-
-
Notifications
You must be signed in to change notification settings - Fork 868
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply DenyAccessListener before deserialization #2710
Apply DenyAccessListener before deserialization #2710
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please update PR description as changing the DenyAccessListener priority is a BC break.
d2c237e
to
05a8754
Compare
05a8754
to
4b6c142
Compare
Changing a priority is not a BC break. |
But as the behavior is changed by changing this priority, I think it's a BC break, as users will get a 403 instead of a 400 in some cases now. |
But because the previous behavior was wrong it's a bug fix :p. |
This will break my security voters 😑 |
@norkunas Can you please give us more insight on your use case ? |
I am checking in security voters if a user can make an action based if he is a member of a company and has permissions for it. class CompanyUpgradeRequest {
public $company;
} protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool {
switch ($attribute) {
case self::CREATE:
return $this->companyPermissionChecker->hasPermission($token->getUser(), $subject->company, 'upgrade');
}
} But probably I'll rewrite these later with a validator constraint. Maybe I'm not only who depends on this now 🤔 |
Indeed using a validation constraint for that would be cleaner. It’s not a code BC break, but it’s still a BC break. It needs at least to be documented in the changelog. |
Definitely! We have 3 behavior changes in recent PRs on master which are in the same case. I'm going to add these in the changelog soon! |
I think this is just shifting the problem instead of solving it. The application likely needs both before AND after states to be able to make an authorization decision, i.e. we need to know what the user is trying to do before we can say whether it should be allowed or not. |
If you base on the request, it should be validation instead of security. Otherwise, could you please provide an example to explain your point? |
Well, I can only speak from my personal experience. I've been trying to disprove my point that validation cannot be separated from authorization. So far, I still don't see how. The dilemma is:
So it seems to me that validation and authorization are interdependent (in some / many cases?). |
There are serialization groups for that. For example, if you want to restrict a field to specific users roles, you can decorate the ContextBuilder and dynamically change the serialization context (as explained here). |
No, it's not something straightforward like that. Authorization can be as complex as the business logic requires. Same for validation. It's the interdependence between the two that's troublesome, and requires access to both "before" and "after" states. |
Here is an example from my old API Platform-based (probably 2.1?) project: https://gist.github.com/teohhanhui/994ab0d0bab439302ef96ac080568a8f |
So this is a specific use case that can be handled by a customer listener/subscriber? |
If |
Maybe relevant: #2454 (I wanted to check permissions to create an item, based on its passed properties - e.g. only allow some role to create "root" items in a hierarchy of related objects) |
Might be that we should have 2 listeners? One pre-normalization for authentification guards, one after for object related guards? But wait isn't the second one part of the item validation process? |
Another listener is indeed a solution. Deprecating this listener and replacing it by an event subscriber is also an option. WDYT? |
So, a validator that uses the |
4b6c142
to
cfab483
Compare
I tend to agree here. We should check on the existing data, and let the validator check the new one. |
cfab483
to
95bf084
Compare
It is also a good option indeed. Maybe harder to discover and it might be easy to fall in the trap of checking "again" against the wrong data. Edit: |
I like |
closing in favor of #2779 |
I agree with @vincentchalamon that the priority is not the expected one.
The access control must be checked against the data read from the DB in the first place.
We have been discussing this during the EU-FOSSA Hackathon and couldn't really imagine a scenario where this would not be the expected behavior
ping @dunglas