Merge pull request #2811 from weaverryan/backport-original-data

dunglas · web-flow · commit e43e9c343819 · 2019-05-21T10:28:23.000+02:00
Backport original_data access control variable to 2.4 as a bug fix
diff --git a/features/authorization/deny.feature b/features/authorization/deny.feature
@@ -58,15 +58,39 @@ Feature: Authorization checking
     """
     Then the response status code should be 201
 
-  Scenario: An user cannot retrieve an item he doesn't own
+  Scenario: A user cannot retrieve an item he doesn't own
     When I add "Accept" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
     And I send a "GET" request to "/secured_dummies/1"
     Then the response status code should be 403
     And the response should be in JSON
 
-  Scenario: An user can retrieve an item he owns
+  Scenario: A user can retrieve an item he owns
     When I add "Accept" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
     And I send a "GET" request to "/secured_dummies/2"
     Then the response status code should be 200
+
+  Scenario: A user can't assign him an item he doesn't own
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "PUT" request to "/secured_dummies/2" with body:
+    """
+    {
+        "owner": "kitten"
+    }
+    """
+    Then the response status code should be 403
+
+  Scenario: A user can update an item he owns and transfer it
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "PUT" request to "/secured_dummies/2" with body:
+    """
+    {
+        "owner": "vincent"
+    }
+    """
+    Then the response status code should be 200
diff --git a/src/EventListener/ReadListener.php b/src/EventListener/ReadListener.php
@@ -115,5 +115,6 @@ public function onKernelRequest(GetResponseEvent $event): void
         }
 
         $request->attributes->set('data', $data);
+        $request->attributes->set('previous_data', \is_object($data) ? clone $data : $data);
     }
 }
diff --git a/src/Security/EventListener/DenyAccessListener.php b/src/Security/EventListener/DenyAccessListener.php
@@ -50,8 +50,6 @@ public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFa
     }
 
     /**
-     * Sets the applicable format to the HttpFoundation Request.
-     *
      * @throws AccessDeniedException
      */
     public function onKernelRequest(GetResponseEvent $event): void
@@ -71,6 +69,7 @@ public function onKernelRequest(GetResponseEvent $event): void
 
         $extraVariables = $request->attributes->all();
         $extraVariables['object'] = $request->attributes->get('data');
+        $extraVariables['previous_object'] = $request->attributes->get('previous_data');
         $extraVariables['request'] = $request;
 
         if (!$this->resourceAccessChecker->isGranted($attributes['resource_class'], $isGranted, $extraVariables)) {
diff --git a/tests/EventListener/ReadListenerTest.php b/tests/EventListener/ReadListenerTest.php
@@ -153,6 +153,7 @@ public function testRetrieveCollectionPost()
         $listener->onKernelRequest($event->reveal());
 
         $this->assertFalse($request->attributes->has('data'));
+        $this->assertFalse($request->attributes->has('previous_data'));
     }
 
     public function testRetrieveCollectionGet()
@@ -178,6 +179,7 @@ public function testRetrieveCollectionGet()
         $listener->onKernelRequest($event->reveal());
 
         $this->assertSame([], $request->attributes->get('data'));
+        $this->assertFalse($request->attributes->has('previous_data'));
     }
 
     public function testRetrieveItem()
@@ -205,6 +207,7 @@ public function testRetrieveItem()
         $listener->onKernelRequest($event->reveal());
 
         $this->assertSame($data, $request->attributes->get('data'));
+        $this->assertEquals($data, $request->attributes->get('previous_data'));
     }
 
     public function testRetrieveItemNoIdentifier()
@@ -257,6 +260,7 @@ public function testRetrieveSubresource()
         $listener->onKernelRequest($event->reveal());
 
         $this->assertSame($data, $request->attributes->get('data'));
+        $this->assertSame($data, $request->attributes->get('previous_data'));
     }
 
     public function testRetrieveSubresourceNoDataProvider()
diff --git a/tests/Fixtures/TestBundle/Document/SecuredDummy.php b/tests/Fixtures/TestBundle/Document/SecuredDummy.php
@@ -30,7 +30,8 @@
  *         "post"={"access_control"="has_role('ROLE_ADMIN')"}
  *     },
  *     itemOperations={
- *         "get"={"access_control"="has_role('ROLE_USER') and object.getOwner() == user"}
+ *         "get"={"access_control"="has_role('ROLE_USER') and object.getOwner() == user"},
+ *         "put"={"access_control"="has_role('ROLE_USER') and previous_object.getOwner() == user"},
  *     },
  *     graphql={
  *         "query"={},
diff --git a/tests/Fixtures/TestBundle/Entity/SecuredDummy.php b/tests/Fixtures/TestBundle/Entity/SecuredDummy.php
@@ -29,7 +29,8 @@
  *         "post"={"access_control"="has_role('ROLE_ADMIN')"}
  *     },
  *     itemOperations={
- *         "get"={"access_control"="has_role('ROLE_USER') and object.getOwner() == user"}
+ *         "get"={"access_control"="has_role('ROLE_USER') and object.getOwner() == user"},
+ *         "put"={"access_control"="has_role('ROLE_USER') and previous_object.getOwner() ==  user"},
  *     },
  *     graphql={
  *         "query"={},

Original file line number	Diff line number	Diff line change
`@@ -115,5 +115,6 @@ public function onKernelRequest(GetResponseEvent $event): void`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`$request->attributes->set('data', $data);`
	`118`	`+ $request->attributes->set('previous_data', \is_object($data) ? clone $data : $data);`
`118`	`119`	`}`
`119`	`120`	`}`
Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,7 @@ public function testRetrieveCollectionPost()`
`153`	`153`	`$listener->onKernelRequest($event->reveal());`
`154`	`154`
`155`	`155`	`$this->assertFalse($request->attributes->has('data'));`
	`156`	`+ $this->assertFalse($request->attributes->has('previous_data'));`
`156`	`157`	`}`
`157`	`158`
`158`	`159`	`public function testRetrieveCollectionGet()`
`@@ -178,6 +179,7 @@ public function testRetrieveCollectionGet()`
`178`	`179`	`$listener->onKernelRequest($event->reveal());`
`179`	`180`
`180`	`181`	`$this->assertSame([], $request->attributes->get('data'));`
	`182`	`+ $this->assertFalse($request->attributes->has('previous_data'));`
`181`	`183`	`}`
`182`	`184`
`183`	`185`	`public function testRetrieveItem()`
`@@ -205,6 +207,7 @@ public function testRetrieveItem()`
`205`	`207`	`$listener->onKernelRequest($event->reveal());`
`206`	`208`
`207`	`209`	`$this->assertSame($data, $request->attributes->get('data'));`
	`210`	`+ $this->assertEquals($data, $request->attributes->get('previous_data'));`
`208`	`211`	`}`
`209`	`212`
`210`	`213`	`public function testRetrieveItemNoIdentifier()`
`@@ -257,6 +260,7 @@ public function testRetrieveSubresource()`
`257`	`260`	`$listener->onKernelRequest($event->reveal());`
`258`	`261`
`259`	`262`	`$this->assertSame($data, $request->attributes->get('data'));`
	`263`	`+ $this->assertSame($data, $request->attributes->get('previous_data'));`
`260`	`264`	`}`
`261`	`265`
`262`	`266`	`public function testRetrieveSubresourceNoDataProvider()`