Revert "fix: backport for legacy event system as well"

This reverts commit 16f14c8.

Author: KDederichs

src/Symfony/EventListener/DenyAccessListener.php

@@ -13,7 +13,6 @@
 
 namespace ApiPlatform\Symfony\EventListener;
 
-use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\State\Util\OperationRequestInitiatorTrait;
 use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
@@ -90,31 +89,17 @@ private function checkSecurity(Request $request, string $attribute, array $extra
                 $message = $operation->getSecurityMessage();
         }
 
+        if (null === $isGranted) {
+            return;
+        }
+
         $extraVariables += $request->attributes->all();
         $extraVariables['object'] = $request->attributes->get('data');
         $extraVariables['previous_object'] = $request->attributes->get('previous_data');
         $extraVariables['request'] = $request;
 
-        if ($isGranted && !$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
+        if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
             throw new AccessDeniedException($message ?? 'Access Denied.');
         }
-
-        if ($operation->getUriVariables()) {
-            foreach ($operation->getUriVariables() as $key => $uriVariable) {
-                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
-                    continue;
-                }
-
-                $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
-
-                if (!$targetResource) {
-                    continue;
-                }
-
-                if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $extraVariables)) {
-                    throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');
-                }
-            }
-        }
     }
 }

src/Symfony/EventListener/ReadListener.php

@@ -16,7 +16,6 @@
 use ApiPlatform\Api\UriVariablesConverterInterface;
 use ApiPlatform\Exception\InvalidIdentifierException;
 use ApiPlatform\Exception\InvalidUriVariableException;
-use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Put;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Util\CloneTrait;
@@ -117,47 +116,6 @@ public function onKernelRequest(RequestEvent $event): void
             throw new NotFoundHttpException('Not Found');
         }
 
-        if ($operation->getUriVariables()) {
-            foreach ($operation->getUriVariables() as $key => $uriVariable) {
-                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
-                    continue;
-                }
-
-                $relationClass = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
-
-                if (!$relationClass) {
-                    continue;
-                }
-
-                $parentOperation = $this->resourceMetadataCollectionFactory
-                    ->create($relationClass)
-                    ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? null);
-                try {
-                    $relation = $this->provider->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $request->attributes->all()[$key]], $context);
-                } catch (ProviderNotFoundException) {
-                    $relation = null;
-                }
-                if (!$relation) {
-                    throw new NotFoundHttpException('Not Found');
-                }
-
-                try {
-                    $securityObjectName = $uriVariable->getSecurityObjectName();
-
-                    if (!$securityObjectName) {
-                        $securityObjectName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty();
-                    }
-
-                    if (!$securityObjectName) {
-                        continue;
-                    }
-                    $request->attributes->set($securityObjectName, $relation);
-                } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
-                    throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
-                }
-            }
-        }
-
         $request->attributes->set('data', $data);
         $request->attributes->set('previous_data', $this->clone($data));
     }

tests/Symfony/EventListener/DenyAccessListenerTest.php

@@ -15,8 +15,6 @@
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use ApiPlatform\Metadata\GetCollection;
-use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\ResourceMetadataCollection;
 use ApiPlatform\Symfony\EventListener\DenyAccessListener;
@@ -157,92 +155,6 @@ public function testSecurityComponentNotAvailable(): void
         $listener->onSecurity($event);
     }
 
-    public function testIsGrantedLink(): void
-    {
-        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
-
-        $eventProphecy = $this->prophesize(RequestEvent::class);
-        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
-        $event = $eventProphecy->reveal();
-
-        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
-        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
-            new ApiResource(
-                uriTemplate: '/bars/{barId}/foos',
-                operations: [
-                    'get_collection' => new GetCollection(uriVariables: [
-                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")'),
-                    ], ),
-                ],
-            ),
-        ]));
-
-        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
-        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(true)->shouldBeCalled();
-
-        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
-        $listener->onSecurity($event);
-    }
-
-    public function testIsNotGrantedLink(): void
-    {
-        $this->expectException(AccessDeniedException::class);
-
-        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
-
-        $eventProphecy = $this->prophesize(RequestEvent::class);
-        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
-        $event = $eventProphecy->reveal();
-
-        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
-        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
-            new ApiResource(
-                uriTemplate: '/bars/{barId}/foos',
-                operations: [
-                    'get_collection' => new GetCollection(uriVariables: [
-                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")'),
-                    ], ),
-                ],
-            ),
-        ]));
-
-        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
-        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(false)->shouldBeCalled();
-
-        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
-        $listener->onSecurity($event);
-    }
-
-    public function testSecurityMessageLink(): void
-    {
-        $this->expectException(AccessDeniedException::class);
-        $this->expectExceptionMessage('You are not admin.');
-
-        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_operation_name' => 'get_collection']);
-
-        $eventProphecy = $this->prophesize(RequestEvent::class);
-        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
-        $event = $eventProphecy->reveal();
-
-        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
-        $resourceMetadataFactoryProphecy->create('Foo')->shouldBeCalled()->willReturn(new ResourceMetadataCollection('Foo', [
-            new ApiResource(
-                uriTemplate: '/bars/{barId}/foos',
-                operations: [
-                    'get_collection' => new GetCollection(uriVariables: [
-                        'barId' => new Link(toProperty: 'bar', fromClass: 'Bar', security: 'is_granted("some_voter", "bar")', securityMessage: 'You are not admin.'),
-                    ], ),
-                ],
-            ),
-        ]));
-
-        $resourceAccessCheckerProphecy = $this->prophesize(ResourceAccessCheckerInterface::class);
-        $resourceAccessCheckerProphecy->isGranted('Bar', 'is_granted("some_voter", "bar")', Argument::type('array'))->willReturn(false)->shouldBeCalled();
-
-        $listener = $this->getListener($resourceMetadataFactoryProphecy->reveal(), $resourceAccessCheckerProphecy->reveal());
-        $listener->onSecurity($event);
-    }
-
     private function getListener(ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, ResourceAccessCheckerInterface $resourceAccessChecker = null): DenyAccessListener
     {
         if (null === $resourceAccessChecker) {