75 lines
2.5 KiB
PHP
75 lines
2.5 KiB
PHP
|
|
<?php
|
||
|
|
|
||
|
|
namespace App\Doctrine;
|
||
|
|
|
||
|
|
use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
|
||
|
|
use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface;
|
||
|
|
use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
|
||
|
|
use ApiPlatform\Metadata\Operation;
|
||
|
|
use App\Entity\Bucket;
|
||
|
|
use App\Entity\User;
|
||
|
|
use Doctrine\ORM\QueryBuilder;
|
||
|
|
use Symfony\Bundle\SecurityBundle\Security;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Scopes every Bucket read to the authenticated owner. A Bucket has no direct
|
||
|
|
* owner column — ownership is transitive via its Scenario — so this JOINs the
|
||
|
|
* `scenario` relation and appends `WHERE scenario.owner = :currentUser`.
|
||
|
|
* Non-owned rows become unresolvable, so API Platform's provider 404s naturally
|
||
|
|
* on item reads and silently filters them out of collections — no 403, no
|
||
|
|
* existence oracle.
|
||
|
|
*/
|
||
|
|
final class BucketOwnerExtension implements QueryCollectionExtensionInterface, QueryItemExtensionInterface
|
||
|
|
{
|
||
|
|
public function __construct(
|
||
|
|
private readonly Security $security,
|
||
|
|
) {
|
||
|
|
}
|
||
|
|
|
||
|
|
public function applyToCollection(
|
||
|
|
QueryBuilder $queryBuilder,
|
||
|
|
QueryNameGeneratorInterface $queryNameGenerator,
|
||
|
|
string $resourceClass,
|
||
|
|
?Operation $operation = null,
|
||
|
|
array $context = [],
|
||
|
|
): void {
|
||
|
|
$this->addOwnerWhere($queryBuilder, $queryNameGenerator, $resourceClass);
|
||
|
|
}
|
||
|
|
|
||
|
|
public function applyToItem(
|
||
|
|
QueryBuilder $queryBuilder,
|
||
|
|
QueryNameGeneratorInterface $queryNameGenerator,
|
||
|
|
string $resourceClass,
|
||
|
|
array $identifiers,
|
||
|
|
?Operation $operation = null,
|
||
|
|
array $context = [],
|
||
|
|
): void {
|
||
|
|
$this->addOwnerWhere($queryBuilder, $queryNameGenerator, $resourceClass);
|
||
|
|
}
|
||
|
|
|
||
|
|
private function addOwnerWhere(
|
||
|
|
QueryBuilder $queryBuilder,
|
||
|
|
QueryNameGeneratorInterface $queryNameGenerator,
|
||
|
|
string $resourceClass,
|
||
|
|
): void {
|
||
|
|
// This extension fires for every resource's queries — only act on Bucket.
|
||
|
|
if (Bucket::class !== $resourceClass) {
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
$user = $this->security->getUser();
|
||
|
|
if (!$user instanceof User) {
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
$rootAlias = $queryBuilder->getRootAliases()[0];
|
||
|
|
$scenarioAlias = $queryNameGenerator->generateJoinAlias('scenario');
|
||
|
|
$param = $queryNameGenerator->generateParameterName('currentUser');
|
||
|
|
|
||
|
|
$queryBuilder
|
||
|
|
->innerJoin(\sprintf('%s.scenario', $rootAlias), $scenarioAlias)
|
||
|
|
->andWhere(\sprintf('%s.owner = :%s', $scenarioAlias, $param))
|
||
|
|
->setParameter($param, $user);
|
||
|
|
}
|
||
|
|
}
|