[Link] Start Link Security

Author: KDederichs

src/Metadata/Link.php

@@ -16,7 +16,7 @@
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
 final class Link
 {
-    public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null)
+    public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null, private ?string $security = null, private ?string $securityMessage = null)
     {
         // For the inverse property shortcut
         if ($this->parameterName && class_exists($this->parameterName)) {
@@ -128,6 +128,35 @@ public function withExpandedValue(string $expandedValue): self
         return $self;
     }
 
+    public function getSecurity(): ?string
+    {
+        return $this->security;
+    }
+
+    public function getSecurityMessage(): ?string
+    {
+        return $this->securityMessage;
+    }
+
+
+
+    public function withSecurity(?string $security): self
+    {
+        $self = clone $this;
+        $self->security = $security;
+
+        return $self;
+    }
+
+    public function withSecurityMessage(?string $securityMessage): self
+    {
+        $self = clone $this;
+        $self->securityMessage = $securityMessage;
+
+        return $self;
+    }
+
+
     public function withLink(self $link): self
     {
         $self = clone $this;
@@ -164,6 +193,14 @@ public function withLink(self $link): self
             $self->expandedValue = $expandedValue;
         }
 
+        if (!$self->getSecurity() && ($security = $link->getSecurity())) {
+            $self->security = $security;
+        }
+
+        if (!$self->getSecurityMessage() && ($securityMessage = $link->getSecurityMessage())) {
+            $self->securityMessage = $securityMessage;
+        }
+
         return $self;
     }
 }

src/Symfony/EventListener/DenyAccessListener.php

@@ -13,6 +13,7 @@
 
 namespace ApiPlatform\Symfony\EventListener;
 
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
 use ApiPlatform\Util\OperationRequestInitiatorTrait;
@@ -97,5 +98,17 @@ private function checkSecurity(Request $request, string $attribute, array $extra
         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
             throw new AccessDeniedException($message ?? 'Access Denied.');
         }
+
+        if ($operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $key => $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+
+                if (!$this->resourceAccessChecker->isGranted($uriVariable->getToProperty(), $uriVariable->getSecurity(), $extraVariables)) {
+                    throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');
+                }
+            }
+        }
     }
 }

src/Symfony/EventListener/ReadListener.php

@@ -14,10 +14,13 @@
 namespace ApiPlatform\Symfony\EventListener;
 
 use ApiPlatform\Api\UriVariablesConverterInterface;
+use ApiPlatform\Doctrine\Orm\State\ItemProvider;
 use ApiPlatform\Exception\InvalidIdentifierException;
 use ApiPlatform\Exception\InvalidUriVariableException;
 use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Put;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Serializer\SerializerContextBuilderInterface;
 use ApiPlatform\State\ProviderInterface;
@@ -104,6 +107,24 @@ public function onKernelRequest(RequestEvent $event): void
             throw new NotFoundHttpException('Not Found');
         }
 
+        if ($operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $key => $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+                $operationUriVariables = $uriVariable->getIdentifiers();
+                $relationClass = $uriVariable->getFromClass();
+                try {
+                    //$uriVariables = $this->getOperationUriVariables($operation, $parameters, $resourceClass);
+                    $tmp = $this->provider->provide(new Get(uriVariables: $operationUriVariables, class: $relationClass, provider: ItemProvider::class), ['id' => $parameters[$key]], $context);
+                    $request->attributes->set($uriVariable->getToProperty(), $tmp);
+                } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
+                    throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
+                }
+            }
+        }
+
+
         $request->attributes->set('data', $data);
         $request->attributes->set('previous_data', $this->clone($data));
     }