question!

Cheers!

| Reply |

julien_bonnier 3 years ago edited

My voters use constants for their roles.

const EDIT_POST = 'EDIT_POST';

Is there anyway to use these inside the annotation the same way we would do in a controller?
I've been trying a couple of things, but nothing worked so far.

Using Symfony 5.2.1 with PHP 7.4 and API Platform 2.5.9

| Reply |

weaverryan SFCASTS julien_bonnier 3 years ago edited

Hey julien_bonnier!

Hmm. I think in annotations in general you can have things like MyClass::EDIT_POST. The problem is that, when you need to reference the constant, you're not actually writing "annotations" - you're inside a "string" in annotations - specifically the "string security expression". So, I don't think that any normal annotation tricks would work here.

So, I think what you need to do is use an expression language trick - specifically the constant function - https://symfony.com/doc/current/components/expression_language/syntax.html#working-with-functions - but I don't think it will feel very nice, unfortunately - I think you would need something like constant("My\Full\Class::EDIT_POST") to use it. On the bright side, it would work and if you ever changed the constant (or removed it) the code would continue to function (or, explode with a clear error in the case of removing it).

Let me know if that helps!

Cheers!

| Reply |

lexhartman 4 years ago

Hey, not really on topic but i was wondering how you guys "styled" the command line outputs? With the nice red/ green backgorund. I thought i saw it somewhere here on SFCasts but i can't find it anymore. I'm getting annoyed by mine own simple output... aarggh. Please let me know, thanks!

| Reply |

sadikoff SFCASTS lexhartman 4 years ago edited

Hey lexhartman

Good question, as I know we do nothing with it, I mean it's default behaviour in osx/linux terminals, there is some difficulties only with windows terminals, but I think it's possible there too

Cheers!

| Reply |

Phil 4 years ago

Heyho
Liked your post. I ran into one problem though:
On POST requests the $subject parameter on the supports method will always be null. So there seems to be now way to use this approach for create requests out of the box or did I miss something?

Cheers and looking forward to feedback on this
Phil

| Reply |

weaverryan SFCASTS Phil 4 years ago edited

Hey @Phil!

Yea, "creates" are always (even outside of an API) a "different animal". That's because the only thing you know is that the user wants to "create a CheeseListing". And so, depending on your needs, you have 2 options:

1) Block access with a role - e.g. is_granted('ROLE_CHEESE_LISTING_CREATE'). That works for simple cases where it makes sense to assign a role to any user who can create cheese listings.

2) Invent a new "attribute" (like we do in this chapter), but with no subject: is_granted('CREATE_CHEESE_LISTING'). You would then, in a custom voter, have a supports like this:


    protected function supports($attribute, $subject)
    {
        return in_array($attribute, ['CREATE_CHEESE_LISTING'])
            && $subject === null;
    }

Then, in voteOnAttribute, you can use whatever logic you need to figure out if the current user should be able to create a cheese listing.

Let me know if that's what you were looking for!

Cheers!

| Reply |

Vincent 4 years ago

Hey,

How to use Voter with paginated collection operation ? On the support method, subject is an instance of ApiPlatform\Core\Bridge\Doctrine\Orm\Paginator and can't do anything to check if subject is an instance of my resource.

And more generally, if $subject is an array of resources, what is the best practice ? Checking if the first array element in an instance of the resource ?

Thanks !

| Reply |

MolloKhan SFCASTS Vincent 4 years ago edited

Hey Vincent

In that case I think what you need to is to check if the user has access to such operation, instead of checking on object by object basis

Cheers!

| Reply |

This tutorial works great for Symfony 5 and API Platform 2.5/2.6.

