Authentication fails if one route requires higher Authorization, so you will have this error: "Unable to retrieve API documentation." · Issue #193 · api-platform/admin · GitHub
Closed
@Rebolon


Hi,

Not sure it's linked to #185, but I rolled back to api-platform/admin:0.6.2.
I have an API with different routes. Some of them require ROLE_USER, and others require ROLE_ADMIN.
When I log in with a user that has ROLE_ADMIN, everything works well.
When I log in with a user that has ROLE_USER, I get "Unable to retrieve API documentation".

If I open the DevTools I can see that those routes are OK:

  • /api
  • /docs.jsonld
  • /Entrypoint
  • /all-routes-that-only-requires-ROLE_USER

All other routes just fail with a 500 Access Denied, in dev or prod mode.

Here is some information about an Entity with ROLE_ADMIN:

/**
 * @ApiResource(
 *     iri="http://schema.org/Person",
 *     accessControl="is_granted('ROLE_ADMIN')",
 *     attributes={
 *          "access_control"="is_granted('ROLE_ADMIN')",
 *          "status_code"=403,
 *          "pagination_client_enabled"=true,
 *     })
... 

Here is the security part:

security:
    encoders:
        App\Entity\User:
            algorithm: sodium

    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        api_login:
            pattern: ^/api/login$
            anonymous: false
            stateless: true
            json_login:
                check_path: api_login
                username_path: "%login_username_path%"
                password_path: "%login_password_path%"

        api:
            pattern: ^/api
            anonymous: false
            stateless: true
            guard:
                authenticators:
                    - App\Security\Authenticator
        main:
            anonymous: ~

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
    #    - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/api, roles: ROLE_USER }

Here is the symfony log:

[2019-08-07 16:37:14] security.DEBUG: Access denied, the user is neither anonymous, nor remember-me. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /pathToProject/vendor/api-platform/core/src/Security/EventListener/DenyAccessListener.php:76)"} []
[2019-08-07 16:37:14] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access Denied." at /pathToProject/vendor/symfony/security-http/Firewall/ExceptionListener.php line 120 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Access Denied. at /pathToProject/vendor/symfony/security-http/Firewall/ExceptionListener.php:120, Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /pathToProject/vendor/api-platform/core/src/Security/EventListener/DenyAccessListener.php:76)"} []

I have even tried to add this Exception to config/packages/api_platform.yaml (which I expect to be managed natively):

api_platform:
  ...
  exception_to_status:
    ...
    Symfony\Component\Security\Core\Exception\AccessDeniedException: 403

You can test the app here:
https://petkennel.myalerts.org/admin
user admin: admin@localhost / pwd
user standard: userOne@localhost / pwd

Thanks for your help
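As an added example to illustrate the failure mode described in this report (this is not code from api-platform/admin or from the issue author), the JavaScript below models an entrypoint whose collections need different roles, a ROLE_USER token, and an admin-side loader that treats a 403 on a single collection as "hide this resource" rather than as a reason to give up on the whole documentation. It also shows what happens when the backend answers the denial with a 500, as in the log above: the client can no longer tell a permission problem from a real server error. The entrypoint, the role table, the tokens and the function names are all assumptions made for this illustration; the request stand-in is synchronous so the example runs without a network.

```javascript
// Added example, not code from api-platform/admin or from the issue author.
// It models the situation in the report: one bearer token per user, an
// entrypoint listing collections, and collections that need different roles.
// ENTRYPOINT, ROUTE_ROLES, USERS, fakeApi and loadAccessibleResources are
// assumptions made for this illustration; the request stand-in is synchronous.

const ENTRYPOINT = {
  "@context": "/api/contexts/Entrypoint",
  "@id": "/api",
  "@type": "Entrypoint",
  book: "/api/books",     // ROLE_USER
  person: "/api/people",  // ROLE_ADMIN, like the Person resource in the report
  review: "/api/reviews", // ROLE_USER
};

// Constructed stand-in for the Symfony / API Platform side: role required per path.
const ROUTE_ROLES = {
  "/api": "ROLE_USER",
  "/api/books": "ROLE_USER",
  "/api/people": "ROLE_ADMIN",
  "/api/reviews": "ROLE_USER",
};

// Constructed tokens; a real deployment would validate a JWT here.
const USERS = {
  "token-admin": ["ROLE_ADMIN", "ROLE_USER"],
  "token-user": ["ROLE_USER"],
};

// Synchronous fetch stand-in. With deniedStatus = 500 it reproduces the
// "500 Access Denied" the report describes; 403 is the correct mapping.
function fakeApi({ deniedStatus = 403 } = {}) {
  return function request(path, token) {
    const roles = USERS[token];
    if (!roles) return { status: 401, body: null };
    const needed = ROUTE_ROLES[path];
    if (needed === undefined) return { status: 404, body: null };
    if (!roles.includes(needed)) {
      return { status: deniedStatus, body: { "hydra:description": "Access Denied." } };
    }
    return { status: 200, body: path === "/api" ? ENTRYPOINT : { "hydra:member": [] } };
  };
}

// Load the entrypoint, then probe each collection with the user's token.
// Only a failure on the entrypoint itself is fatal. A 403 on a collection is
// expected for a user who lacks that role and simply hides the resource.
// Anything else (for example a 500) is reported separately so it is not
// mistaken for a permission problem.
function loadAccessibleResources(request, token) {
  const entry = request("/api", token);
  if (entry.status === 401) throw new Error("Not authenticated");
  if (entry.status !== 200) {
    throw new Error(`Unable to retrieve API documentation (HTTP ${entry.status})`);
  }
  const result = { accessible: [], forbidden: [], failed: [] };
  for (const [name, href] of Object.entries(entry.body)) {
    if (name.startsWith("@")) continue; // skip JSON-LD keywords
    const res = request(href, token);
    if (res.status === 200) result.accessible.push(name);
    else if (res.status === 403) result.forbidden.push(name);
    else result.failed.push({ name, status: res.status });
  }
  return result;
}

// Stand-alone run: the same ROLE_USER token against a correct backend (403)
// and against one that maps the denial to 500.
if (typeof require !== "undefined" && require.main === module) {
  console.log(loadAccessibleResources(fakeApi(), "token-user"));
  console.log(loadAccessibleResources(fakeApi({ deniedStatus: 500 }), "token-user"));
}
```

Run it with node. The design point is that an authorization failure on one resource is the expected outcome for a less-privileged user and must reach the client as a 403; only a failure on the entrypoint itself justifies giving up with "Unable to retrieve API documentation". When the server turns the denial into a 500, the second run shows the resource landing in `failed` instead of `forbidden`, which is exactly the ambiguity a client cannot resolve on its own.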
