我正在使用Symfony5并在应用程序ApiPlatform上JWT实施。
我有一条经典路线,通过将动态组添加到未经身份验证的用户的某些属性中,它只返回所有实体的/GET少数字段。User"anonym:read"ContextBuilder
由于用户不需要JWT token,我已将其添加到我的文件的access_control一部分:security.yml
access_control:
- { path: ^/users, roles: IS_AUTHENTICATED_ANONYMOUSLY }
这条路由也被其他不同权限的用户使用,所以它通过一个Voter.
这voter就是我阻塞的地方,我应该在$subject变量中接收的对象列表最终为空,从support投票者的函数返回 false 并因此拒绝访问。
如果我security从路由注释中撤消约束/GET,我会收到User我想要的列表,其中只有所需的字段。
我无法弄清楚为什么$subject这个对象列表为空。
User.php:
/**
* @ApiResource(
* attributes={
* "normalization_context"={"groups"={"user:read", "user:list"}},
* "denormalization_context"={"groups"={"user:write"}},
* "order"={"availabilities.start": "ASC"}
* },
* collectionOperations={
* "get"={
* "mehtod"="GET",
* "security"="is_granted('LIST', object)",
* "normalization_context"={"groups"={"user:list"}},
* },
* "post"={
* "method"="POST",
* "security_post_denormalize"="is_granted('POST', object)",
* "denormalization_context"={"groups"={"user:write"}}
* }
* },
* itemOperations={
* "get"={
* "method"="GET",
* "security"="is_granted('ROLE_USER')"
* },
* "put"={
* "method"="PUT",
* "security"="is_granted('PUT', object)"
* },
* "delete"={
* "method"="DELETE",
* "security"="is_granted('ROLE_ADMIN')"
* }
* }
* )
* @ORM\Entity(repositoryClass=UserRepository::class)
*/
class User
{
/**
* @ORM\Id
* @ORM\GeneratedValue
* @ORM\Column(type="integer")
* @Groups({"user:read", "user:list"})
*/
private $id;
/**
* @ORM\Column(type="boolean")
* @Groups({"user:read", "user:list", "user:write", "anonym:read"})
*/
private $active;
/**
* @ORM\Column(type="string", length=255, nullable=true)
* @Groups({"user:read", "user:list", "user:write", "anonym:read"})
*/
private $photo;
/**
* @ORM\Column(type="text")
* @Groups({"user:read", "user:list", "user:write"})
*/
private $description;
}
UserContextBuilder.php:
final class UserContextBuilder implements SerializerContextBuilderInterface
{
private $decorated;
private $authorizationChecker;
public function __construct(SerializerContextBuilderInterface $decorated, AuthorizationCheckerInterface $authorizationChecker)
{
$this->decorated = $decorated;
$this->authorizationChecker = $authorizationChecker;
}
public function createFromRequest(Request $request, bool $normalization, ?array $extractedAttributes = null): array
{
$context = $this->decorated->createFromRequest($request, $normalization, $extractedAttributes);
$resourceClass = $context['resource_class'] ?? null;
if (
$resourceClass === User::class && isset($context['groups']) &&
!$this->authorizationChecker->isGranted('ROLE_USER') &&
true == $normalization
) {
$context['groups'][] = 'anonym:read';
}
return $context;
}
}
UserVoter.php:
class UserVoter extends AbstractVoter
{
protected function supports($attribute, $subject)
{
return parent::supports($attribute, $subject) &&
($subject instanceof User ||
$this->arrayOf($subject, User::class));
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
/** @var User $user */
$user = $token->getUser();
if ($this->accessDecisionManager->decide($token, [GenericRoles::ROLE_ADMIN])) {
return true;
}
switch ($attribute) {
case Actions::LIST:
return $user->hasRole(GenericRoles::ROLE_USER) || !$user instanceof User;
case Actions::PUT:
return ($user->getId() == $subject->getUser()->getId() ||
$user->hasRole(GenericRoles::SOME_SPECIAL_ROLE));
case Actions::POST:
return $user->hasRole(GenericRoles::SOME_SPECIAL_ROLE);
}
return false;
}
}
如果有人知道为什么会发生这种情况,我将不胜感激