buckets/src/Doctrine/BucketOwnerExtension.php

75 lines
2.5 KiB
PHP
Raw Normal View History

<?php
namespace App\Doctrine;
use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface;
use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use ApiPlatform\Metadata\Operation;
use App\Entity\Bucket;
use App\Entity\User;
use Doctrine\ORM\QueryBuilder;
use Symfony\Bundle\SecurityBundle\Security;
/**
* Scopes every Bucket read to the authenticated owner. A Bucket has no direct
* owner column ownership is transitive via its Scenario so this JOINs the
* `scenario` relation and appends `WHERE scenario.owner = :currentUser`.
* Non-owned rows become unresolvable, so API Platform's provider 404s naturally
* on item reads and silently filters them out of collections no 403, no
* existence oracle.
*/
final class BucketOwnerExtension implements QueryCollectionExtensionInterface, QueryItemExtensionInterface
{
public function __construct(
private readonly Security $security,
) {
}
public function applyToCollection(
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator,
string $resourceClass,
?Operation $operation = null,
array $context = [],
): void {
$this->addOwnerWhere($queryBuilder, $queryNameGenerator, $resourceClass);
}
public function applyToItem(
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator,
string $resourceClass,
array $identifiers,
?Operation $operation = null,
array $context = [],
): void {
$this->addOwnerWhere($queryBuilder, $queryNameGenerator, $resourceClass);
}
private function addOwnerWhere(
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator,
string $resourceClass,
): void {
// This extension fires for every resource's queries — only act on Bucket.
if (Bucket::class !== $resourceClass) {
return;
}
$user = $this->security->getUser();
if (!$user instanceof User) {
return;
}
$rootAlias = $queryBuilder->getRootAliases()[0];
$scenarioAlias = $queryNameGenerator->generateJoinAlias('scenario');
$param = $queryNameGenerator->generateParameterName('currentUser');
$queryBuilder
->innerJoin(\sprintf('%s.scenario', $rootAlias), $scenarioAlias)
->andWhere(\sprintf('%s.owner = :%s', $scenarioAlias, $param))
->setParameter($param, $user);
}
}