Chapters
39 Chapters
|
4:45:13
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3, <8.0
Subscribe to download the code!Compatible PHP versions: ^7.1.3, <8.0
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
17.
ACL & previousObject
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
This tutorial works great for Symfony 5 and API Platform 2.5/2.6.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.1.3, <8.0",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^2.1", // v2.4.5
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.13.2
"doctrine/doctrine-bundle": "^1.6", // 1.11.2
"doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
"doctrine/orm": "^2.4.5", // v2.7.2
"nelmio/cors-bundle": "^1.5", // 1.5.6
"nesbot/carbon": "^2.17", // 2.21.3
"phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
"symfony/asset": "4.3.*", // v4.3.2
"symfony/console": "4.3.*", // v4.3.2
"symfony/dotenv": "4.3.*", // v4.3.2
"symfony/expression-language": "4.3.*", // v4.3.2
"symfony/flex": "^1.1", // v1.21.6
"symfony/framework-bundle": "4.3.*", // v4.3.2
"symfony/http-client": "4.3.*", // v4.3.3
"symfony/monolog-bundle": "^3.4", // v3.4.0
"symfony/security-bundle": "4.3.*", // v4.3.2
"symfony/twig-bundle": "4.3.*", // v4.3.2
"symfony/validator": "4.3.*", // v4.3.2
"symfony/webpack-encore-bundle": "^1.6", // v1.6.2
"symfony/yaml": "4.3.*" // v4.3.2
},
"require-dev": {
"hautelook/alice-bundle": "^2.5", // 2.7.3
"symfony/browser-kit": "4.3.*", // v4.3.3
"symfony/css-selector": "4.3.*", // v4.3.3
"symfony/maker-bundle": "^1.11", // v1.12.0
"symfony/phpunit-bridge": "^4.3", // v4.3.3
"symfony/stopwatch": "4.3.*", // v4.3.2
"symfony/web-profiler-bundle": "4.3.*" // v4.3.2
}
}
6 Comments
Hey :)
I faced with the '401 Unauthorized' error while trying to create the User, so I thought it might be useful to write here about the way to fix it..
I find out that the new system (after Symfony v5.3) doesn't "authenticate" user by default with
IS_AUTHENTICATED_ANONYMOUSLY, because anonymous users no longer exist. So in this case we should useis_granted('PUBLIC_ACCESS').Cheers!
Hey @Mykyta!
You're totally right! Once you switch to the new security system (
enable_authenticator_manager: trueinsecurity.yamlin Symfony 5.3/5.4 and ALWAYS activated in Symfony 6.0 and beyond),IS_AUTHENTICATED_ANONYMOUSLYis gone andPUBLIC_ACCESSreplaces it. I'll add a note about this!Cheers!
Hello, in API Platform 2.5, so, which is the best solution between :
and
?
Hey Kiuega!
Sorry for the slow reply - this message was waiting for me :).
Hmm. I think... these are identical. Though, I would go with the second one: if the object's current owner != the current user, then we already know with complete certainty that this operation should be stopped. Doing it the second way will avoid going through the deserialization process. So, it's a nice way to exit earlier and avoid unnecessary work. But unless I'm not thinking about something, in functional terms, these are identical.
Cheers!
There is something wrong, that doesn't work for me, I can't explain but found working solution. Can anyone explain?
Environment
<br />...<br />"php": ">=7.2.5",<br />"api-platform/core": "^2.5",<br />"symfony/framework-bundle": "5.1.*",<br />...<br />NOT working <b>Entity/CheeseListing.php</b>
`
/**
*/
`
Working <b>Entity/CheeseListing.php</b>, due to https://api-platform.com/docs/core/security/#executing-access-control-rules-after-denormalization
`
/**
*/
`
Hey @the_shadow!
Sorry for the slow reply! This is a good topic :).
In our tutorial, which pre-dates the "security" attribute, we used:
In API Platform 2.5 and higher, as you know, we now have
securityandsecurity_post_denormalize. Basically,access_control===security_post_denormalize. What I mean is, both of these run after denormalization, and so they work exactly the same. That's what you're seeing: you're passing the exact same expression tosecurity_post_denormalizeas I pass toaccess_controlin this tutorial and it works. For both of these,previous_objectis the object from before the JSON was deserialized andobjectis from after.The difference between
securityandsecurity_post_denormalizeis thatsecurityruns before deserialization. In this situation, theobjectvariable is the original object, before the JSON is deserialized. And there actually is no variable calledprevious_object.I hope this explains what's going on! So, you can use your solution or use
securitybut change the variable fromprevious_objecttoobject. That second solution is technically a "bit" more correct, because it will deny access even before your JSON is deserialized.Let me know if that helps!
Cheers!
"Houston: no signs of life"
Start the conversation!