Hello i am trying to create an api rest with symfony 3.4.
And when i try to GET in http://localhost:8000/users/3 (token entered for sure) that's tell me : access denied ... but when i delete "@Security("is_granted('show', 'theUser')", message="Access denied")"- of UserController that works but you can check all profiles not only yours...
USER CONTROLLER (get user action):
*/
private $passwordEncoder;
/**
* @var JWTEncoderInterface
*/
private $jwtEncoder;
public function __construct(UserPasswordEncoderInterface $passwordEncoder, JWTEncoderInterface $jwtEncoder)
{
$this->passwordEncoder = $passwordEncoder;
$this->jwtEncoder = $jwtEncoder;
}
/**
* @Rest\View()
* @Security("is_granted('show', 'theUser')", message="Access denied")
*/
public function getUserAction(User $theUser)
{
if (null === $theUser) {
throw new NotFoundHttpException();
}
return $theUser;
}
/**
*
* @Rest\Post(
* path = "/users",
* name = "users_add"
* )
* @Rest\View(StatusCode=201)
* @ParamConverter(
* "user",
* converter="fos_rest.request_body",
* options={"deserializationContent"={"groups"={"Deserialize"}}}
* )
*/
public function postUserAction(User $user, ConstraintViolationListInterface $violations)
{
if (count($violations) > 0) {
$message = 'The user is not valid: ';
foreach ($violations as $violation) {
$message .= sprintf(
"Field %s: %s ",
$violation->getPropertyPath(),
$violation->getMessage()
);
}
throw new ResourceValidationException($message);
}
$user->setPassword(
$this->passwordEncoder->encodePassword(
$user,
$user->getPassword()
)
);
$user->setRoles([User::ROLE_USER]);
$em = $this->getDoctrine()->getManager();
$em->persist($user);
$em->flush();
return $user;
}
}`
USERVOTER: const SHOW = 'show';
/**
* Determines if the attribute and subject are supported by this voter.
*
* @param string $attribute An attribute
* @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
*
* @return bool True if the attribute and subject are supported, false otherwise
*/
protected function supports($attribute, $subject)
{
if (!in_array($attribute, [self::SHOW])) {
return false;
}
if (!$subject instanceof User) {
return false;
}
return true;
}
/**
* Perform a single access check operation on a given attribute, subject and token.
* It is safe to assume that $attribute and $subject already passed the "supports()" method check.
*
* @param string $attribute
* @param mixed $subject
* @param TokenInterface $token
*
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
switch ($attribute) {
case self::SHOW:
return $this->isUserHimself(
$subject,
$token);
}
return false;
}
/**
* @param $subject
* @param TokenInterface $token
* @return bool
*/
protected function isUserHimself($subject, TokenInterface $token)
{
$authenticatedUser = $token->getUser();
if (!$authenticatedUser instanceof User) {
return false;
}
/**
* @var User $user
*/
$user = $subject;
return $authenticatedUser->getId() === $user->getId();
}
}
Ok that's all good !!! I just delete the quotes in : * @Security("is_granted('show', 'theUser')", message="Access denied")
to * @Security("is_granted('show', theUser)", message="Access denied")
If someone can explain what the difference in @Sercurity when you put quotes or not thx :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.