Security and voters #15

Open
quentinus95 opened this issue Jul 20, 2017 · 0 comments
We need to add several checks on the API to protect some specific endpoints.

Users should not be able to see the personal information of any other user; we must add a voter to check who the current user trying to access the resource is (if a token is provided) and whether he is actually allowed to see it.

Four steps:

  1. We should split the Account entity into "Profile" and "Account". Account should contain only private stuff, and Profile any information that could be displayed on the user's profile page.
  2. Create a voter (declared as a service) to check if the user is allowed to see the "Account" entity: https://symfony.com/doc/current/security/voters.html
  3. Use the event system (https://api-platform.com/docs/core/events) to check if the user can actually see the "Account" entity (the check is delegated to the voter; you will need to inject it as a service together with the "token storage" one, which holds the potentially authenticated user, using dependency injection) and return a 403 if the voter returned false.
  4. Testing (Behat or unit testing; I believe Behat should be faster to write).
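One way steps 2 and 3 could fit together, as an added example that is not part of this issue or the project's code. It uses Symfony's `AuthorizationCheckerInterface` (which already wraps the token storage and every registered voter) instead of injecting the voter and token storage separately, and assumes a hypothetical `App\Entity\Account::getOwner()` returning the owning `App\Entity\User`, plus API Platform 2.x (`EventPriorities::POST_READ`, the loaded resource in the `data` request attribute) and Symfony 3.x event classes.

```php
// Voter (step 2): only the owner of an Account may view it. Added example, not project code.
namespace App\Security;
use App\Entity\{Account, User}; // assumed entities; Account::getOwner() is hypothetical
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class AccountVoter extends Voter
{
    public const VIEW = 'ACCOUNT_VIEW';
    protected function supports($attribute, $subject): bool
    {
        return $attribute === self::VIEW && $subject instanceof Account; // abstain on anything else
    }
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        // Anonymous request (no token, or an unauthenticated one) has no User object: deny.
        return $user instanceof User && $subject->getOwner()->getId() === $user->getId();
    }
}

// Event hook (step 3): turn a negative vote into a 403 before the resource is serialized.
namespace App\EventSubscriber;
use ApiPlatform\Core\EventListener\EventPriorities;
use App\Entity\Account;
use App\Security\AccountVoter;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\{KernelEvents, Event\GetResponseEvent, Exception\AccessDeniedHttpException};
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class AccountAccessSubscriber implements EventSubscriberInterface
{
    private $authChecker;
    public function __construct(AuthorizationCheckerInterface $authChecker)
    {
        $this->authChecker = $authChecker; // consults token storage + voters for us
    }
    public static function getSubscribedEvents(): array
    {
        // POST_READ runs after API Platform has loaded the resource into the "data" attribute.
        return [KernelEvents::REQUEST => ['denyUnlessOwner', EventPriorities::POST_READ]];
    }
    public function denyUnlessOwner(GetResponseEvent $event): void
    {
        $account = $event->getRequest()->attributes->get('data');
        // Collections and other resources are left alone; a foreign Account is rejected.
        if ($account instanceof Account && !$this->authChecker->isGranted(AccountVoter::VIEW, $account)) {
            throw new AccessDeniedHttpException('You may only view your own account.'); // 403
        }
    }
}
```

With Symfony autowiring both classes are picked up as services automatically; otherwise the voter must be tagged `security.voter` and the subscriber `kernel.event_subscriber`.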