Fix #1646

Author: vincentchalamon

features/authorization/legacy_deny.feature

@@ -0,0 +1,96 @@
+Feature: Authorization checking
+  In order to use the API
+  As a client software user
+  I need to be authorized to access a given resource using legacy access_control attribute.
+
+  @createSchema
+  Scenario: An anonymous user retrieves a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I send a "GET" request to "/legacy_secured_dummies"
+    Then the response status code should be 401
+
+  Scenario: An authenticated user retrieve a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/legacy_secured_dummies"
+    Then the response status code should be 200
+    And the response should be in JSON
+
+  Scenario: A standard user cannot create a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "POST" request to "/legacy_secured_dummies" with body:
+    """
+    {
+        "title": "Title",
+        "description": "Description",
+        "owner": "foo"
+    }
+    """
+    Then the response status code should be 403
+
+  Scenario: An admin can create a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "POST" request to "/legacy_secured_dummies" with body:
+    """
+    {
+        "title": "Title",
+        "description": "Description",
+        "owner": "someone"
+    }
+    """
+    Then the response status code should be 201
+
+  Scenario: An admin can create another secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "POST" request to "/legacy_secured_dummies" with body:
+    """
+    {
+        "title": "Special Title",
+        "description": "Description",
+        "owner": "dunglas"
+    }
+    """
+    Then the response status code should be 201
+
+  Scenario: A user cannot retrieve an item they doesn't own
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/legacy_secured_dummies/1"
+    Then the response status code should be 403
+    And the response should be in JSON
+
+  Scenario: A user can retrieve an item they owns
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/legacy_secured_dummies/2"
+    Then the response status code should be 200
+
+  Scenario: A user can't assign to themself an item they doesn't own
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "PUT" request to "/legacy_secured_dummies/2" with body:
+    """
+    {
+        "owner": "kitten"
+    }
+    """
+    Then the response status code should be 403
+
+  Scenario: A user can update an item they owns and transfer it
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "PUT" request to "/legacy_secured_dummies/2" with body:
+    """
+    {
+        "owner": "vincent"
+    }
+    """
+    Then the response status code should be 200

src/Annotation/ApiResource.php

@@ -25,6 +25,10 @@
  * @Attributes(
  *     @Attribute("accessControl", type="string"),
  *     @Attribute("accessControlMessage", type="string"),
+ *     @Attribute("security", type="string"),
+ *     @Attribute("securityMessage", type="string"),
+ *     @Attribute("securityPostDenormalize", type="string"),
+ *     @Attribute("securityPostDenormalizeMessage", type="string"),
  *     @Attribute("attributes", type="array"),
  *     @Attribute("cacheHeaders", type="array"),
  *     @Attribute("collectionOperations", type="array"),
@@ -116,6 +120,34 @@ final class ApiResource
      */
     private $accessControlMessage;
 
+    /**
+     * @see https://github.com/Haehnchen/idea-php-annotation-plugin/issues/112
+     *
+     * @var string
+     */
+    private $security;
+
+    /**
+     * @see https://github.com/Haehnchen/idea-php-annotation-plugin/issues/112
+     *
+     * @var string
+     */
+    private $securityMessage;
+
+    /**
+     * @see https://github.com/Haehnchen/idea-php-annotation-plugin/issues/112
+     *
+     * @var string
+     */
+    private $securityPostDenormalize;
+
+    /**
+     * @see https://github.com/Haehnchen/idea-php-annotation-plugin/issues/112
+     *
+     * @var string
+     */
+    private $securityPostDenormalizeMessage;
+
     /**
      * @see https://github.com/Haehnchen/idea-php-annotation-plugin/issues/112
      *

src/Bridge/Symfony/Bundle/Resources/config/security.xml

@@ -18,8 +18,10 @@
             <argument type="service" id="api_platform.metadata.resource.metadata_factory" />
             <argument type="service" id="api_platform.security.resource_access_checker" />
 
-            <!-- This listener must be executed only when the current object is available -->
-            <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="1" />
+            <!-- This method must be executed only when the current object is available, before deserialization -->
+            <tag name="kernel.event_listener" event="kernel.request" method="onSecurity" priority="3" />
+            <!-- This method must be executed only when the current object is available, after deserialization -->
+            <tag name="kernel.event_listener" event="kernel.request" method="onSecurityPostDenormalize" priority="1" />
         </service>
     </services>
 

src/EventListener/ReadListener.php

@@ -115,6 +115,6 @@ public function onKernelRequest(GetResponseEvent $event): void
         }
 
         $request->attributes->set('data', $data);
-        $request->attributes->set('previous_data', \is_object($data) ? clone $data : $data);
+        $request->attributes->set('previous_data', \is_object($data) && (new \ReflectionClass(\get_class($data)))->isCloneable() ? clone $data : $data);
     }
 }

src/GraphQl/Resolver/Factory/CollectionResolverFactory.php

@@ -95,9 +95,12 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
                 $collection = $this->collectionDataProvider->getCollection($resourceClass, null, $dataProviderContext);
             }
 
-            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, [
+            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security', [
                 'object' => $collection,
-                'previous_object' => \is_object($collection) ? clone $collection : $collection,
+            ], $operationName ?? 'query');
+            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security_post_denormalize', [
+                'object' => $collection,
+                'previous_object' => \is_object($collection) && (new \ReflectionClass(\get_class($collection)))->isCloneable() ? clone $collection : $collection,
             ], $operationName ?? 'query');
 
             if (!$this->paginationEnabled) {

src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php

@@ -96,13 +96,17 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
                     throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceMetadata->getShortName()), $info->fieldNodes, $info->path);
                 }
             }
-            $previousItem = \is_object($item) ? clone $item : $item;
+            $previousItem = \is_object($item) && (new \ReflectionClass(\get_class($item)))->isCloneable() ? clone $item : $item;
+
+            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security', [
+                'object' => $item,
+            ], $operationName);
 
             $inputMetadata = $resourceMetadata->getGraphqlAttribute($operationName, 'input', null, true);
             $inputClass = null;
             if (\is_array($inputMetadata) && \array_key_exists('class', $inputMetadata)) {
                 if (null === $inputMetadata['class']) {
-                    $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, [
+                    $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security', [
                         'object' => $item,
                         'previous_object' => $previousItem,
                     ], $operationName);
@@ -121,7 +125,7 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
 
                 $context += $resourceMetadata->getGraphqlAttribute($operationName, 'denormalization_context', [], true);
                 $item = $this->normalizer->denormalize($args['input'], $inputClass ?: $resourceClass, ItemNormalizer::FORMAT, $context);
-                $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, [
+                $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security_post_denormalize', [
                     'object' => $item,
                     'previous_object' => $previousItem,
                 ], $operationName);
@@ -135,7 +139,7 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
                 return [$wrapFieldName => $this->normalizer->normalize($persistResult ?? $item, ItemNormalizer::FORMAT, $normalizationContext)] + $data;
             }
 
-            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, [
+            $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security_post_denormalize', [
                 'object' => $item,
                 'previous_object' => $previousItem,
             ], $operationName);

src/GraphQl/Resolver/ItemResolver.php

@@ -69,9 +69,12 @@ public function __invoke($source, $args, $context, ResolveInfo $info)
 
         $resourceClass = $this->getObjectClass($item);
         $resourceMetadata = $this->resourceMetadataFactory->create($resourceClass);
-        $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, [
+        $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security', [
             'object' => $item,
-            'previous_object' => clone $item,
+        ], 'query');
+        $this->canAccess($this->resourceAccessChecker, $resourceMetadata, $resourceClass, $info, 'security_post_denormalize', [
+            'object' => $item,
+            'previous_object' => \is_object($item) && (new \ReflectionClass(\get_class($item)))->isCloneable() ? clone $item : $item,
         ], 'query');
 
         $normalizationContext = $resourceMetadata->getGraphqlAttribute('query', 'normalization_context', [], true);

src/GraphQl/Resolver/ResourceAccessCheckerTrait.php

@@ -30,17 +30,29 @@ trait ResourceAccessCheckerTrait
     /**
      * @throws Error
      */
-    public function canAccess(?ResourceAccessCheckerInterface $resourceAccessChecker, ResourceMetadata $resourceMetadata, string $resourceClass, ResolveInfo $info, $extraVariables = [], string $operationName = null): void
+    public function canAccess(?ResourceAccessCheckerInterface $resourceAccessChecker, ResourceMetadata $resourceMetadata, string $resourceClass, ResolveInfo $info, string $attribute, $extraVariables = [], string $operationName = null): void
     {
+        if ('access_control' === $attribute) {
+            @trigger_error('Sending "access_control" attribute is deprecated since API Platform 2.4 and will not be possible anymore in API Platform 3. Use "security" or "security_post_denormalize" attributes instead.', E_USER_DEPRECATED);
+        }
+
         if (null === $resourceAccessChecker) {
             return;
         }
 
-        $isGranted = $resourceMetadata->getGraphqlAttribute($operationName ?? '', 'access_control', null, true);
+        $isGranted = $resourceMetadata->getGraphqlAttribute($operationName ?? '', $attribute, null, true);
+        if (null === $isGranted) {
+            // Backward compatibility
+            $isGranted = $resourceMetadata->getGraphqlAttribute($operationName ?? '', 'access_control', null, true);
+            if (null !== $isGranted) {
+                @trigger_error('Using "access_control" attribute is deprecated since API Platform 2.4 and will not be possible anymore in API Platform 3. Use "security" attribute instead.', E_USER_DEPRECATED);
+            }
+        }
+
         if (null === $isGranted || $resourceAccessChecker->isGranted($resourceClass, $isGranted, $extraVariables)) {
             return;
         }
 
