I am building a Symfony 4 CMF. I am using API Platform. In the page.php entity, I have added the following:
<?php

namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\Common\Collections\ArrayCollection;
use Doctrine\Common\Collections\Collection;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Serializer\Annotation\Groups;

/**
 * @ApiResource(
 *     normalizationContext={"groups"={"read"}},
 *     denormalizationContext={"groups"={"write"}},
 *     collectionOperations={"get"},
 *     itemOperations={
 *         "get",
 *         "put"={"security"="is_granted('ROLE_ADMIN')"},
 *     }
 * )
 * @ORM\Entity(repositoryClass="App\Repository\PageRepository")
 */
class Page
{
    /**
     * @ORM\Id()
     * @ORM\GeneratedValue()
     * @ORM\Column(type="integer")
     */
    private $id;

    /**
     * @ORM\Column(type="string", length=255)
     * @Groups("write")
     */
    private $route;

    /**
     * @ORM\Column(type="string", length=255)
     * @Groups({"read", "write"})
     */
    private $name;

    .....
NOTE: In my normal back-office controllers, I'm already using voters and IS_GRANTED. I'm trying to say that my access control is working perfectly in other places, except in my API Platform entities.
Right now, even though I've added ROLE_ADMIN to the PUT method, I authenticate with a ROLE_USER-only user and I'm still able to PUT the page. This means that it is not taking my role in the is_granted section of the API Platform annotation into consideration.
Any idea why?
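The behaviour described above is the kind of silent failure worth pinning down with a functional test rather than by hand: the `security` operation attribute only exists from API Platform 2.5 onward (earlier releases use `access_control` and ignore unknown keys without complaint). The following test is an added example, not code from the original post; it assumes an `http_basic` firewall on `/api`, a `PageFixtures`-style user `user`/`pass` holding only ROLE_USER, and a Page with id 1 in the test database.

```php
<?php
// Added example: verifies that a ROLE_USER account is refused on PUT /api/pages/{id}.
// Assumptions (not from the original post): http_basic firewall on /api,
// a test user "user"/"pass" with ROLE_USER only, and a Page row with id 1.
namespace App\Tests\Api;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class PagePutAccessTest extends WebTestCase
{
    private const PAGE_IRI = '/api/pages/1';

    public function testRoleUserCannotPutPage(): void
    {
        // Credentials are passed as server variables so the http_basic
        // firewall authenticates the request as the low-privilege user.
        $client = static::createClient([], [
            'PHP_AUTH_USER' => 'user',
            'PHP_AUTH_PW'   => 'pass',
        ]);

        $client->request(
            'PUT',
            self::PAGE_IRI,
            [],
            [],
            ['CONTENT_TYPE' => 'application/ld+json'],
            json_encode(['name' => 'changed by a non-admin'])
        );

        // If the operation-level rule is enforced, Symfony answers 403.
        // A 200 here means the "security" key is not being evaluated at all
        // (for example because the installed API Platform predates 2.5 and
        // expects "access_control" instead).
        self::assertSame(403, $client->getResponse()->getStatusCode());
    }

    public function testRoleAdminCanPutPage(): void
    {
        // Assumes a second fixture user "admin"/"pass" holding ROLE_ADMIN.
        $client = static::createClient([], [
            'PHP_AUTH_USER' => 'admin',
            'PHP_AUTH_PW'   => 'pass',
        ]);

        $client->request('PUT', self::PAGE_IRI, [], [],
            ['CONTENT_TYPE' => 'application/ld+json'],
            json_encode(['name' => 'changed by an admin']));

        self::assertSame(200, $client->getResponse()->getStatusCode());
    }
}
```

Run it with `php bin/phpunit --filter PagePutAccessTest`; a failing first test reproduces the problem deterministically and will catch a regression if the attribute name or API Platform version changes later.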