From d2d9e7129eb7e691d89b588e669fa29befb41b21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Desjardins=20J=C3=A9r=C3=B4me?= Date: Wed, 17 Oct 2018 14:55:29 +0200 Subject: [PATCH 1/2] Update security doc Add sentence to redirect to extension to restrict a collection --- core/security.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/security.md b/core/security.md index 49c90ca9f18..15e98538427 100644 --- a/core/security.md +++ b/core/security.md @@ -120,3 +120,6 @@ App\Entity\Book: access_control_message: 'Sorry, but you are not the book owner.' # ... ``` + +Into access control expression for collection, `object` property is not available. +For add restriction on this, you need implement [a extension](extensions.md) to make a custom query. From a5401212bc4694d96935fcad0e60fb2b57cd3c01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Mon, 5 Nov 2018 09:12:50 +0100 Subject: [PATCH 2/2] Update security.md --- core/security.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/core/security.md b/core/security.md index 15e98538427..ab5e763f61b 100644 --- a/core/security.md +++ b/core/security.md @@ -121,5 +121,7 @@ App\Entity\Book: # ... ``` -Into access control expression for collection, `object` property is not available. -For add restriction on this, you need implement [a extension](extensions.md) to make a custom query. +In access control expressions for collection, the `object` variable contains the list of resources that will be serialized. +To remove entries from a collection, you should implement [a Doctrine extension](extensions.md) to customize the generated DQL query (e.g. add `WHERE` clauses depending of the currently connected user) instead of using access control expressions. + +If you use [custom data providers](data-providers.md), you'll have to implement the filtering logic accordingly to the persistence layer you rely on.
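Review bot: the first added sentence in the PATCH 1/2 hunk ("`object` property is not available") is inaccurate, and the second is ungrammatical. In the collection case `object` is set; it holds the collection of resources about to be serialized (the follow-up in this series says exactly that), so the sentence should state what `object` contains and then explain that an access control expression is the wrong tool for dropping individual items, rather than claiming the variable is missing. For the second sentence, suggest "To restrict which entries a user can see, implement [an extension](extensions.md) that customizes the query." ("a extension" -> "an extension", "you need implement" -> "you need to implement", "For add restriction" -> "To add a restriction").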
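Review bot: the PATCH 2/2 hunk fixes the factual problem but the replacement text still has grammar issues and leaves the security-relevant reasoning implicit. Grammar: "for collection" -> "for collections", "depending of the currently connected user" -> "depending on the currently connected user", "accordingly to the persistence layer" -> "according to the persistence layer". More important, since `object` already contains the list of resources that will be serialized, a reader should be told why the Doctrine extension is preferred: by the time the expression runs the rows have already been loaded, and a failing expression rejects the whole request (the surrounding `access_control_message` context shows that outcome) instead of returning a reduced list, whereas `WHERE` clauses added in the extension keep rows the user is not allowed to see from being fetched at all. One sentence to that effect after "instead of using access control expressions." would make the recommendation self-explanatory; the closing paragraph about custom data providers is a good addition and needs only the wording fix above.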