Skip to content

Fixed dependency issue when SecurityBundle is not installed #3149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 7, 2019
Merged

Fixed dependency issue when SecurityBundle is not installed #3149

merged 3 commits into from
Oct 7, 2019

Conversation

reypm
Copy link
Contributor

@reypm reypm commented Oct 4, 2019
edited
Loading

Q A
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets api-platform/api-platform#1265
License MIT

@alanpoulain
Copy link
Member

You need to modify the code inside the stages too to handle the case when $resourceAccessChecker is null.

@reypm
Copy link
Contributor Author

reypm commented Oct 4, 2019

You need to modify the code inside the stages too to handle the case when $resourceAccessChecker is null.

What do you mean? Not following you on the word stages 🤔

@alanpoulain
Copy link
Member

The services you are modifying are "stages" (SecurityStage, SecurityPostDenormalizeStage).

@reypm
Copy link
Contributor Author

reypm commented Oct 4, 2019
edited
Loading

The services you are modifying are "stages" (SecurityStage, SecurityPostDenormalizeStage).

You mean add an extra check for null check at src/GraphQl/Resolver/Stage/SecurityStage.php and in the other stage using $resourceAccessChecker??

    if (null === $isGranted || null === $this->resourceAccessChecker || $this->resourceAccessChecker->isGranted($resourceClass, (string) $isGranted, $context['extra_variables'])) {
        return;
    }

@alanpoulain
Copy link
Member

Even before this condition but that's the idea. And make the variable in the constructor nullable.
Don't forget to add unit tests too!

@teohhanhui
Copy link
Contributor

@reypm

    if (null === $isGranted || null === $this->resourceAccessChecker || $this->resourceAccessChecker->isGranted($resourceClass, (string) $isGranted, $context['extra_variables'])) {
        return;
    }

This is wrong. We must not silently allow access if the user has specified some condition (i.e. $isGranted is not null) but $this->resourceAccessChecker is null. We should fail in this case.

@alanpoulain
Copy link
Member

Oh yes you're right @teohhanhui

@reypm
Copy link
Contributor Author

reypm commented Oct 4, 2019
edited
Loading

We should fail in this case.

@teohhanhui and by "fail" you mean throw the Error as in last line on that __invoke function? if I am following you right you want this?

/**  @var ResolveInfo $info */
$info = $context['info'];

$isGranted = $resourceMetadata->getGraphqlAttribute($operationName, 'security', null, true);
if (null === $this->resourceAccessChecker && $isGranted) {
    throw Error::createLocatedError($resourceMetadata->getGraphqlAttribute($operationName, 'security_message', 'Access Denied.'), $info->fieldNodes, $info->path);
}

if (null === $isGranted || $this->resourceAccessChecker->isGranted($resourceClass, (string) $isGranted, $context['extra_variables'])) {
    return;
}

throw Error::createLocatedError($resourceMetadata->getGraphqlAttribute($operationName, 'security_message', 'Access Denied.'), $info->fieldNodes, $info->path);

@alanpoulain yes, I will add the test once the desired solution is approved by you both :)

Sorry for not being following you guys, first time "fixing" an api-platform issue and understanding it's internal.

@teohhanhui
Copy link
Contributor

@teohhanhui and by fail you mean throw the Error as in last line on that __invoke function? I am following you right you want this?

I think we should do something like:

throw new \LogicException('Cannot check security expression when SecurityBundle is not installed. Try running "composer require symfony/security-bundle".');

as this is a configuration issue.

Or do you always want to avoid throwing exceptions at all costs, @alanpoulain? (Why?)

@alanpoulain
Copy link
Member

We can throw a LogicException, it will be converted in an Error when #3063 will be merged (and it's not an issue in the meantime if it's not the case).

@reypm
Copy link
Contributor Author

reypm commented Oct 4, 2019

@teohhanhui / @alanpoulain better now? Did I miss something else?

teohhanhui
teohhanhui reviewed Oct 4, 2019
View reviewed changes
dunglas
dunglas reviewed Oct 4, 2019
View reviewed changes
src/Bridge/Symfony/Bundle/Resources/config/graphql.xml
@@ -53,12 +53,12 @@

<service id="api_platform.graphql.resolver.stage.security" class="ApiPlatform\Core\GraphQl\Resolver\Stage\SecurityStage" public="false">
<argument type="service" id="api_platform.metadata.resource.metadata_factory" />
<argument type="service" id="api_platform.security.resource_access_checker" />
<argument type="service" id="api_platform.security.resource_access_checker" on-invalid="ignore" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be null, not ignore isn't it? Or calling the constructor will still fail.

Copy link
Contributor Author

@reypm reypm Oct 4, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wonder why test are passing with this configuration? 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the security component is installed on Travis.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, they behave the same way. The only difference is when inside a method call.

https://symfony.com/doc/current/service_container/optional_dependencies.html#ignoring-missing-dependencies

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest for consistency's sake, we should not use on-invalid="null" except in the specific cases where we need that behaviour (i.e. a method call with null value).

alanpoulain
alanpoulain reviewed Oct 5, 2019
View reviewed changes
alanpoulain
alanpoulain reviewed Oct 5, 2019
View reviewed changes
alanpoulain
alanpoulain reviewed Oct 5, 2019
View reviewed changes
alanpoulain
alanpoulain reviewed Oct 5, 2019
View reviewed changes
teohhanhui
teohhanhui suggested changes Oct 5, 2019
View reviewed changes
@alanpoulain alanpoulain changed the base branch from master to 2.5 October 7, 2019 10:04
@alanpoulain alanpoulain merged commit e25cfde into api-platform:2.5 Oct 7, 2019
@alanpoulain
Copy link
Member

I've rebased your PR for 2.5 and made some little changes. Thank you @reypm!

@reypm reypm deleted the hotfix/1265-issue branch October 7, 2019 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dunglas dunglas dunglas left review comments

@alanpoulain alanpoulain alanpoulain left review comments

@teohhanhui teohhanhui teohhanhui requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@reypm @alanpoulain @teohhanhui @dunglas