Description

Hi!

In the Symfony security 5.2 (well, introduced in 5.1) "authenticator" system, anonymous users are gone, which means that when a user is not authenticated, there will be no "token" in the security system.

This causes a problem in API Platform: if an anonymous user tries to access an operation that is protected with a security attribute, they will get:

The current token must be set to use the "access_control" attribute (is the URL behind a firewall?)

Solution

Fortunately, I think the solution is pretty simple :). In ResourceAccessChecker, a null token needs to be allowed, which would just pass a null token and user variables into the expression.

The only tricky part is that we probably (?) want to continue to throw the above exception for users that are using the "old" security system. If that is the case, then a new constructor flag will need to be passed to ResourceAccessChecker that tells it if this exception should be thrown (basically, this flag would be true if the "old" system is used and false if the "new" system is used). A similar thing is done in the core of Symfony: https://github.com/symfony/symfony/blob/494ef421c554a78b38c6779c4b7deb9a20d89923/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php#L52

In order to set that argument, there is no parameter in Symfony that just says "the user is on the old/new system". I think the best way would be to, in a compiler pass, check for the existence of the security.authenticator.manager service. If that service exists, then the user is on the "new" system.

Sorry I can't create a PR for lack of time at the moment - but hopefully this description will help someone :).

Cheers!
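To make the proposal above concrete, here is an added sketch of the two pieces it describes: a checker that tolerates a missing token behind a constructor flag, and a compiler pass that sets that flag from the presence of the security.authenticator.manager service. This is example code written for this page, not API Platform's real ResourceAccessChecker and not code from the issue author; the class names, the App\Security namespace and the app.resource_access_checker service id are assumptions.

```php
<?php
// Added illustration of the approach proposed in the issue; NOT API Platform's
// ResourceAccessChecker. Class names, the App\Security namespace and the
// "app.resource_access_checker" service id are assumptions for this example.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class ResourceAccessChecker
{
    private ExpressionLanguage $expressionLanguage;
    private TokenStorageInterface $tokenStorage;
    private bool $exceptionOnNoToken;

    /**
     * @param bool $exceptionOnNoToken true on the legacy security system (keep throwing
     *                                 the LogicException), false on the authenticator
     *                                 system (a null token just means "not authenticated")
     */
    public function __construct(
        ExpressionLanguage $expressionLanguage,
        TokenStorageInterface $tokenStorage,
        bool $exceptionOnNoToken = true
    ) {
        $this->expressionLanguage = $expressionLanguage;
        $this->tokenStorage = $tokenStorage;
        $this->exceptionOnNoToken = $exceptionOnNoToken;
    }

    /**
     * Evaluates a "security" expression, e.g. 'user != null and object.getOwner() == user'.
     * Expressions must tolerate a null token/user: "and" short-circuits in the
     * ExpressionLanguage, so a leading "user != null" guards the rest.
     */
    public function isGranted(object $resource, string $expression, array $extraVariables = []): bool
    {
        $token = $this->tokenStorage->getToken();

        if (null === $token && $this->exceptionOnNoToken) {
            // Legacy behaviour: on the old system a null token means the request was
            // not handled by a firewall at all, so keep failing loudly.
            throw new \LogicException('The current token must be set to use the "security" attribute (is the URL behind a firewall?).');
        }

        // New behaviour: hand a null token and user to the expression so that an
        // anonymous request simply evaluates to "not granted" instead of erroring.
        $variables = array_merge($extraVariables, [
            'token'  => $token,
            'user'   => null !== $token ? $token->getUser() : null,
            'object' => $resource,
        ]);

        return (bool) $this->expressionLanguage->evaluate($expression, $variables);
    }
}

/**
 * Sets the flag at container compile time. As the issue proposes, the presence of the
 * security.authenticator.manager service is taken as the signal that the new
 * authenticator-based system is enabled; its absence means the legacy system.
 */
final class SecurityTokenCompilerPass implements CompilerPassInterface
{
    public function process(ContainerBuilder $container): void
    {
        // Assumed service id for the checker above.
        if (!$container->hasDefinition('app.resource_access_checker')) {
            return;
        }

        $legacySystem = !$container->has('security.authenticator.manager');

        // Named constructor argument; resolved by the DI container before compilation ends.
        $container->getDefinition('app.resource_access_checker')
            ->setArgument('$exceptionOnNoToken', $legacySystem);
    }
}
```

The pass has to run before the container is compiled, so it is registered from the kernel with `$container->addCompilerPass(new SecurityTokenCompilerPass())` in `Kernel::build()`; with the default pass type it runs before Symfony's own named-argument resolution, so the `$exceptionOnNoToken` key is picked up. Toggling `enable_authenticator_manager` in the security configuration then flips the checker between the two behaviours without any extra parameter.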