Skip to content

Security and voters #15

Description

@quentinus95

We need to add several checks on the API to protect some specific endpoints.

Users should not be able to see personal information of any other one; we must add a voter to be able to check who is the current user trying to access to the ressource (if a token is provided) and if he effectively is allowed to see it.

Four steps:

  1. We should split Account entity to "Profile" and "Account". Account should contain only private stuff and Profile any information that could be displayed on user's profile page
  2. Create a voter (declared as a service) to check if user is allowed to see the "Account" entity: https://symfony.com/doc/current/security/voters.html
  3. Using the event system https://api-platform.com/docs/core/events to check if the user can effectively see the "Account" entity (the action is delegated to the voter, you will need to inject it as a service with the "token storage" one (it contains the potential currently authenticated user) using dependency injections) and return a 403 if voter returned false.
  4. Testing (behat or unit testing, I believe behat should be faster to write)

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions