feat(Serializer): Allow to validate security in input DTOs
| Q | A |
|---|---|
| Branch? | main |
| License | MIT |
| Doc PR | don't think we need it for the feature, but ready to add |
In short, this pull request introduces security functionality for attributes in input DTOs for API Platform.
I've noticed that API Platform currently lacks security functionality for attributes in input DTOs. In an ApiResource it is possible to check whether an attribute is accessible to the current user, like this:
```php
#[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
public $adminOnlyProperty;
```
Unfortunately, this functionality is not available for input DTOs.
This pull request aims to introduce a feature that allows checking user roles for certain properties within input DTOs. In my project, this capability is crucial for controlling access to specific properties based on user roles and for enhancing security and data integrity. This enhancement can also benefit other users of the platform who require similar role-based access control for their APIs.
@soyuka @dunglas have a look please
Instead of this, we should just consider inputs and outputs as resources so that they take the exact same path a resource would, and therefore you'd get all the features. I need to dig deeper; I think there's something easier to be done here.
> Instead of this we should just consider inputs and outputs as resources so that they take the exact same path as a resource would and therefore you'd get all the features. I need to dig deeper I think there's something easier to be done here.
We can, but it looks a bit strange to me. We already have an ApiResource and would like to use a DTO for it, and the fact that we have to consider our DTO as an API resource confuses me a lot :(
I mean, what is the difference then between an input/output DTO and an ApiResource if we consider both as ApiResources?
@soyuka could you please have a look at the previous comment and https://github.com/api-platform/core/pull/5994?
I don't think this is right, actually. Look at this:
https://github.com/api-platform/core/blob/cbc803cab81bc6acbe74c4db4eba63bc8539aa16/src/Serializer/AbstractItemNormalizer.php#L436-L452
The call at:
```php
$propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $options);
```
can probably just be something like:
```php
$propertyMetadata = $this->propertyMetadataFactory->create($inputClass, $attribute, $options);
```
There are helpers to get it (getInputClass).
Look at the code there; also, it's either input or output according to the normalization phase :).
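The lookup described in the comment above, as an added stand-alone illustration that is not API Platform's own code: the serializer context decides whether the input DTO (when denormalizing) or the output DTO (when normalizing) is consulted for property metadata, falling back to the resource class, and each attribute's `security` expression is then evaluated against the current user's roles. `PropertyMeta`, `PropertyMetadataFactory`, `AccessChecker`, `metadataClass` and `filterAllowedAttributes` are simplified stand-ins written for this example (the real `PropertyMetadataFactoryInterface`, `ApiProperty` and `ResourceAccessCheckerInterface` do far more); the `App\Entity\Book` / `App\Dto\BookInput` classes and their metadata table are constructed sample data.

```php
<?php
// Added illustration, not API Platform code. All class and function names are
// assumptions made for this example; the metadata table below is constructed.
declare(strict_types=1);

// Stand-in for ApiProperty: only the security expression matters here.
final class PropertyMeta
{
    public function __construct(public readonly ?string $security = null) {}
}

// Stand-in for PropertyMetadataFactoryInterface::create($class, $attribute).
final class PropertyMetadataFactory
{
    /** @param array<string, array<string, ?string>> $table class => attribute => expression */
    public function __construct(private array $table) {}

    public function create(string $class, string $attribute): PropertyMeta
    {
        return new PropertyMeta($this->table[$class][$attribute] ?? null);
    }
}

// Stand-in for ResourceAccessCheckerInterface::isGranted(): understands only
// is_granted('ROLE_X') and checks it against the current user's roles.
final class AccessChecker
{
    /** @param list<string> $roles */
    public function __construct(private array $roles) {}

    public function isGranted(string $expression): bool
    {
        if (!preg_match("/^is_granted\\('([A-Z_]+)'\\)$/", $expression, $m)) {
            throw new InvalidArgumentException("unsupported expression: $expression");
        }
        return in_array($m[1], $this->roles, true);
    }
}

// Mirrors the helper idea from the comment: DTO classes come from the context.
function getInputClass(array $context): ?string  { return $context['input']['class'] ?? null; }
function getOutputClass(array $context): ?string { return $context['output']['class'] ?? null; }

// The class whose property metadata applies in the current phase: the input DTO
// while denormalizing, the output DTO while normalizing, else the resource class.
function metadataClass(array $context, bool $denormalizing): string
{
    $dto = $denormalizing ? getInputClass($context) : getOutputClass($context);
    return $dto ?? $context['resource_class'];
}

// Keep only attributes whose security expression (if any) grants access.
function filterAllowedAttributes(array $attributes, array $context, bool $denormalizing,
    PropertyMetadataFactory $factory, AccessChecker $checker): array
{
    $class = metadataClass($context, $denormalizing);
    $allowed = [];
    foreach ($attributes as $attribute) {
        $security = $factory->create($class, $attribute)->security;
        if (null === $security || $checker->isGranted($security)) {
            $allowed[] = $attribute;
        }
    }
    return $allowed;
}

// Constructed sample: the guard lives on the input DTO, not on the entity.
$factory = new PropertyMetadataFactory([
    'App\Entity\Book'   => ['title' => null],
    'App\Dto\BookInput' => ['title' => null, 'adminOnlyProperty' => "is_granted('ROLE_ADMIN')"],
]);
$context = ['resource_class' => 'App\Entity\Book', 'input' => ['class' => 'App\Dto\BookInput']];
$attrs   = ['title', 'adminOnlyProperty'];

// Resolving metadata by resource_class alone finds no guard on the DTO property,
// which is the gap the pull request is about.
assert(null === $factory->create($context['resource_class'], 'adminOnlyProperty')->security);

// Resolving by the input class during denormalization applies the DTO's guard.
$user  = filterAllowedAttributes($attrs, $context, true, $factory, new AccessChecker(['ROLE_USER']));
$admin = filterAllowedAttributes($attrs, $context, true, $factory, new AccessChecker(['ROLE_USER', 'ROLE_ADMIN']));
assert($user === ['title']);
assert($admin === ['title', 'adminOnlyProperty']);

echo 'ROLE_USER may write: ', implode(', ', $user), PHP_EOL;
echo 'ROLE_ADMIN may write: ', implode(', ', $admin), PHP_EOL;
```

Run it with `php example.php` (PHP 8.1 or later for the promoted `readonly` property). The security-relevant detail is the first assertion: as long as metadata is looked up by `resource_class`, a guard declared on the input DTO is never seen, so an unprivileged client can set the property on write. Switching the lookup to the class selected by `metadataClass()` is what closes that gap, and the same selection handles the output DTO on the normalization side.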
I'd like to see this introduced as a new feature on the main branch. Sorry for the delay.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.