ManyToMany itemOperations "access_control"

Question

Thats the code from the docu

// https://api-platform.com/docs/core/security/#security
itemOperations={
     "get"={"access_control"="is_granted('ROLE_USER') and object.owner == user"}
 }

how can i get that realized with many to many, i tried many different expressions but everytime i get a error.

<?php
// api/src/Entity/Book.php

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Assert;

/**
 * Secured resource.
 *
 * @ApiResource(
 *     itemOperations={
 *         "get"={"access_control"="is_granted('ROLE_USER') and object.users == user"}
 *     }
 * )
 * @ORM\Entity
 */
class Book
{
    // ...

    /**
     * @var User The owner
     *
     * @ORM\ManyToMany(targetEntity="App\Entity\User", mappedBy="book", cascade={"persist"})
     */
    public $users;

    // ...
}

Answer 1

nYou cant in those cases where the target relation is a collection. In this case, users collection.

For these cases, you should create a subscriber with PRE_SERIALIZE event and throw Access Denied exception there.

You have to do something like this. As you say you have a ManyToMany relation, I guess that you have an intermediate entity between book and user, so you should use that repository for find user <-> book then.

<?php

namespace App\EventSubscriber;

use ApiPlatform\Core\EventListener\EventPriorities;
use App\Entity\User;
use App\Entity\Book;
use App\Repository\UserRepository;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseForControllerResultEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

class ChatMessagePreSerializeSubscriber implements EventSubscriberInterface
{
    private $tokenStorage;
    private $userRepository;
    private $authorizationChecker;

    public function __construct(
        TokenStorageInterface $tokenStorage,
        UserRepository $userRepository,
        AuthorizationCheckerInterface $authorizationChecker
    ) {
        $this->tokenStorage = $tokenStorage;
        $this->userRepository = $userRepository;
        $this->authorizationChecker = $authorizationChecker;
    }

    /**
     * {@inheritdoc}
     */
    public static function getSubscribedEvents()
    {
        return [
            KernelEvents::VIEW => ['bookPreSerialize', EventPriorities::PRE_SERIALIZE],
        ];
    }

    public function bookPreSerialize(GetResponseForControllerResultEvent $event)
    {
        $book = $event->getControllerResult();
        $method = $event->getRequest()->getMethod();

        if (!$book instanceof Book || (Request::METHOD_GET !== $method)) {
            return;
        }

        $currentUser = $this->tokenStorage->getToken()->getUser();
        if (!$currentUser instanceof User)
            return;

        $user = $this->userRepository->findOneBy(['id' => $currentUser->getId(), 'book' => $book]);
        if (!$user instanceof User)
            throw new AccessDeniedHttpException();
    }
}

Answer 2

Here is something I did for a resource that is ManytoOne related to intermediate entity Events ManytoOne related to one Organizer, with Users ManyToMany related to Organizers (collection).

I transform the collection to Array and use "in" operator to compare data. For a more sophisticated operation you should look at Doctrine Extension as it's describe in API Platform doc.

#[ApiResource(
    operations: [
        new GetCollection(),
        new Post(),
        new Get(security: "object.getEvent().getOrganizer() in user.getOrganizers().toArray()"),
        new Patch(),
        new Delete()
    ]
)]