Skip to content

Make hydra documentation respect access control #2719

New issue
New issue
Open
Open
Make hydra documentation respect access control#2719
Labels
enhancement
@armellarcier

Description

@armellarcier
armellarcier
opened on Apr 9, 2019

My api has public and private entries.

But the hydra and swagger documentations expose all of them.

As a result, a connected user that has access to only parts of the api will see the whole documentation which is not a good thing for security.

More importantly, the admin is broken in that case because it tries to fetch every resource in the hydra documentation.

Activity

teohhanhui

teohhanhui commented on Apr 9, 2019

@teohhanhui
teohhanhui
on Apr 9, 2019
Contributor

The documentation should be available even for operations that require authentication. There is nothing wrong with that. "Security by obscurity" is bad.

teohhanhui

teohhanhui commented on Apr 9, 2019

@teohhanhui
teohhanhui
on Apr 9, 2019
Contributor

More importantly, the admin is broken in that case because it tries to fetch every resource in the hydra documentation.

Then that's a bug in the admin.

teohhanhui
added
question
on Apr 9, 2019
armellarcier

armellarcier commented on Apr 9, 2019

@armellarcier
armellarcier
on Apr 9, 2019
Author

I agree. I first created an issue in the admin repository. I ended up overriding the documentation parser.
But still, I would like the ability to hide entrypoints from the swagger ui based on access control. It’s more of a feature request

armellarcier

armellarcier commented on Apr 9, 2019

@armellarcier
armellarcier
on Apr 9, 2019
Author

Maybe it can be done in userland?

er1z

er1z commented on May 10, 2019

@er1z
er1z
on May 10, 2019
Contributor

Just decorate documentation normalizer.

dunglas

dunglas commented on May 10, 2019

@dunglas
dunglas
on May 10, 2019
Member

It's a very frequent request. It would be nice to have it in core (with a flag to enable or disable this feature).

dunglas

dunglas commented on May 10, 2019

@dunglas
dunglas
on May 10, 2019
Member

Basically it means executing the security expression in the documentation normalizers.

armellarcier

armellarcier commented on May 11, 2019

@armellarcier
armellarcier
on May 11, 2019
Author

I really need this and I’d need some directions to push a PR quickly. @dunglas what modifications and configuration options would you like to see?

soyuka
added
enhancement
and removed
question
on May 15, 2019
dunglas

dunglas commented on May 17, 2019

@dunglas
dunglas
on May 17, 2019
Member

I suggest to inject the Security Expression executor in DocumentationNormalizer, and to security expression of every resource class before this line and of every operation here.

If the security expression can be executed (it doesn't depend of the current object but only use is_granted() for instance), then I would skip generating the documentation of not allowed operations.

The same logic must be adapted for the OpenAPI DocumentationNormalizer.

gomcodoctor

gomcodoctor commented on Nov 15, 2019

@gomcodoctor
gomcodoctor
on Nov 15, 2019

I am working on it, i wanted to decorate DocumentationNormalizer but all functions are private !

soyuka
mentioned this on Nov 15, 2019
klobastov

klobastov commented on Jun 26, 2023

@klobastov
klobastov
on Jun 26, 2023

Is there any news on this topic?

soyuka
mentioned this in 2 issues on Oct 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @dunglas@teohhanhui@armellarcier@soyuka@er1z

        Issue actions
          Make hydra documentation respect access control · Issue #2719 · api-platform/core