I have been looking at Extensions and Filters and I am trying to figure out the best way to limit what users see depending on who they are.
I am using Security Voters for Items, so I only need to solve what comes through on Collections as the voter will deny access if someone tries to access something they shouldn't.
I have Projects, Organisations and Users. Projects belong to a user and an organisation, Users can belong to many organisations.
I have an endpoint for /projects whose results I can limit by using an Extension and only revealing projects for that user.
However, I also need an admin endpoint for projects where I want them to be able to see any project. An admin may also have their own projects, so I need them to be able to control what they see.
Rather than using an Extension, can I use a filter and check if that user has access to the value they are trying to filter by? This would mean that whenever someone requests /projects they can provide a query value (e.g. /projects?organisation=/api/organisation/1 or leave it empty to show all - /projects).
How can I check that the user actually has access to that organisation? If the user has ROLE_ADMIN I want to allow them to use any organisation (or none at all). If they have ROLE_USER they must provide a value for organisation and I need my voter to check they belong to the organisation.
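One way to implement the rule described in the question, as an added example and not code from the question or from API Platform itself: a single collection extension for Project that reads the `organisation` query parameter, resolves the IRI, and fails closed. Admins with no parameter get every project; anyone else must supply an organisation they belong to. It assumes API Platform 3 (`ApiPlatform\Api\IriConverterInterface`, the `$context['filters']` array passed to extensions) and Symfony 6.2+ (`Symfony\Bundle\SecurityBundle\Security`), plus hypothetical entities `App\Entity\Project` (ManyToOne `organisation`), `App\Entity\Organisation` and `App\Entity\User` with a `getOrganisations()` collection; none of those names come from the question.

```php
<?php
// Added example (not from the question or API Platform). Assumed: API Platform 3,
// Symfony 6.2+, entities App\Entity\{Project,Organisation,User} with
// Project::$organisation (ManyToOne) and User::getOrganisations() (Collection).

namespace App\Doctrine;

use ApiPlatform\Api\IriConverterInterface;
use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use ApiPlatform\Exception\InvalidArgumentException;
use ApiPlatform\Exception\ItemNotFoundException;
use ApiPlatform\Metadata\Operation;
use App\Entity\Organisation;
use App\Entity\Project;
use App\Entity\User;
use Doctrine\ORM\QueryBuilder;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

final class ProjectOrganisationExtension implements QueryCollectionExtensionInterface
{
    public function __construct(
        private readonly Security $security,
        private readonly IriConverterInterface $iriConverter,
    ) {
    }

    public function applyToCollection(
        QueryBuilder $queryBuilder,
        QueryNameGeneratorInterface $queryNameGenerator,
        string $resourceClass,
        ?Operation $operation = null,
        array $context = [],
    ): void {
        if (Project::class !== $resourceClass) {
            return;
        }

        $user = $this->security->getUser();
        if (!$user instanceof User) {
            // Collections must never be served to an unauthenticated caller.
            throw new AccessDeniedHttpException('Authentication required.');
        }

        // API Platform exposes the request's query parameters under $context['filters'].
        $iri = $context['filters']['organisation'] ?? null;
        if (is_array($iri)) {
            // organisation[]=... would need a per-value membership check; reject it.
            throw new BadRequestHttpException('Only one organisation may be given.');
        }

        $isAdmin = $this->security->isGranted('ROLE_ADMIN');

        if (null === $iri || '' === $iri) {
            if ($isAdmin) {
                return; // admin with no filter: the collection is unrestricted
            }
            // Fail closed: a non-admin without an organisation gets nothing, not everything.
            throw new BadRequestHttpException('The organisation query parameter is required.');
        }

        $organisation = $this->resolveOrganisation($iri);

        // Membership check: admins may filter by any organisation, others only by their own.
        if (!$isAdmin && !$user->getOrganisations()->contains($organisation)) {
            throw new AccessDeniedHttpException('You are not a member of this organisation.');
        }

        $rootAlias = $queryBuilder->getRootAliases()[0];
        $param = $queryNameGenerator->generateParameterName('organisation');
        $queryBuilder
            ->andWhere(sprintf('%s.organisation = :%s', $rootAlias, $param))
            ->setParameter($param, $organisation);
    }

    private function resolveOrganisation(string $iri): Organisation
    {
        try {
            $resource = $this->iriConverter->getResourceFromIri($iri);
        } catch (InvalidArgumentException | ItemNotFoundException) {
            // Do not reveal whether the organisation exists; unknown and malformed look the same.
            throw new BadRequestHttpException('Unknown organisation.');
        }

        if (!$resource instanceof Organisation) {
            throw new BadRequestHttpException('The organisation filter must be an Organisation IRI.');
        }

        return $resource;
    }
}
```

Register the class as a service tagged `api_platform.doctrine.orm.query_extension.collection` (autoconfiguration does this when the interface is implemented). Because the decision is made from the role rather than the route, one extension covers both `/projects` and the admin endpoint; if the per-user extension from the question is also registered, it will still narrow the admin's results, so scope it to the non-admin operation. Do not also register a SearchFilter on `organisation`, or the same parameter is applied twice. The item voters stay in place: this extension only decides which rows appear in a collection, not whether an item may be read.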