Symfony 4 API Platform 2.4

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.1.3, <8.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^2.1", // v2.4.5
        "composer/package-versions-deprecated": "^1.11", // 1.11.99
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^1.6", // 1.11.2
        "doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
        "doctrine/orm": "^2.4.5", // v2.7.2
        "nelmio/cors-bundle": "^1.5", // 1.5.6
        "nesbot/carbon": "^2.17", // 2.21.3
        "phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
        "symfony/asset": "4.3.*", // v4.3.2
        "symfony/console": "4.3.*", // v4.3.2
        "symfony/dotenv": "4.3.*", // v4.3.2
        "symfony/expression-language": "4.3.*", // v4.3.2
        "symfony/flex": "^1.1", // v1.21.6
        "symfony/framework-bundle": "4.3.*", // v4.3.2
        "symfony/http-client": "4.3.*", // v4.3.3
        "symfony/monolog-bundle": "^3.4", // v3.4.0
        "symfony/security-bundle": "4.3.*", // v4.3.2
        "symfony/twig-bundle": "4.3.*", // v4.3.2
        "symfony/validator": "4.3.*", // v4.3.2
        "symfony/webpack-encore-bundle": "^1.6", // v1.6.2
        "symfony/yaml": "4.3.*" // v4.3.2
    },
    "require-dev": {
        "hautelook/alice-bundle": "^2.5", // 2.7.3
        "symfony/browser-kit": "4.3.*", // v4.3.3
        "symfony/css-selector": "4.3.*", // v4.3.3
        "symfony/maker-bundle": "^1.11", // v1.12.0
        "symfony/phpunit-bridge": "^4.3", // v4.3.3
        "symfony/stopwatch": "4.3.*", // v4.3.2
        "symfony/web-profiler-bundle": "4.3.*" // v4.3.2
    }
}

Previous Chapter

Next Chapter

Access Control & Voters

Share this awesome video!

Keep on Learning!

Generating the Voter

Updating access_control

How Voters Work

Coding the Voter

Also allowing Admin Access

41 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 4
	use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
	use Symfony\Component\Security\Core\Authorization\Voter\Voter;
	use Symfony\Component\Security\Core\User\UserInterface;

	class CheeseListingVoter extends Voter
	{
	protected function supports($attribute, $subject)
	{
	// replace with your own logic
	// https://symfony.com/doc/current/security/voters.html
	return in_array($attribute, ['POST_EDIT', 'POST_VIEW'])
	&& $subject instanceof \App\Entity\BlogPost;
	}
Show Lines	// ... lines 18 - 40
	}

Show Lines	// ... lines 1 - 16
	/**
	* @ApiResource(
	* itemOperations={
Show Lines	// ... lines 20 - 22
	* "put"={
	* "access_control"="is_granted('EDIT', previous_object)",
Show Lines	// ... line 25
	* },
Show Lines	// ... line 27
	* },
Show Lines	// ... lines 29 - 39
	* )
Show Lines	// ... lines 41 - 50
	*/
	class CheeseListing
Show Lines	// ... lines 53 - 211

Show Lines	// ... lines 1 - 9
	class CheeseListingVoter extends Voter
	{
	protected function supports($attribute, $subject)
	{
	// replace with your own logic
	// https://symfony.com/doc/current/security/voters.html
	return in_array($attribute, ['EDIT'])
	&& $subject instanceof CheeseListing;
	}
Show Lines	// ... lines 19 - 41
	}

Show Lines	// ... lines 1 - 19
	protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
	{
Show Lines	// ... lines 22 - 27
	/** @var CheeseListing $subject */
Show Lines	// ... line 29
	// ... (check conditions and return true to grant permission) ...
	switch ($attribute) {
	case 'EDIT':
	if ($subject->getOwner() === $user) {
	return true;
	}

	return false;
	}

	return false;
	}
Show Lines	// ... lines 42 - 43

Show Lines	// ... lines 1 - 7
	use Symfony\Component\Security\Core\Security;
Show Lines	// ... lines 9 - 10
	class CheeseListingVoter extends Voter
	{
	private $security;

	public function __construct(Security $security)
	{
	$this->security = $security;
	}
Show Lines	// ... lines 19 - 53
	}

Show Lines	// ... lines 1 - 27
	protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
	{
Show Lines	// ... lines 30 - 38
	switch ($attribute) {
	case 'EDIT':
Show Lines	// ... lines 41 - 44
	if ($this->security->isGranted('ROLE_ADMIN')) {
	return true;
	}
Show Lines	// ... lines 48 - 49
	}
Show Lines	// ... lines 51 - 52
	}
Show Lines	// ... lines 54 - 55