0 votes

I am trying to secure my POST operation on an entity by allowing it for 3 roles: ROLE_ADMIN, ROLE_USER and ROLE_LEADER. Every user has only one role.

When I was testing whether it works by removing ROLE_LEADER from the code below, I found out that a user with ROLE_LEADER can still create a user.

I have tried to introduce an error to see whether the changes are taking effect; they are.

I have the following operation:

```php
<?php
// Namespace, imports and class declaration added so the annotation has its
// target; the @ApiResource annotation itself is as posted.
namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @ApiResource(
 *    itemOperations={
 *         "post"={"access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')", "access_control_message"="You are not owner of this user."},
 *         "delete"={"access_control"="
                is_granted('ROLE_ADMIN')
                or (is_granted('ROLE_USER') and (previous_object.getOwner() == user or previous_object.getOwner().getOwner() == user))
                or (is_granted('ROLE_LEADER') and previous_object.getOwner() == user)
            ", "access_control_message"="You are not owner of this user."},
 *     },
 * )
 */
class User
{
    // fields, getOwner(), etc.
}
```

The delete operation works as expected; however, I cannot understand why I can still create a user when I am posting data from a user that has ROLE_LEADER.

Thank you for your time.

2
Can you post your security.yaml? And keep in mind that the role system is hierarchical. - Mario 2002

2 Answers

1 votes

The solution was that I needed to move

```php
"post"={"access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')", "access_control_message"="You are not owner of this user."},
```

from itemOperations to collectionOperations.
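The corrected annotation written out in full, as an added example (not the answerer's code): because declaring collectionOperations replaces API Platform's default collection operations, the unguarded default POST /users disappears and the rule now applies to the operation that actually creates users. The entity class name and getOwner() are assumed from the question.

```php
<?php
// Added example: "post" belongs to collectionOperations (POST /users creates
// a resource); itemOperations act on /users/{id}. Listing collectionOperations
// explicitly drops API Platform's default, unguarded collection "post".
// Assumed: the entity is App\Entity\User with a getOwner() relation.
namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @ApiResource(
 *     collectionOperations={
 *         "get",
 *         "post"={
 *             "access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')",
 *             "access_control_message"="You are not allowed to create users."
 *         }
 *     },
 *     itemOperations={
 *         "get",
 *         "delete"={"access_control"="
                is_granted('ROLE_ADMIN')
                or (is_granted('ROLE_USER') and (previous_object.getOwner() == user or previous_object.getOwner().getOwner() == user))
                or (is_granted('ROLE_LEADER') and previous_object.getOwner() == user)
            ", "access_control_message"="You are not owner of this user."}
 *     }
 * )
 */
class User
{
    // fields, getOwner(), etc.
}
```

The continuation lines of the delete expression keep the question's formatting (no leading `*`), since asterisks inside the quoted expression would otherwise be handed to the expression language as part of the string.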

0 votes

Every user that logs in always has at least the role ROLE_USER. See the documentation for more information.

Therefore `is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')` means any logged-in user is granted access (because of `or is_granted('ROLE_USER')`), which is also why your user with ROLE_LEADER can still post data (because this user will also have the role ROLE_USER).

A solution is to create another user role and use that one instead.