Merge commit from fork

soyuka · vinceAmstoutz · web-flow · commit dc4fc84ba93e · 2025-01-17T14:45:31.000+01:00
Co-authored-by: Vincent Amstoutz &lt;vincent.amstoutz@les-tilleuls.coop&gt;
diff --git a/features/graphql/query.feature b/features/graphql/query.feature
@@ -677,3 +677,20 @@ Feature: GraphQL query support
     Then the response status code should be 200
     And the header "Content-Type" should be equal to "application/json"
     And the JSON node "data.getSecurityAfterResolver.name" should be equal to "test"
+
+
+  Scenario: Call security after resolver with 403 error (ensure /2 does not match securityAfterResolver)
+    When I send the following GraphQL request:
+    """"
+    {
+      getSecurityAfterResolver(id: "/security_after_resolvers/2") {
+        name
+      }
+    }
+    """
+    Then the response status code should be 200
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/json"
+    And the JSON node "errors[0].extensions.status" should be equal to 403
+    And the JSON node "errors[0].message" should be equal to "Access Denied."
+    And the JSON node "data.getSecurityAfterResolver.name" should not exist
diff --git a/src/Symfony/Security/State/AccessCheckerProvider.php b/src/Symfony/Security/State/AccessCheckerProvider.php
@@ -53,7 +53,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
                 $isGranted = $operation->getSecurityAfterResolver();
                 $message = $operation->getSecurityMessageAfterResolver();
-                // no break
+                break;
             default:
                 $isGranted = $operation->getSecurity();
                 $message = $operation->getSecurityMessage();
diff --git a/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php b/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php
@@ -23,6 +23,13 @@ final class SecurityAfterResolverResolver implements QueryItemResolverInterface
      */
     public function __invoke($item, array $context): SecurityAfterResolver
     {
+        $idUrl = $context['args']['id'];
+
+        if (str_contains($idUrl, '2')) {
+            // Unknown to simulate a 403 error
+            return new SecurityAfterResolver('2', 'nonexistent');
+        }
+
         return new SecurityAfterResolver('1', 'test');
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,13 @@ final class SecurityAfterResolverResolver implements QueryItemResolverInterface`
`23`	`23`	`*/`
`24`	`24`	`public function __invoke($item, array $context): SecurityAfterResolver`
`25`	`25`	`{`
	`26`	`+ $idUrl = $context['args']['id'];`
	`27`	`+`
	`28`	`+ if (str_contains($idUrl, '2')) {`
	`29`	`+ // Unknown to simulate a 403 error`
	`30`	`+ return new SecurityAfterResolver('2', 'nonexistent');`
	`31`	`+ }`
	`32`	`+`
`26`	`33`	`return new SecurityAfterResolver('1', 'test');`
`27`	`34`	`}`
`28`	`35`	`}`