-        throw Error::createLocatedError($resourceMetadata->getGraphqlAttribute($operationName ?? '', 'access_control_message', 'Access Denied.'), $info->fieldNodes, $info->path);
+        throw Error::createLocatedError($resourceMetadata->getGraphqlAttribute($operationName ?? '', 'security_message', 'Access Denied.'), $info->fieldNodes, $info->path);
     }
 }

src/Security/EventListener/DenyAccessListener.php

@@ -18,6 +18,7 @@
 use ApiPlatform\Core\Security\ResourceAccessChecker;
 use ApiPlatform\Core\Security\ResourceAccessCheckerInterface;
 use ApiPlatform\Core\Util\RequestAttributesExtractor;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
@@ -52,31 +53,55 @@ public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFa
         @trigger_error(sprintf('Passing an instance of "%s" or null as second argument of "%s" is deprecated since API Platform 2.2 and will not be possible anymore in API Platform 3. Pass an instance of "%s" and no extra argument instead.', ExpressionLanguage::class, self::class, ResourceAccessCheckerInterface::class), E_USER_DEPRECATED);
     }
 
+    public function onKernelRequest(GetResponseEvent $event): void
+    {
+        @trigger_error(sprintf('Method "%1$s::onKernelRequest" is deprecated since API Platform 2.4 and will not be available anymore in API Platform 3. Prefer calling "%1$s::onSecurity" instead.', self::class), E_USER_DEPRECATED);
+        $this->onSecurityPostDenormalize($event);
+    }
+
+    public function onSecurity(GetResponseEvent $event): void
+    {
+        $this->checkSecurity($event->getRequest(), 'security', false);
+    }
+
+    public function onSecurityPostDenormalize(GetResponseEvent $event): void
+    {
+        $request = $event->getRequest();
+        $this->checkSecurity($request, 'security_post_denormalize', true, [
+            'previous_object' => $request->attributes->get('previous_data'),
+        ]);
+    }
+
     /**
      * @throws AccessDeniedException
      */
-    public function onKernelRequest(GetResponseEvent $event): void
+    private function checkSecurity(Request $request, string $attribute, bool $backwardCompatibility, array $extraVariables = []): void
     {
-        $request = $event->getRequest();
         if (!$attributes = RequestAttributesExtractor::extractAttributes($request)) {
             return;
         }
 
         $resourceMetadata = $this->resourceMetadataFactory->create($attributes['resource_class']);
 
-        $isGranted = $resourceMetadata->getOperationAttribute($attributes, 'access_control', null, true);
+        $isGranted = $resourceMetadata->getOperationAttribute($attributes, $attribute, null, true);
+        if ($backwardCompatibility && null === $isGranted) {
+            // Backward compatibility
+            $isGranted = $resourceMetadata->getOperationAttribute($attributes, 'access_control', null, true);
+            if (null !== $isGranted) {
+                @trigger_error('Using "access_control" attribute is deprecated since API Platform 2.4 and will not be possible anymore in API Platform 3. Use "security" attribute instead.', E_USER_DEPRECATED);
+            }
+        }
 
         if (null === $isGranted) {
             return;
         }
 
-        $extraVariables = $request->attributes->all();
+        $extraVariables += $request->attributes->all();
         $extraVariables['object'] = $request->attributes->get('data');
-        $extraVariables['previous_object'] = $request->attributes->get('previous_data');
         $extraVariables['request'] = $request;
 
         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
-            throw new AccessDeniedException($resourceMetadata->getOperationAttribute($attributes, 'access_control_message', 'Access Denied.', true));
+            throw new AccessDeniedException($resourceMetadata->getOperationAttribute($attributes, $attribute.'_message', 'Access Denied.', true));
         }
     }
 }

src/Security/ResourceAccessChecker.php

@@ -45,13 +45,13 @@ public function __construct(ExpressionLanguage $expressionLanguage = null, Authe
     public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool
     {
         if (null === $this->tokenStorage || null === $this->authenticationTrustResolver) {
-            throw new \LogicException('The "symfony/security" library must be installed to use the "access_control" attribute.');
+            throw new \LogicException('The "symfony/security" library must be installed to use the "security" attribute.');
         }
         if (null === $token = $this->tokenStorage->getToken()) {
-            throw new \LogicException('The current token must be set to use the "access_control" attribute (is the URL behind a firewall?).');
+            throw new \LogicException('The current token must be set to use the "security" attribute (is the URL behind a firewall?).');
         }
         if (null === $this->expressionLanguage) {
-            throw new \LogicException('The "symfony/expression-language" library must be installed to use the "access_control".');
+            throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security".');
         }
 
         return (bool) $this->expressionLanguage->evaluate($expression, array_merge($extraVariables, $this->getVariables($token)));