Symfony 3.4 Access Denied - API REST (Check Profile)
Hello, I am trying to create a REST API with Symfony 3.4.
When I try a GET on http://localhost:8000/users/3 (with the token supplied, of course), it tells me: Access denied... But when I remove "@Security("is_granted('show', 'theUser')", message="Access denied")" the UserController works, but then you can look at every profile, not just your own...
UserController (getUserAction):
<?php
// The class header, namespace and use statements were cut off in the post and are
// reconstructed here; the AppBundle namespaces are assumed.
namespace AppBundle\Controller;

use AppBundle\Entity\User;
use AppBundle\Exception\ResourceValidationException;
use FOS\RestBundle\Controller\Annotations as Rest;
use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Validator\ConstraintViolationListInterface;

class UserController extends Controller
{
    /**
     * @var UserPasswordEncoderInterface
     */
    private $passwordEncoder;

    /**
     * @var JWTEncoderInterface
     */
    private $jwtEncoder;

    public function __construct(UserPasswordEncoderInterface $passwordEncoder, JWTEncoderInterface $jwtEncoder)
    {
        $this->passwordEncoder = $passwordEncoder;
        $this->jwtEncoder = $jwtEncoder;
    }

    /**
     * GET /users/{theUser}: the ParamConverter loads the User entity from the id in the URL.
     * The expression below passes the *string* 'theUser' to the voter, not the entity
     * (this is the behaviour the post asks about).
     *
     * @Rest\View()
     * @Security("is_granted('show', 'theUser')", message="Access denied")
     */
    public function getUserAction(User $theUser)
    {
        if (null === $theUser) {
            throw new NotFoundHttpException();
        }

        return $theUser;
    }

    /**
     * POST /users: the request body is deserialized into a User and validated.
     *
     * @Rest\Post(
     *     path = "/users",
     *     name = "users_add"
     * )
     * @Rest\View(statusCode=201)
     * @ParamConverter(
     *     "user",
     *     converter="fos_rest.request_body",
     *     options={"deserializationContext"={"groups"={"Deserialize"}}}
     * )
     */
    public function postUserAction(User $user, ConstraintViolationListInterface $violations)
    {
        // The option key is "deserializationContext" (the post had "deserializationContent",
        // which the request-body converter silently ignores, so the groups were not applied).
        if (count($violations) > 0) {
            $message = 'The user is not valid: ';
            foreach ($violations as $violation) {
                $message .= sprintf(
                    "Field %s: %s ",
                    $violation->getPropertyPath(),
                    $violation->getMessage()
                );
            }
            throw new ResourceValidationException($message);
        }

        // Never store the plain-text password: hash it with the configured encoder.
        $user->setPassword(
            $this->passwordEncoder->encodePassword(
                $user,
                $user->getPassword()
            )
        );
        // Roles are assigned server-side; the client cannot choose them in the request body.
        $user->setRoles([User::ROLE_USER]);

        $em = $this->getDoctrine()->getManager();
        $em->persist($user);
        $em->flush();

        return $user;
    }
}
UserVoter:
<?php
// The class header, namespace and use statements were cut off in the post and are
// reconstructed here; the class name UserVoter and the AppBundle namespace are assumed.
namespace AppBundle\Security;

use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class UserVoter extends Voter
{
    const SHOW = 'show';

    /**
     * Determines if the attribute and subject are supported by this voter.
     * Note: a subject that is not a User instance (e.g. the string 'theUser') is not
     * supported, so the voter abstains and never reaches voteOnAttribute().
     *
     * @param string $attribute An attribute
     * @param mixed  $subject   The subject to secure, e.g. an object the user wants to access or any other PHP type
     *
     * @return bool True if the attribute and subject are supported, false otherwise
     */
    protected function supports($attribute, $subject)
    {
        if (!in_array($attribute, [self::SHOW])) {
            return false;
        }

        if (!$subject instanceof User) {
            return false;
        }

        return true;
    }

    /**
     * Perform a single access check operation on a given attribute, subject and token.
     * It is safe to assume that $attribute and $subject already passed the "supports()" method check.
     *
     * @param string         $attribute
     * @param mixed          $subject
     * @param TokenInterface $token
     *
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        switch ($attribute) {
            case self::SHOW:
                return $this->isUserHimself(
                    $subject,
                    $token
                );
        }

        return false;
    }

    /**
     * Grants access only when the authenticated user is the requested user.
     *
     * @param mixed          $subject
     * @param TokenInterface $token
     *
     * @return bool
     */
    protected function isUserHimself($subject, TokenInterface $token)
    {
        $authenticatedUser = $token->getUser();
        if (!$authenticatedUser instanceof User) {
            return false;
        }

        /**
         * @var User $user
         */
        $user = $subject;

        return $authenticatedUser->getId() === $user->getId();
    }
}
OK, great! I just removed the quotes: * @Security("is_granted('show', 'theUser')", message="Access denied")
to * @Security("is_granted('show', theUser)", message="Access denied")
If someone could explain the difference between quoting and not quoting inside @Security, thanks :)
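The difference is in the expression language that `@Security` evaluates: a bare `theUser` refers to the controller argument of that name (the `User` entity loaded by the ParamConverter), whereas `'theUser'` is a string literal. With the string, the voter's `supports()` returns false because the subject is not a `User`, so the voter abstains; when no voter votes, Symfony's default access decision manager (`affirmative` strategy with `allow_if_all_abstain: false`) denies, which is the "Access denied" seen above. The script below is an added example, not code from the original post: it runs the same voter logic through a real `AccessDecisionManager` for the three relevant cases. It assumes `symfony/security-core` 3.4 is installed via Composer; the `User` stand-in, the user ids and the firewall name `api` are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes symfony/security-core 3.4
// is installed via Composer. Run with: php voter_demo.php
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\UserInterface;

// Constructed stand-in for the post's User entity: only the members the voter needs.
final class User implements UserInterface
{
    private $id;
    private $username;

    public function __construct(int $id, string $username)
    {
        $this->id = $id;
        $this->username = $username;
    }

    public function getId(): int { return $this->id; }
    public function getRoles() { return ['ROLE_USER']; }
    public function getPassword() { return ''; }
    public function getSalt() { return null; }
    public function getUsername() { return $this->username; }
    public function eraseCredentials() {}
}

// Same decision logic as the voter in the post, condensed.
final class UserVoter extends Voter
{
    const SHOW = 'show';

    protected function supports($attribute, $subject)
    {
        // A string subject (the quoted 'theUser') fails this check -> ABSTAIN.
        return $attribute === self::SHOW && $subject instanceof User;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $me = $token->getUser();

        return $me instanceof User && $me->getId() === $subject->getId();
    }
}

function describeVote(int $vote): string
{
    switch ($vote) {
        case VoterInterface::ACCESS_GRANTED: return 'GRANTED';
        case VoterInterface::ACCESS_DENIED:  return 'DENIED';
        default:                             return 'ABSTAIN';
    }
}

$alice = new User(3, 'alice');   // the authenticated caller (constructed)
$bob   = new User(4, 'bob');     // another account (constructed)
$token = new UsernamePasswordToken($alice, null, 'api', $alice->getRoles());

$voter = new UserVoter();
// Symfony's default access_decision_manager: strategy "affirmative",
// allow_if_all_abstain: false, allow_if_equal_granted_denied: true.
$adm = new AccessDecisionManager([$voter], 'affirmative', false, true);

$cases = [
    "is_granted('show', 'theUser')  quoted: subject is the string" => 'theUser',
    "is_granted('show', theUser)    unquoted: subject is alice"    => $alice,
    "is_granted('show', theUser)    unquoted: subject is bob"      => $bob,
];

foreach ($cases as $label => $subject) {
    $vote   = $voter->vote($token, $subject, [UserVoter::SHOW]);
    $access = $adm->decide($token, [UserVoter::SHOW], $subject) ? 'allowed' : 'denied';
    printf("%-62s voter=%-7s => access %s\n", $label, describeVote($vote), $access);
}
```

The first case abstains and is therefore denied by the manager, the second is granted (alice viewing her own profile), and the third is denied (alice viewing bob). Removing the annotation altogether, as the post tried first, skips this check entirely and lets any authenticated user read any profile, so the unquoted form is the one to keep.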