vendor/api-platform/core/src/Symfony/Security/ResourceAccessChecker.php line 39

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the API Platform project.
  5. *
  6. * (c) Kévin Dunglas <dunglas@gmail.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. declare(strict_types=1);
  14. namespace ApiPlatform\Symfony\Security;
  16. use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
  17. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  18. use Symfony\Component\Security\Core\Authentication\Token\NullToken;
  19. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  22. use Symfony\Component\Security\Core\Role\Role;
  23. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  25. /**
  26. * Checks if the logged user has sufficient permissions to access the given resource.
  27. *
  28. * @author Kévin Dunglas <dunglas@gmail.com>
  29. */
  30. final class ResourceAccessChecker implements ResourceAccessCheckerInterface
  31. {
  32. private $expressionLanguage;
  33. private $authenticationTrustResolver;
  34. private $roleHierarchy;
  35. private $tokenStorage;
  36. private $authorizationChecker;
  37. private $exceptionOnNoToken;
  39. public function __construct(ExpressionLanguage $expressionLanguage = null, AuthenticationTrustResolverInterface $authenticationTrustResolver = null, RoleHierarchyInterface $roleHierarchy = null, TokenStorageInterface $tokenStorage = null, AuthorizationCheckerInterface $authorizationChecker = null, bool $exceptionOnNoToken = true)
  40. {
  41. $this->expressionLanguage = $expressionLanguage;
  42. $this->authenticationTrustResolver = $authenticationTrustResolver;
  43. $this->roleHierarchy = $roleHierarchy;
  44. $this->tokenStorage = $tokenStorage;
  45. $this->authorizationChecker = $authorizationChecker;
  47. if (5 < \func_num_args()) {
  48. $this->exceptionOnNoToken = $exceptionOnNoToken;
  49. trigger_deprecation('api-platform/core', '2.7', 'The $exceptionOnNoToken parameter in "%s()" is deprecated and will always be false in 3.0, you should stop using it.', __METHOD__);
  50. }
  51. }
  53. public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool
  54. {
  55. if (null === $this->tokenStorage || null === $this->authenticationTrustResolver) {
  56. throw new \LogicException('The "symfony/security" library must be installed to use the "security" attribute.');
  57. }
  58. if (null === $token = $this->tokenStorage->getToken()) {
  59. if ($this->exceptionOnNoToken) {
  60. throw new \LogicException('The current token must be set to use the "security" attribute (is the URL behind a firewall?).');
  61. }
  63. if (class_exists(NullToken::class)) {
  64. $token = new NullToken();
  65. }
  66. }
  67. if (null === $this->expressionLanguage) {
  68. throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security" attribute.');
  69. }
  71. $variables = array_merge($extraVariables, [
  72. 'trust_resolver' => $this->authenticationTrustResolver,
  73. 'auth_checker' => $this->authorizationChecker, // needed for the is_granted expression function
  74. ]);
  76. if ($token) {
  77. $variables = array_merge($variables, $this->getVariables($token));
  78. }
  80. return (bool) $this->expressionLanguage->evaluate($expression, $variables);
  81. }
  83. /**
  84. * @copyright Fabien Potencier <fabien@symfony.com>
  85. *
  86. * @see https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php
  87. */
  88. private function getVariables(TokenInterface $token): array
  89. {
  90. return [
  91. 'token' => $token,
  92. 'user' => $token->getUser(),
  93. 'roles' => $this->getEffectiveRoles($token),
  94. ];
  95. }
  97. /**
  98. * @return string[]
  99. */
  100. private function getEffectiveRoles(TokenInterface $token): array
  101. {
  102. if (null === $this->roleHierarchy) {
  103. return method_exists($token, 'getRoleNames') ? $token->getRoleNames() : array_map('strval', $token->getRoles()); // @phpstan-ignore-line
  104. }
  106. if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) {
  107. return $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
  108. }
  110. return array_map(static function (Role $role): string {
  111. return $role->getRole(); // @phpstan-ignore-line
  112. }, $this->roleHierarchy->getReachableRoles($token->getRoles())); // @phpstan-ignore-line
  113. }
  114. }
  116. class_alias(ResourceAccessChecker::class, \ApiPlatform\Core\Security\ResourceAccessChecker::class);