
Symfony 3.4 Access Denied - API REST (Check Profile)

Hello, I am trying to create a REST API with Symfony 3.4.

When I try a GET on http://localhost:8000/users/3 (with a valid token entered), it tells me: Access denied... but when I remove `@Security("is_granted('show', 'theUser')", message="Access denied")` from the UserController it works, except that then you can check not only your own profile but everyone's...

UserController (getUserAction):

<?php

namespace AppBundle\Controller; // namespace assumed; not given in the question

use AppBundle\Entity\User;                           // entity namespace assumed
use AppBundle\Exception\ResourceValidationException; // namespace assumed
use FOS\RestBundle\Controller\Annotations as Rest;
use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Validator\ConstraintViolationListInterface;

class UserController extends Controller
{
    /**
     * @var UserPasswordEncoderInterface
     */
    private $passwordEncoder;

    /**
     * @var JWTEncoderInterface
     */
    private $jwtEncoder;

    public function __construct(UserPasswordEncoderInterface $passwordEncoder, JWTEncoderInterface $jwtEncoder)
    {
        $this->passwordEncoder = $passwordEncoder;
        $this->jwtEncoder = $jwtEncoder;
    }

    /**
     * GET /users/{theUser}: the @Security expression below is the one that
     * produces "Access denied" (note the quotes around theUser).
     *
     * @Rest\View()
     * @Security("is_granted('show', 'theUser')", message="Access denied")
     */
    public function getUserAction(User $theUser)
    {
        if (null === $theUser) {
            throw new NotFoundHttpException();
        }

        return $theUser;
    }

    /**
     * POST /users: deserializes the request body into a User, validates it,
     * hashes the password and stores the new user.
     *
     * @Rest\Post(
     *     path = "/users",
     *     name = "users_add"
     * )
     * @Rest\View(StatusCode=201)
     * @ParamConverter(
     *     "user",
     *     converter="fos_rest.request_body",
     *     options={"deserializationContext"={"groups"={"Deserialize"}}}
     * )
     */
    public function postUserAction(User $user, ConstraintViolationListInterface $violations)
    {
        if (count($violations) > 0) {
            $message = 'The user is not valid: ';
            foreach ($violations as $violation) {
                $message .= sprintf(
                    "Field %s: %s ",
                    $violation->getPropertyPath(),
                    $violation->getMessage()
                );
            }

            throw new ResourceValidationException($message);
        }

        // Never store the plain-text password: hash it with the configured encoder.
        $user->setPassword(
            $this->passwordEncoder->encodePassword(
                $user,
                $user->getPassword()
            )
        );
        // Roles are set server-side, not taken from the request body.
        $user->setRoles([User::ROLE_USER]);

        $em = $this->getDoctrine()->getManager();
        $em->persist($user);
        $em->flush();

        return $user;
    }
}

UserVoter:

<?php

namespace AppBundle\Security; // namespace assumed; not given in the question

use AppBundle\Entity\User; // entity namespace assumed
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class UserVoter extends Voter
{
    const SHOW = 'show';

    /**
     * Determines if the attribute and subject are supported by this voter.
     *
     * @param string $attribute An attribute
     * @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
     *
     * @return bool True if the attribute and subject are supported, false otherwise
     */
    protected function supports($attribute, $subject)
    {
        if (!in_array($attribute, [self::SHOW])) {
            return false;
        }

        // A subject that is not a User entity (for example a plain string) is
        // not supported, so this voter abstains instead of voting.
        if (!$subject instanceof User) {
            return false;
        }

        return true;
    }

    /**
     * Perform a single access check operation on a given attribute, subject and token.
     * It is safe to assume that $attribute and $subject already passed the "supports()" method check.
     *
     * @param string $attribute
     * @param mixed $subject
     * @param TokenInterface $token
     *
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        switch ($attribute) {
            case self::SHOW:
                return $this->isUserHimself($subject, $token);
        }

        return false;
    }

    /**
     * Grants "show" only when the authenticated user is the requested user.
     *
     * @param $subject
     * @param TokenInterface $token
     * @return bool
     */
    protected function isUserHimself($subject, TokenInterface $token)
    {
        $authenticatedUser = $token->getUser();

        if (!$authenticatedUser instanceof User) {
            return false;
        }

        /**
         * @var User $user
         */
        $user = $subject;

        return $authenticatedUser->getId() === $user->getId();
    }
}

OK, everything works fine now!!! I just removed the quotes:

@Security("is_granted('show', 'theUser')", message="Access denied")
@Security("is_granted('show', theUser)", message="Access denied")

If someone could explain what difference it makes in @Security whether or not you put the quotes, thanks :)
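The mechanism behind this, as an added example that is not part of the question: inside the `@Security` expression, `'theUser'` with quotes is a string literal, while `theUser` without quotes resolves to the controller argument of that name. The script below (assuming symfony/security-core 3.4 installed via composer, with DemoUser and DemoUserVoter as constructed stand-ins for the entity and the question's voter) passes both kinds of subject through an AccessDecisionManager with its default affirmative strategy, which is why a voter that does not support the subject results in a denial rather than a grant.

```php
<?php
// Added example (not the question's code). Assumes symfony/security-core 3.4 is
// installed with composer; DemoUser is a constructed stand-in for the entity.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

class DemoUser implements UserInterface
{
    private $id;
    public function __construct($id) { $this->id = $id; }
    public function getId() { return $this->id; }
    public function getUsername() { return 'user'.$this->id; }
    public function getRoles() { return ['ROLE_USER']; }
    public function getPassword() { return ''; }
    public function getSalt() { return null; }
    public function eraseCredentials() {}
}

// Same rule as the question's UserVoter: support only "show" on a DemoUser,
// and grant it only to that same user.
class DemoUserVoter extends Voter
{
    const SHOW = 'show';
    protected function supports($attribute, $subject)
    {
        return self::SHOW === $attribute && $subject instanceof DemoUser;
    }
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $me = $token->getUser();
        return $me instanceof DemoUser && $me->getId() === $subject->getId();
    }
}

// Default strategy: "affirmative" with allowIfAllAbstainDecisions = false,
// so when every voter abstains the request is denied (fail closed).
$adm   = new AccessDecisionManager([new DemoUserVoter()]);
// Stands in for the JWT-authenticated token of user id 3.
$token = new UsernamePasswordToken(new DemoUser(3), null, 'api', ['ROLE_USER']);
// 1) Quoted 'theUser': the subject is the string literal, the voter abstains,
//    and access is denied even though the token is valid.
var_dump($adm->decide($token, ['show'], 'theUser'));
// 2) Unquoted theUser: the subject is the entity; the voter grants only for
//    the same id and denies any other user's profile.
var_dump($adm->decide($token, ['show'], new DemoUser(3)));
var_dump($adm->decide($token, ['show'], new DemoUser(4)));
```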
