Description
Hi,
Not sure if it's linked to #185, but I rolled back to api-platform/admin:0.6.2.
I have an API with different routes. Some of them require ROLE_USER, and others require ROLE_ADMIN.
When I log in with a user that has ROLE_ADMIN, everything works well.
When I log in with a user that has ROLE_USER, I get "Unable to retrieve API documentation".
If I open the DevTools I can see that these routes are OK:
- /api
- /docs.jsonld
- /Entrypoint
- /all-routes-that-only-requires-ROLE_USER
All other routes just fail with a 500 Access Denied, in dev or prod mode.
Here is some information about an Entity with ROLE_ADMIN:
/**
 * @ApiResource(
 *     iri="http://schema.org/Person",
 *     accessControl="is_granted('ROLE_ADMIN')",
 *     attributes={
 *         "access_control"="is_granted('ROLE_ADMIN')",
 *         "status_code"=403,
 *         "pagination_client_enabled"=true,
 *     })
...
Here is the security part:
security:
    encoders:
        App\Entity\User:
            algorithm: sodium
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_login:
            pattern: ^/api/login$
            anonymous: false
            stateless: true
            json_login:
                check_path: api_login
                username_path: "%login_username_path%"
                password_path: "%login_password_path%"
        api:
            pattern: ^/api
            anonymous: false
            stateless: true
            guard:
                authenticators:
                    - App\Security\Authenticator
        main:
            anonymous: ~
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    #access_control:
    #    - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/api, roles: ROLE_USER }
Here is the symfony log:
[2019-08-07 16:37:14] security.DEBUG: Access denied, the user is neither anonymous, nor remember-me. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /pathToProject/vendor/api-platform/core/src/Security/EventListener/DenyAccessListener.php:76)"} []
[2019-08-07 16:37:14] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access Denied." at /pathToProject/vendor/symfony/security-http/Firewall/ExceptionListener.php line 120 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Access Denied. at /pathToProject/vendor/symfony/security-http/Firewall/ExceptionListener.php:120, Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /pathToProject/vendor/api-platform/core/src/Security/EventListener/DenyAccessListener.php:76)"} []
I have even tried adding this Exception to config/packages/api_platform.yaml (which I expect to be handled natively):
api_platform:
    ...
    exception_to_status:
        ...
        Symfony\Component\Security\Core\Exception\AccessDeniedException: 403
You can test the app here:
https://petkennel.myalerts.org/admin
user admin: admin@localhost / pwd
user standard: userOne@localhost / pwd
Thanks for help
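The situation above (the Hydra entrypoint and the docs load fine, but a subset of resources answers 403 for ROLE_USER) is one a Hydra client can handle without giving up on the whole admin. The following is an added example, not code from the issue, from api-platform/admin or from api-platform/core: it walks a constructed Entrypoint document, probes each resource, keeps the readable ones, lists the ones denied by `access_control`, and only treats unexpected statuses (such as the 500 mentioned in the report) as a failure. The entrypoint, the role map and the `makeProbe` stand-in for `fetch()` are all constructed for the example.

```javascript
// Added example (not the issue's code and not api-platform/admin's own loader).
// Shows a client tolerating per-resource 403s while discovering a Hydra entrypoint.

// Constructed sample of what GET /api returns (an Entrypoint document).
const SAMPLE_ENTRYPOINT = {
  "@context": "/api/contexts/Entrypoint",
  "@id": "/api",
  "@type": "Entrypoint",
  person: "/api/people",
  pet: "/api/pets",
  booking: "/api/bookings",
};

// Constructed, hypothetical role map mirroring the ROLE_USER / ROLE_ADMIN split
// described in the report: /api/people is admin-only.
const SAMPLE_ACL = {
  "/api/people": ["ROLE_ADMIN"],
  "/api/pets": ["ROLE_USER", "ROLE_ADMIN"],
  "/api/bookings": ["ROLE_USER", "ROLE_ADMIN"],
};

// Synchronous stand-in for fetch(): returns the HTTP status a collection GET
// would get for `role`. A real client would `await fetch(iri)` and read
// `response.status` instead. `serverError` simulates the 500 from the report.
function makeProbe(acl, role, { serverError = false } = {}) {
  return (iri) => {
    const allowed = acl[iri];
    if (!allowed) return { status: 404 };
    if (!allowed.includes(role)) return { status: serverError ? 500 : 403 };
    return { status: 200 };
  };
}

// Walks the entrypoint and classifies every resource IRI by the status it answers.
function discoverResources(entrypoint, probe) {
  const result = { readable: [], denied: [], failed: [] };
  for (const [name, iri] of Object.entries(entrypoint)) {
    if (name.startsWith("@")) continue; // skip JSON-LD keywords (@context, @id, @type)
    const { status } = probe(iri);
    if (status >= 200 && status < 300) {
      result.readable.push(name);
    } else if (status === 401 || status === 403) {
      // Expected when the user's role is below the resource's access_control.
      result.denied.push(name);
    } else {
      // 404 / 5xx: a genuine problem, not an authorization decision.
      result.failed.push({ name, status });
    }
  }
  return result;
}

// The decision an admin UI has to make: denied resources are hidden, not fatal;
// only real failures (or nothing readable at all) should block rendering.
function canRenderAdmin(discovery) {
  return discovery.failed.length === 0 && discovery.readable.length > 0;
}

// Example run: same entrypoint, two roles.
const asAdmin = discoverResources(SAMPLE_ENTRYPOINT, makeProbe(SAMPLE_ACL, "ROLE_ADMIN"));
const asUser = discoverResources(SAMPLE_ENTRYPOINT, makeProbe(SAMPLE_ACL, "ROLE_USER"));
console.log("admin:", asAdmin, canRenderAdmin(asAdmin));
console.log("user:", asUser, canRenderAdmin(asUser));
```

With the constructed role map, ROLE_ADMIN sees all three resources, while ROLE_USER gets `person` in `denied` and can still render an admin built from `pet` and `booking`. If the server answers 500 instead of 403 for the denied resource, it lands in `failed` and the UI correctly refuses to render, which is why mapping `AccessDeniedException` to a 403 on the server side matters to the client.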