owner check not working with JWT auth - api-platform.com

I'm following the example / documentation closely, trying to set up a resource that only its owner can access, and I get this error:
"hydra:description": "Notice: Undefined property: ApiPlatform\Core\Bridge\Doctrine\Orm\Paginator::$owner",
JWT authentication per se seems to work fine.
My resource is defined like this:
/**
 * @ORM\Entity
 * @ApiResource(
 *     attributes={"access_control"="is_granted('ROLE_USER') and object.owner == user"},
 *     collectionOperations={"get"},
 *     itemOperations={"get"},
 * )
 */
Security and user provider and everything is set up exactly as in the api-platform or Symfony documentation.
The property owner is defined as:
/**
 * @var User The owner
 *
 * @ORM\ManyToOne(targetEntity=User::class)
 */
public $owner;
What am I doing wrong?

I think this would work on your itemOperation GET, but not on your collectionOperation. The reason is that "object" in this case will be the collection of User objects, which is represented as the Paginator class.

@ahaaje is correct.
But you can still achieve what you're looking for by implementing an "extension". This would allow you to filter the collection with only items that belong to your user.
Official documentation is here.
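The kind of extension the answer refers to, as an added example (not code from the thread or from api-platform itself). It assumes api-platform 2.x, a resource class App\Entity\Item with a ManyToOne owner property pointing at App\Entity\User, and Symfony's Security service; the filter is applied to item operations too, so a foreign id returns 404 instead of another user's data.

```php
<?php
// Added example, not from the thread: restrict collection and item queries
// to rows owned by the logged-in user, so the check is done in SQL rather
// than on the Paginator that "object" becomes for collection operations.
// Assumed: api-platform 2.x, App\Entity\Item with ManyToOne `owner` -> App\Entity\User.
namespace App\Doctrine;

use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryItemExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use App\Entity\Item;
use App\Entity\User;
use Doctrine\ORM\QueryBuilder;
use Symfony\Component\Security\Core\Security;

final class CurrentUserExtension implements QueryCollectionExtensionInterface, QueryItemExtensionInterface
{
    private $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
    {
        $this->addWhere($queryBuilder, $resourceClass);
    }

    // Also applied to item GET: a foreign id then yields 404, not someone else's data.
    public function applyToItem(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, array $identifiers, string $operationName = null, array $context = []): void
    {
        $this->addWhere($queryBuilder, $resourceClass);
    }

    private function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
    {
        if (Item::class !== $resourceClass) {
            return; // leave other resources untouched
        }
        $user = $this->security->getUser();
        if (!$user instanceof User) {
            $queryBuilder->andWhere('1 = 0'); // anonymous caller: fail closed, return nothing
            return;
        }
        $rootAlias = $queryBuilder->getRootAliases()[0];
        $queryBuilder->andWhere(sprintf('%s.owner = :current_user', $rootAlias));
        $queryBuilder->setParameter('current_user', $user);
    }
}
```

With Symfony autoconfiguration the class is registered automatically; otherwise tag the service with api_platform.doctrine.orm.query_extension.collection and api_platform.doctrine.orm.query_extension.item.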

Related

Get Info Api Request

Currently I'm struggling with the identifier because I don't need it.
I only need a GET request without anything, returning some system info.
/**
 * @ApiResource(
 *     itemOperations={
 *         "info"={
 *             "method"="GET",
 *             "path"="/system/info",
 *             "controller"=GetInfo::class,
 *             "read"=false
 *         }
 *     },
 *     collectionOperations={}
 * )
 */
That's my current config, but it always requires an identifier.
It sounds as if you're after not an ApiPlatform resource, but simply a standard endpoint.
Have a look at this documentation from Symfony on how to define a route.
To me it sounds like you're after something like this:
config/routes.yaml
system_info:
    path: /system/info
    methods: GET
    controller: App\System\Info
With controller:
namespace App\System;

use Symfony\Component\HttpFoundation\JsonResponse;

class Info
{
    public function __invoke(): JsonResponse
    {
        return new JsonResponse(['pc' => 'master race']);
    }
}
Remember that ApiPlatform is supposed to be working with Resources (aka DTOs and Entities), and as your use case does neither, you end up struggling to make it work.

How can I "validate" DELETE request in api-platform

I want to check the entity variable and check if it is allowed to delete the entity. For example if the owner entity of the association is linked to another entity, I want to make the deletion impossible.
I've looked in the documentation of api-platform but I could not find any help regarding my problem. Either you give the right to delete or not. I could not find how to control it (equivalent to validation for POST, PUT and PATCH).
You can use the access control feature of Api-Platform and Symfony Expression Language to achieve what you want. This way you can write pretty complex expressions.
I hope this example makes it clear.
user is the currently logged in user.
object is the resource user is trying to delete.
use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\Common\Collections\ArrayCollection;
use Doctrine\Common\Collections\Collection;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ApiResource(
 *     itemOperations={
 *         "delete"={
 *             "access_control"="is_granted('ROLE_USER') and object.getUsers().contains(user)"
 *         }
 *     }
 * )
 */
class Entity
{
    /**
     * @var Collection|User[]
     *
     * inversedBy and JoinTable are ManyToMany options (OneToMany only knows mappedBy).
     * @ORM\ManyToMany(targetEntity="User", inversedBy="entities")
     * @ORM\JoinTable(name="entity_users")
     */
    private $users;

    public function __construct()
    {
        $this->users = new ArrayCollection();
    }

    /**
     * @return Collection|User[]  Doctrine hydrates a PersistentCollection, so type against the interface.
     */
    public function getUsers(): Collection
    {
        return $this->users;
    }
}
In this case only users stored in the users collection of Entity can delete this resource.

Disable /api/entities route to get the list

When creating an entity with @ApiResource, you get 5 routes:
GET /api/entities
POST /api/entities
GET /api/entities/{id}
DELETE /api/entities/{id}
PUT /api/entities/{id}
How can I disable the first route?
Thanks.
You should customize the collectionOperations attribute in your @ApiResource annotation:
/**
 * @ApiResource(
 *     collectionOperations={}
 * )
 */
For more information: https://api-platform.com/docs/core/operations/#enabling-and-disabling-operations

Joomla! 3.xx *onUserLogout* event not working

I have successfully implemented the onUserAuthenticate event to implement my custom authentication API inside the Joomla! site that I am working on.
Now I want to also have some custom code run on the onUserLogout event.
I have added the following code to the custom authentication plugin file.
But this method is not getting fired/invoked, while the previous one (onUserAuthenticate) is working just fine.
/**
 * Method to handle the SSO logout
 *
 * @param array $user    Holds the user data.
 * @param array $options Array holding options (client, ...).
 *
 * @return boolean Always returns true.
 *
 * @since 1.6
 */
public function onUserLogout($user, $options = array())
{
    if (JFactory::getApplication()->isSite()) {
        // Set the cookie to an expired date.
        setcookie('customAuth', '123', time() - (60 * 60 * 24 * 365), '/', '.customdomain.org');
    }

    return true;
}
Okay, so I was getting it all wrong.
I was adding the aforementioned method inside the same plugin file that handled the onUserAuthenticate.
For Joomla! the login is a separate process which has its respective events like onUserAuthenticate.
But it seems like the event onUserLogout has to be inside a plugin of the type user.
So I created a separate plugin inside the user plugin type directory, installed it, and enabled it... and voila, it worked!
This had me scratching my head for quite a while.

Symfony 2 - Set UniqueEntity message

I have a Symfony 2/Doctrine 2 entity with a UniqueEntity constraint. As shown in the documentation, it should be possible to set a custom error message. I tried the following syntax, but that does not work:
/**
 * @ORM\Entity
 * @ORM\Table(name="User")
 * @UniqueEntity("email", message="Your E-Mail address has already been registered")
 */
class User
What is the correct notation for the UniqueEntity constraint message? Or is the documentation simply wrong?
If you use only the fields option in this annotation, it can be passed as the default option (the only option without a name). However, when you specify additional settings, you have to name the fields property explicitly:
/**
 * @ORM\Entity
 * @ORM\Table(name="User")
 * @UniqueEntity(
 *     fields={"email"},
 *     message="Your E-Mail address has already been registered"
 * )
 */
class User