I am trying to secure the post operation on an entity by allowing it for 3 roles: ROLE_ADMIN, ROLE_USER and ROLE_LEADER. Every user has only one role.
When I was testing whether it works by removing ROLE_LEADER from the code below, I found out that a user with ROLE_LEADER can still create a user.
I have tried introducing an error to check that the changes are taking effect; they are.
I have the following operation:
/**
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @ApiResource(
 *     itemOperations={
 *         "post"={
 *             "access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')",
 *             "access_control_message"="You are not owner of this user."
 *         },
 *         "delete"={
 *             "access_control"="
    is_granted('ROLE_ADMIN')
    or (is_granted('ROLE_USER') and (previous_object.getOwner() == user or previous_object.getOwner().getOwner() == user))
    or (is_granted('ROLE_LEADER') and previous_object.getOwner() == user)
 ",
 *             "access_control_message"="You are not owner of this user."
 *         },
 *     },
 * )
 */
The delete operation works as expected; however, I cannot understand why I can still create a user when I am posting data as a user that has ROLE_LEADER.
Thank you for your time.
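The following is an added example, not the asker's code, showing the placement that makes the rule take effect. In API Platform 2.x, POST is a collection operation: the default collectionOperations are get and post, the default itemOperations are get, put and delete. An operation named "post" under itemOperations has no supported item HTTP method, so the metadata factory falls back to GET for it and registers an extra item route (api_users_post_item), while the real POST /users collection operation keeps its default configuration, which carries no access_control at all. Anyone the firewall lets through (every authenticated role, and anonymous clients if the firewall allows them) can therefore create users, which is exactly the observed behaviour. The namespace, class name and the owner property below are assumed for illustration.

```php
<?php
// Added example (not the asker's code): the same @ApiResource rule placed
// where API Platform 2.x actually applies it. Namespace, class name and
// properties are assumed for illustration.

namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;

// WRONG (what the question shows): "post" under itemOperations.
//
//   @ApiResource(
//       itemOperations={
//           "post"={"access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')"}
//       }
//   )
//
// POST is not a supported item method, so API Platform defaults this
// operation to GET on /users/{id}, and the real POST /users collection
// operation keeps its default, which has no access_control at all.

/**
 * CORRECT: declare the rule on the collection "post" operation. Listing
 * collectionOperations explicitly replaces the defaults, so "get" must be
 * restated (and is restricted here too); delete stays an item operation.
 * The continuation lines of the multi-line expression are deliberately
 * left without a leading "*": inside a quoted annotation string the
 * asterisk would become part of the expression and break it.
 *
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @ApiResource(
 *     collectionOperations={
 *         "get"={"access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')"},
 *         "post"={
 *             "access_control"="is_granted('ROLE_ADMIN') or is_granted('ROLE_USER')",
 *             "access_control_message"="Only admins and regular users may create users."
 *         }
 *     },
 *     itemOperations={
 *         "get"={"access_control"="is_granted('ROLE_ADMIN') or object.getOwner() == user"},
 *         "delete"={
 *             "access_control"="
    is_granted('ROLE_ADMIN')
    or (is_granted('ROLE_USER') and (previous_object.getOwner() == user or previous_object.getOwner().getOwner() == user))
    or (is_granted('ROLE_LEADER') and previous_object.getOwner() == user)
 ",
 *             "access_control_message"="You are not owner of this user."
 *         }
 *     }
 * )
 */
class User
{
    /**
     * @ORM\Id
     * @ORM\GeneratedValue
     * @ORM\Column(type="integer")
     */
    private $id;

    /**
     * The user who created this user (assumed relation for the example).
     *
     * @ORM\ManyToOne(targetEntity="App\Entity\User")
     */
    private $owner;

    public function getId(): ?int
    {
        return $this->id;
    }

    public function getOwner(): ?self
    {
        return $this->owner;
    }

    public function setOwner(?self $owner): self
    {
        $this->owner = $owner;

        return $this;
    }
}
```

To confirm which routes the annotation actually produced, run `php bin/console debug:router | grep users`: with the original configuration you will see an api_users_post_item route answering GET on /users/{id} next to an unrestricted api_users_post_collection for POST /users; with the corrected configuration only the collection POST route exists and the access_control is attached to it. Two caveats: `access_control` and `access_control_message` were renamed `security` and `security_message` in API Platform 2.5 (the old names are deprecated but still work), and the delete rule for ROLE_USER, which accepts an owner's owner, is broader than the post rule, so check that the asymmetry is intended.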