1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
/* |
4
|
|
|
* This file is part of the API Platform project. |
5
|
|
|
* |
6
|
|
|
* (c) Kévin Dunglas <[email protected]> |
7
|
|
|
* |
8
|
|
|
* For the full copyright and license information, please view the LICENSE |
9
|
|
|
* file that was distributed with this source code. |
10
|
|
|
*/ |
11
|
|
|
|
12
|
|
|
declare(strict_types=1); |
13
|
|
|
|
14
|
|
|
namespace ApiPlatform\Core\GraphQl\Resolver\Stage; |
15
|
|
|
|
16
|
|
|
use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface; |
17
|
|
|
use ApiPlatform\Core\Security\ResourceAccessCheckerInterface; |
18
|
|
|
use GraphQL\Error\Error; |
19
|
|
|
use GraphQL\Type\Definition\ResolveInfo; |
20
|
|
|
|
21
|
|
|
/** |
22
|
|
|
* Security post denormalize stage of GraphQL resolvers. |
23
|
|
|
* |
24
|
|
|
* @experimental |
25
|
|
|
* |
26
|
|
|
* @author Vincent Chalamon <[email protected]> |
27
|
|
|
*/ |
28
|
|
|
final class SecurityPostDenormalizeStage implements SecurityPostDenormalizeStageInterface |
29
|
|
|
{ |
30
|
|
|
private $resourceMetadataFactory; |
31
|
|
|
private $resourceAccessChecker; |
32
|
|
|
|
33
|
|
|
public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, ?ResourceAccessCheckerInterface $resourceAccessChecker) |
34
|
|
|
{ |
35
|
|
|
$this->resourceMetadataFactory = $resourceMetadataFactory; |
36
|
|
|
$this->resourceAccessChecker = $resourceAccessChecker; |
37
|
|
|
} |
38
|
|
|
|
39
|
|
|
/** |
40
|
|
|
* {@inheritdoc} |
41
|
|
|
*/ |
42
|
|
|
public function __invoke(string $resourceClass, string $operationName, array $context): void |
43
|
|
|
{ |
44
|
|
|
$resourceMetadata = $this->resourceMetadataFactory->create($resourceClass); |
45
|
|
|
|
46
|
|
|
$isGranted = $resourceMetadata->getGraphqlAttribute($operationName, 'security_post_denormalize', null, true); |
47
|
|
|
|
48
|
|
|
if (null === $isGranted) { |
49
|
|
|
// Backward compatibility |
50
|
|
|
$isGranted = $resourceMetadata->getGraphqlAttribute($operationName, 'access_control', null, true); |
51
|
|
|
if (null !== $isGranted) { |
52
|
|
|
@trigger_error('Attribute "access_control" is deprecated since API Platform 2.5, prefer using "security" attribute instead', E_USER_DEPRECATED); |
53
|
|
|
} |
54
|
|
|
} |
55
|
|
|
|
56
|
|
|
if (null !== $isGranted && null === $this->resourceAccessChecker) { |
57
|
|
|
throw new \LogicException('Cannot check security expression when SecurityBundle is not installed. Try running "composer require symfony/security-bundle".'); |
58
|
|
|
} |
59
|
|
|
|
60
|
|
|
if (null === $isGranted || $this->resourceAccessChecker->isGranted($resourceClass, (string) $isGranted, $context['extra_variables'])) { |
|
|
|
|
61
|
|
|
return; |
62
|
|
|
} |
63
|
|
|
|
64
|
|
|
/** @var ResolveInfo $info */ |
65
|
|
|
$info = $context['info']; |
66
|
|
|
throw Error::createLocatedError($resourceMetadata->getGraphqlAttribute($operationName, 'security_post_denormalize_message', 'Access Denied.'), $info->fieldNodes, $info->path); |
67
|
|
|
} |
68
|
|
|
} |
69
|
|
|
|
This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces.
This is most likely a typographical error or the method has been renamed.