We need to add several checks on the API to protect some specific endpoints.
Users should not be able to see the personal information of any other user; we must add a voter to check who the current user trying to access the resource is (if a token is provided) and whether they are effectively allowed to see it.
Four steps:
We should split Account entity to "Profile" and "Account". Account should contain only private stuff and Profile any information that could be displayed on user's profile page
Using the event system https://api-platform.com/docs/core/events to check if the user can effectively see the "Account" entity (the action is delegated to the voter; you will need to inject it as a service together with the "token storage" one (it contains the potentially authenticated current user) using dependency injection) and return a 403 if the voter returned false.
Testing (behat or unit testing, I believe behat should be faster to write)
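The voter plus event-subscriber combination described in the steps above, as an added example that is not code from this issue or from the project itself. It assumes the split has already happened and that `App\Entity\Account` is the private entity with a `getId()` method, that the request runs inside a Symfony firewall (so an anonymous token exists when no credentials are sent), and it uses `AuthorizationCheckerInterface::isGranted()`, which consults the registered voters with the token from token storage, instead of injecting the voter and token storage by hand. Class names, file paths and the `ACCOUNT_VIEW` attribute are hypothetical.

```php
<?php
// src/Security/AccountVoter.php (hypothetical path)
namespace App\Security;

use App\Entity\Account; // assumed: the private half of the Account/Profile split
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class AccountVoter extends Voter
{
    public const VIEW = 'ACCOUNT_VIEW'; // hypothetical attribute name

    protected function supports($attribute, $subject): bool
    {
        // Only vote on "view" decisions about an Account; abstain for everything else.
        return self::VIEW === $attribute && $subject instanceof Account;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        // No token, or an anonymous token: nobody may read private account data.
        if (!$user instanceof UserInterface) {
            return false;
        }

        /** @var Account $subject */
        // Assumption: Account is the authenticated user entity, so a user may
        // only view the Account whose id matches their own.
        return $user instanceof Account && $subject->getId() === $user->getId();
    }
}

// src/EventSubscriber/AccountReadSubscriber.php (hypothetical path)
namespace App\EventSubscriber;

use ApiPlatform\Core\EventListener\EventPriorities;
use App\Entity\Account;
use App\Security\AccountVoter;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class AccountReadSubscriber implements EventSubscriberInterface
{
    private $authorizationChecker;

    public function __construct(AuthorizationCheckerInterface $authorizationChecker)
    {
        $this->authorizationChecker = $authorizationChecker;
    }

    public static function getSubscribedEvents(): array
    {
        // POST_READ on kernel.request: API Platform has already loaded the entity
        // into the request's "data" attribute but has not serialized it yet, so a
        // refusal here happens before any field of the entity can leak.
        return [
            KernelEvents::REQUEST => ['denyForeignAccount', EventPriorities::POST_READ],
        ];
    }

    public function denyForeignAccount(RequestEvent $event): void
    {
        $data = $event->getRequest()->attributes->get('data');

        // Profile and every other resource are untouched by this check.
        if (!$data instanceof Account) {
            return;
        }

        // The authorization checker passes the current token to AccountVoter;
        // AccessDeniedHttpException is turned into an HTTP 403 by the kernel.
        if (!$this->authorizationChecker->isGranted(AccountVoter::VIEW, $data)) {
            throw new AccessDeniedHttpException('You may only view your own account.');
        }
    }
}
```

With Symfony's default `autoconfigure`, both classes are registered automatically (the voter through `security.voter`, the subscriber through `kernel.event_subscriber`). Two caveats worth keeping in mind: the "data" attribute holds a single `Account` only for item operations, so a collection GET on accounts would still need a Doctrine extension that filters the query down to the current user; and API Platform also supports expressing the same rule declaratively on the operation (the `access_control` / `security` attribute), which can replace the subscriber if the project is on a version that provides it.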