Fix #1646

vincentchalamon · vincentchalamon · commit 7d183aea90d8 · 2019-08-19T15:32:57.000+02:00
diff --git a/core/graphql.md b/core/graphql.md
@@ -783,7 +783,7 @@ For the previous page, you would add the `startCursor` from the current page as
 How do you know when you have reached the last page? It is the aim of the property `hasNextPage` or `hasPreviousPage` in `pageInfo`.
 When it is false, you know it is the last page and moving forward or backward will give you an empty result.
 
-## Security (`access_control`)
+## Security
 
 To add a security layer to your queries and mutations, follow the [security](security.md) documentation.
 
@@ -802,17 +802,17 @@ use ApiPlatform\Core\Annotation\ApiResource;
 
 /**
  * @ApiResource(
- *     attributes={"access_control"="is_granted('ROLE_USER')"},
+ *     attributes={"security"="is_granted('ROLE_USER')"},
  *     collectionOperations={
- *         "post"={"access_control"="is_granted('ROLE_ADMIN')", "access_control_message"="Only admins can add books."}
+ *         "post"={"security"="is_granted('ROLE_ADMIN')", "security_message"="Only admins can add books."}
  *     },
  *     itemOperations={
- *         "get"={"access_control"="is_granted('ROLE_USER') and object.owner == user", "access_control_message"="Sorry, but you are not the book owner."}
+ *         "get"={"security"="is_granted('ROLE_USER') and object.owner == user", "security_message"="Sorry, but you are not the book owner."}
  *     },
  *     graphql={
- *         "query"={"access_control"="is_granted('ROLE_USER') and object.owner == user"},
- *         "delete"={"access_control"="is_granted('ROLE_ADMIN')"},
- *         "create"={"access_control"="is_granted('ROLE_ADMIN')"}
+ *         "query"={"security"="is_granted('ROLE_USER') and object.owner == user"},
+ *         "delete"={"security"="is_granted('ROLE_ADMIN')"},
+ *         "create"={"security"="is_granted('ROLE_ADMIN')"}
  *     }
  * )
  */
diff --git a/core/operations.md b/core/operations.md
@@ -468,7 +468,7 @@ class Question
 
 ### Access Control of Subresources
 
-The `subresourceOperations` attribute also allows you to add an access control on each path with the attribute `access_control`.
+The `subresourceOperations` attribute also allows you to add an access control on each path with the attribute `security`.
 
 ```php
 <?php
@@ -479,7 +479,7 @@ The `subresourceOperations` attribute also allows you to add an access control o
  * @ApiResource(
  *     subresourceOperations={
  *          "api_questions_answer_get_subresource"= {
- *              "access_control"="has_role('ROLE_AUTHENTICATED')"
+ *              "security"="has_role('ROLE_AUTHENTICATED')"
  *          }
  *      }
  * )
diff --git a/core/security.md b/core/security.md
@@ -24,13 +24,13 @@ use Symfony\Component\Validator\Constraints as Assert;
  * Secured resource.
  *
  * @ApiResource(
- *     attributes={"access_control"="is_granted('ROLE_USER')"},
+ *     attributes={"security"="is_granted('ROLE_USER')"},
  *     collectionOperations={
  *         "get",
- *         "post"={"access_control"="is_granted('ROLE_ADMIN')"}
+ *         "post"={"security"="is_granted('ROLE_ADMIN')"}
  *     },
  *     itemOperations={
- *         "get"={"access_control"="is_granted('ROLE_USER') and object.owner == user"},
+ *         "get"={"security"="is_granted('ROLE_USER') and object.owner == user"},
  *         "put"={"access_control"="is_granted('ROLE_USER') and previous_object.owner == user"},
  *     }
  * )
@@ -78,7 +78,7 @@ if you really need to.
 ## Configuring the Access Control Message
 
 By default when API requests are denied, you will get the "Access Denied" message.
-You can change it by configuring the "access\_control\_message" attribute.
+You can change it by configuring the "security\_message" attribute.
 
 For example:
 
@@ -93,12 +93,12 @@ use ApiPlatform\Core\Annotation\ApiResource;
 /**
  * ...
  * @ApiResource(
- *     attributes={"access_control"="is_granted('ROLE_USER')"},
+ *     attributes={"security"="is_granted('ROLE_USER')"},
  *     collectionOperations={
- *         "post"={"access_control"="is_granted('ROLE_ADMIN')", "access_control_message"="Only admins can add books."}
+ *         "post"={"security"="is_granted('ROLE_ADMIN')", "security_message"="Only admins can add books."}
  *     },
  *     itemOperations={
- *         "get"={"access_control"="is_granted('ROLE_USER') and object.owner == user", "access_control_message"="Sorry, but you are not the book owner."}
+ *         "get"={"security"="is_granted('ROLE_USER') and object.owner == user", "security_message"="Sorry, but you are not the book owner."}
  *     }
  * )
  */
@@ -114,17 +114,62 @@ Alternatively, using YAML:
 # api/config/api_platform/resources.yaml
 App\Entity\Book:
     attributes:
-        access_control: 'is_granted("ROLE_USER")'
+        security: 'is_granted("ROLE_USER")'
     collectionOperations:
         post:
             method: 'POST'
-            access_control: 'is_granted("ROLE_ADMIN")'
-            access_control_message: 'Only admins can add books.'
+            security: 'is_granted("ROLE_ADMIN")'
+            security_message: 'Only admins can add books.'
     itemOperations:
         get:
             method: 'GET'
-            access_control: 'is_granted("ROLE_USER") and object.owner == user'
-            access_control_message: 'Sorry, but you are not the book owner.'
+            security: 'is_granted("ROLE_USER") and object.owner == user'
+            security_message: 'Sorry, but you are not the book owner.'
+    # ...
+```
+
+## Execute security after denormalization
+
+The "security" attribute is executed before the object denormalization. For some cases, it might be useful to execute
+a security after the denormalization.
+To do so, prefer using "late\_security", which allows you to use the "previous\_object" as the denormalized object:
+
+```php
+<?php
+// src/Entity/Book.php
+
+namespace App\Entity;
+
+use ApiPlatform\Core\Annotation\ApiResource;
+
+/**
+ * ...
+ * @ApiResource(
+ *     attributes={"security"="is_granted('ROLE_USER')"},
+ *     itemOperations={
+ *         "get",
+ *         "put"={"late_security"="is_granted("ROLE_USER") and previous_object.owner == user"}
+ *     }
+ * )
+ */
+class Book
+{
+    // ...
+}
+```
+
+Alternatively, using YAML:
+
+```yaml
+# api/config/api_platform/resources.yaml
+App\Entity\Book:
+    attributes:
+        security: 'is_granted("ROLE_USER")'
+    itemOperations:
+        get: ~
+        put:
+            method: 'PUT'
+            late_security: 'is_granted("ROLE_USER") and previous_object.owner == user'
     # ...
 ```
 
