Tom

Reputation: 2873

owner check not working with JWT auth

I'm following the example / documentation closely trying to set up a resource that only its owner can access, and I get this error:

"hydra:description": "Notice: Undefined property: ApiPlatform\Core\Bridge\Doctrine\Orm\Paginator::$owner",

JWT authentication per se seems to work fine.

My resource is defined like this:

/**
 * @ORM\Entity
 * @ApiResource(
 *     attributes={"access_control"="is_granted('ROLE_USER') and object.owner == user"},
 *     collectionOperations={"get"},
 *     itemOperations={"get"},
 *     )
 */

Security and user provider and everything is set up exactly as in the api-platform or Symfony documentation.

The property owner is defined as:

/**
 * @var User The owner
 *
 * @ORM\ManyToOne(targetEntity=User::class)
 */
public $owner;

What am I doing wrong?

Upvotes: 1

Views: 952

Answers (2)

Romain Cruciani

Reputation: 11

@ahaaje is correct.

But you can still achieve what you're looking for by implementing an "extension". This would allow you to filter the collection with only items that belong to your user.

Official documentation is here.

Upvotes: 0
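
A sketch of the extension approach suggested in this answer, added here as an example and not part of the original thread or the API Platform documentation. It assumes API Platform 2.x (the `ApiPlatform\Core` namespace seen in the error message), autoconfigured Symfony services, a security user that is the Doctrine `User` entity, and a hypothetical resource class `App\Entity\Item`; the class name `OwnerCollectionExtension` is also made up.

```php
<?php
// Added example. App\Entity\Item and OwnerCollectionExtension are
// hypothetical names; "owner" is the property from the question.
namespace App\Doctrine;

use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use App\Entity\Item;
use Doctrine\ORM\QueryBuilder;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;

final class OwnerCollectionExtension implements QueryCollectionExtensionInterface
{
    private $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public function applyToCollection(
        QueryBuilder $queryBuilder,
        QueryNameGeneratorInterface $queryNameGenerator,
        string $resourceClass,
        string $operationName = null
    ): void {
        // Leave every other resource untouched.
        if (Item::class !== $resourceClass) {
            return;
        }

        $user = $this->security->getUser();
        if (!$user instanceof UserInterface) {
            // Fail closed: no authenticated user means no rows.
            $queryBuilder->andWhere('1 = 0');
            return;
        }

        $rootAlias = $queryBuilder->getRootAliases()[0];
        $param = $queryNameGenerator->generateParameterName('owner');

        // The owner comes from the authenticated token, never from the request.
        $queryBuilder
            ->andWhere(sprintf('%s.owner = :%s', $rootAlias, $param))
            ->setParameter($param, $user);
    }
}
```

With the collection filtered in the query, the `object.owner == user` expression only needs to guard the item operation, where `object` is a single entity rather than the Paginator.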

ahaaje

Reputation: 81

I think this would work on your itemOperation GET, but not on your collectionOperation. The reason is that "object" in this case will be the collection of User objects, which is represented as the Paginator class.

Upvotes: 1
