fix: Fixing READ security

Author: philipsorst

src/Security/AccessCheckerProvider.php

@@ -54,47 +54,24 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         /* Check if operation is allowed without data */
         if (null === $this->event) {
-            if (CrudOperation::LIST === $crudOperation) {
-                if (!$this->authorizationChecker->isGranted(CrudOperation::LIST->value, $operation->getClass())) {
-                    throw new AccessDeniedException();
-                }
-            }
-
-            if (CrudOperation::CREATE === $crudOperation) {
-                if (!$this->authorizationChecker->isGranted(CrudOperation::CREATE->value, $operation->getClass())) {
+            if (in_array($crudOperation, [CrudOperation::LIST, CrudOperation::CREATE], true)) {
+                if (!$this->authorizationChecker->isGranted($crudOperation->value, $operation->getClass())) {
                     throw new AccessDeniedException();
                 }
             }
         }
 
         $data = $this->decorated->provide($operation, $uriVariables, $context);
 
-        $crudOperation = match ($operation::class) {
-            GetCollection::class => CrudOperation::LIST,
-            Post::class => CrudOperation::CREATE,
-            Get::class => CrudOperation::READ,
-            Put::class, Patch::class => CrudOperation::UPDATE,
-            Delete::class => CrudOperation::DELETE,
-            default => null,
-        };
-
         if (null === $this->event) {
-            if (CrudOperation::DELETE === $crudOperation) {
-                if (!$this->authorizationChecker->isGranted(CrudOperation::DELETE->value, $data)) {
-                    throw new AccessDeniedException();
-                }
-            }
-        }
-
-        /* Check if operation is allowed with data after denormalization */
-        if (in_array($this->event, ['post_denormalize', 'post_validate'], true)) {
-            if (CrudOperation::CREATE === $crudOperation) {
-                if (!$this->authorizationChecker->isGranted(CrudOperation::CREATE->value, $data)) {
+            if (in_array($crudOperation, [CrudOperation::DELETE, CrudOperation::READ], true)) {
+                if (!$this->authorizationChecker->isGranted($crudOperation->value, $data)) {
                     throw new AccessDeniedException();
                 }
             }
-            if (CrudOperation::UPDATE === $crudOperation) {
-                if (!$this->authorizationChecker->isGranted(CrudOperation::UPDATE->value, $data)) {
+        } elseif (in_array($this->event, ['post_denormalize', 'post_validate'], true)) {
+            if (in_array($crudOperation, [CrudOperation::CREATE, CrudOperation::UPDATE], true)) {
+                if (!$this->authorizationChecker->isGranted($crudOperation->value, $data)) {
                     throw new AccessDeniedException();
                 }
             }

tests/Acceptance/GroupEndpointTest.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace Dontdrinkandroot\ApiPlatformBundle\Tests\Acceptance;
+
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\DataFixtures\Group\GroupOne;
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\DataFixtures\Group\GroupTwo;
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\DataFixtures\User\UserOne;
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\DataFixtures\User\UserTwo;
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\Entity\Group;
+use Symfony\Component\HttpFoundation\Response;
+
+class GroupEndpointTest extends AbstractAcceptanceTest
+{
+    public function testReadProtected(): void
+    {
+        $client = self::createClient();
+        $referenceRepository = self::loadFixtures([GroupOne::class, GroupTwo::class]);
+        $group2 = $referenceRepository->getReference(GroupTwo::class, Group::class);
+        $response = $this->jsonGet(
+            $client,
+            sprintf("/groups/%d", $group2->getId()),
+        );
+        self::assertEquals(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
+
+        $response = $this->jsonGet(
+            $client,
+            sprintf("/groups/%d", $group2->getId()),
+            [],
+            $this->addBasicAuthorizationHeader(UserOne::USERNAME, UserOne::PASSWORD)
+        );
+        self::assertEquals(Response::HTTP_FORBIDDEN, $response->getStatusCode());
+    }
+
+    public function testReadAccessibleForGroupMember(): void
+    {
+        $client = self::createClient();
+        $referenceRepository = self::loadFixtures([GroupOne::class, GroupTwo::class]);
+        $group2 = $referenceRepository->getReference(GroupTwo::class, Group::class);
+        $response = $this->jsonGet(
+            $client,
+            sprintf("/groups/%d", $group2->getId()),
+            [],
+            $this->addBasicAuthorizationHeader(UserTwo::USERNAME, UserTwo::PASSWORD)
+        );
+        self::assertEquals(Response::HTTP_OK, $response->getStatusCode());
+    }
+}

tests/TestApp/Repository/GroupRepository.php

@@ -13,6 +13,6 @@ class GroupRepository extends ServiceEntityRepository
 {
     public function __construct(ManagerRegistry $registry)
     {
-        parent::__construct($registry, GroupRepository::class);
+        parent::__construct($registry, Group::class);
     }
 }

tests/TestApp/Security/AdminVoter.php

@@ -5,21 +5,17 @@
 use Override;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 
-/**
- * @extends Voter<string,mixed>
- */
-class AdminVoter extends Voter
+class AdminVoter implements VoterInterface
 {
     #[Override]
-    protected function supports(string $attribute, mixed $subject): bool
+    public function vote(TokenInterface $token, mixed $subject, array $attributes)
     {
-        return true;
-    }
+        if (in_array('ROLE_ADMIN', $token->getRoleNames(), true)) {
+            return Voter::ACCESS_GRANTED;
+        }
 
-    #[Override]
-    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
-    {
-        return in_array('ROLE_ADMIN', $token->getRoleNames(), true);
+        return Voter::ACCESS_ABSTAIN;
     }
 }

tests/TestApp/Security/GroupVoter.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\Security;
+
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\Entity\Group;
+use Dontdrinkandroot\ApiPlatformBundle\Tests\TestApp\Entity\User;
+use Dontdrinkandroot\Common\CrudOperation;
+use Override;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<'READ',Group>
+ */
+class GroupVoter extends Voter
+{
+    #[Override]
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return CrudOperation::READ->value === $attribute && $subject instanceof Group;
+    }
+
+    #[Override]
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        if (!($user = $token->getUser()) instanceof User) {
+            return false;
+        }
+
+        return $user->groups->contains($subject);
+    }
+}

tests/TestApp/Security/UserClassVoter.php tests/TestApp/Security/UserVoter.phptests/TestApp/Security/UserClassVoter.php renamed to tests/TestApp/Security/UserVoter.php

@@ -11,7 +11,7 @@
 /**
  * @extends Voter<'READ',User>
  */
-class UserClassVoter extends Voter
+class UserVoter extends Voter
 {
     #[Override]
     protected function supports(string $attribute, $subject): bool