fix: backport for legacy event system as well

Author: KDederichs

src/State/Provider/ReadProvider.php

@@ -106,7 +106,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
                     ->create($relationClass)
                     ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? null);
                 try {
-                    $relation = $this->provider->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $context['request']->attributes->all()[$key]], $context);
+                    $relation = $this->provider->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $request?->attributes->all()[$key]], $context);
                 } catch (ProviderNotFoundException) {
                     $relation = null;
                 }
@@ -124,8 +124,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
                     if (!$securityObjectName) {
                         continue;
                     }
-                    var_dump($securityObjectName);
-                    $request->attributes->set($securityObjectName, $relation);
+                    $request?->attributes->set($securityObjectName, $relation);
                 } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
                     throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
                 }

src/Symfony/EventListener/DenyAccessListener.php

@@ -13,6 +13,7 @@
 
 namespace ApiPlatform\Symfony\EventListener;
 
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\State\Util\OperationRequestInitiatorTrait;
 use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
@@ -89,17 +90,31 @@ private function checkSecurity(Request $request, string $attribute, array $extra
                 $message = $operation->getSecurityMessage();
         }
 
-        if (null === $isGranted) {
-            return;
-        }
-
         $extraVariables += $request->attributes->all();
         $extraVariables['object'] = $request->attributes->get('data');
         $extraVariables['previous_object'] = $request->attributes->get('previous_data');
         $extraVariables['request'] = $request;
 
-        if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
+        if ($isGranted && !$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
             throw new AccessDeniedException($message ?? 'Access Denied.');
         }
+
+        if ($operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $key => $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+
+                $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$targetResource) {
+                    continue;
+                }
+
+                if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $extraVariables)) {
+                    throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');
+                }
+            }
+        }
     }
 }

src/Symfony/EventListener/ReadListener.php

@@ -16,6 +16,7 @@
 use ApiPlatform\Api\UriVariablesConverterInterface;
 use ApiPlatform\Exception\InvalidIdentifierException;
 use ApiPlatform\Exception\InvalidUriVariableException;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Put;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Util\CloneTrait;
@@ -116,6 +117,47 @@ public function onKernelRequest(RequestEvent $event): void
             throw new NotFoundHttpException('Not Found');
         }
 
+        if ($operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $key => $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+
+                $relationClass = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$relationClass) {
+                    continue;
+                }
+
+                $parentOperation = $this->resourceMetadataCollectionFactory
+                    ->create($relationClass)
+                    ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? null);
+                try {
+                    $relation = $this->provider->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $request->attributes->all()[$key]], $context);
+                } catch (ProviderNotFoundException) {
+                    $relation = null;
+                }
+                if (!$relation) {
+                    throw new NotFoundHttpException('Not Found');
+                }
+
+                try {
+                    $securityObjectName = $uriVariable->getSecurityObjectName();
+
+                    if (!$securityObjectName) {
+                        $securityObjectName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty();
+                    }
+
+                    if (!$securityObjectName) {
+                        continue;
+                    }
+                    $request->attributes->set($securityObjectName, $relation);
+                } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
+                    throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
+                }
+            }
+        }
+
         $request->attributes->set('data', $data);
         $request->attributes->set('previous_data', $this->clone($data));
     }

tests/Symfony/EventListener/DenyAccessListenerTest.php

@@ -15,6 +15,8 @@
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\ResourceMetadataCollection;
 use ApiPlatform\Symfony\EventListener\DenyAccessListener;
@@ -155,6 +157,92 @@ public function testSecurityComponentNotAvailable(): void
         $listener->onSecurity($event);
     }
 
+    public function testIsGrantedLink(): void
+    {
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
+
+        $eventProphecy = $this->prophesize(RequestEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
+            new ApiResource(
+                uriTemplate: '/bars/{barId}/foos',
+                operations: [
+                    'get_collection' => new GetCollection(uriVariables: [
+                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")'),
+                    ], ),
+                ],
+            ),
+        ]));
+
+        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
+        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(true)->shouldBeCalled();
+
+        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
+        $listener->onSecurity($event);
+    }
+
+    public function testIsNotGrantedLink(): void
+    {
+        $this->expectException(AccessDeniedException::class);
+
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
+
+        $eventProphecy = $this->prophesize(RequestEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
+            new ApiResource(
+                uriTemplate: '/bars/{barId}/foos',
+                operations: [
+                    'get_collection' => new GetCollection(uriVariables: [
+                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")'),
+                    ], ),
+                ],
+            ),
+        ]));
+
+        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
+        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(false)->shouldBeCalled();
+
+        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
+        $listener->onSecurity($event);
+    }
+
+    public function testSecurityMessageLink(): void
+    {
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('You are not admin.');
+
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
+
+        $eventProphecy = $this->prophesize(RequestEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
+            new ApiResource(
+                uriTemplate: '/bars/{barId}/foos',
+                operations: [
+                    'get_collection' => new GetCollection(uriVariables: [
+                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")', securityMessage: 'You are not admin.'),
+                    ], ),
+                ],
+            ),
+        ]));
+
+        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
+        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(false)->shouldBeCalled();
+
+        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
+        $listener->onSecurity($event);
+    }
+
     private function getListener(ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, ResourceAccessCheckerInterface $resourceAccessChecker = null): DenyAccessListener
     {
         if (null === $resourceAccessChecker) {