Jira issue originally created by user shne:
I'm making an access control system and would like to automatically filter all queries based current user, targetEntity type and query type. Query type is relevant as different permissions are needed by the user for SELECT, UPDATE, DELETE and INSERT queries.
I can access the first two things in my filter easily enough, but I cannot find a way to have the filter know what type of query the filter is being applied to.
Comment created by @beberlei:
The Filter API only makes sense for SELECT clauses. Doctrine itself does not use DQL to do updates internally, so you need to use other mechanisms (EventListener) to prevent this operations if they are not allowed for a user.
Comment created by shne:
But I can make custom DQL to update rows and would like to automatically filter this too.
e.g. $em->createQuery("UPDATE SomeEntity se SET se.field = "updated!")->execute();
The lifecycle events preUpdate etc. are not called when doing custom DQL queries.
Maybe it is bad practice and discouraged to do updates, inserts and deletes as custom DQL queries, but I would like to ensure that the other people in my organization can't accidentally bypass the Access Control, even if they make use of such bad practice.
And if the filter API only makes sense for Select statements, why are filters applied to update/delete/etc. statements too?
Well, they are applied to DQL UPDATE/DELETE. But not not UPDATE/DELETE that works through the internals of Doctrine. So yes, you can use it to filter DQL DELETE/UPDATE, but doctrine does not do that internally.
So you have to have two strategies, a DQL/SQL Filter - and Lifecycle events.
Which is fine by me. I already implemented the checks using lifecycle events before opening this issue. The access control is automatically handled when using the entitymanager and not custom DQL.
Now I would also like to filter the custom DQL, but currently I can't, because as originally stated, the filter needs to know which type of query it is being applied to.