Updated performAccessCheck doc #2959
base: 5.0
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| <?php declare(strict_types=1); | ||
|
|
||
| namespace App\Controller; | ||
|
|
||
| use App\Security\Limitation\CustomLimitationValue; | ||
| use Ibexa\Contracts\AdminUi\Controller\Controller; | ||
| use Ibexa\Contracts\AdminUi\Permission\PermissionCheckerInterface; | ||
| use Ibexa\Contracts\Core\Repository\PermissionResolver; | ||
| use Ibexa\Contracts\User\Controller\AuthenticatedRememberedCheckTrait; | ||
| use Ibexa\Core\MVC\Symfony\Security\Authorization\Attribute; | ||
| use Symfony\Component\HttpFoundation\Request; | ||
| use Symfony\Component\HttpFoundation\Response; | ||
|
|
||
| class CustomLimitationController extends Controller | ||
| { | ||
| use AuthenticatedRememberedCheckTrait { | ||
| AuthenticatedRememberedCheckTrait::performAccessCheck as public traitPerformAccessCheck; | ||
| } | ||
|
|
||
| public function __construct( | ||
| // ..., | ||
| private readonly PermissionResolver $permissionResolver, | ||
| private readonly PermissionCheckerInterface $permissionChecker | ||
| ) { | ||
| } | ||
|
|
||
| // Controller actions... | ||
| public function customAction(Request $request): Response | ||
| { | ||
| // ... | ||
| if ($this->getCustomLimitationValue()) { | ||
| // Action only for user having the custom limitation checked | ||
| } | ||
|
|
||
| return new Response('<html><body>...</body></html>'); | ||
| } | ||
|
|
||
| private function getCustomLimitationValue(): bool | ||
| { | ||
| $hasAccess = $this->permissionResolver->hasAccess('custom_module', 'custom_function_2'); | ||
|
|
||
| if (is_bool($hasAccess)) { | ||
| return $hasAccess; | ||
| } | ||
|
|
||
| $customLimitationValues = $this->permissionChecker->getRestrictions( | ||
| $hasAccess, | ||
| CustomLimitationValue::class | ||
| ); | ||
|
|
||
| return $customLimitationValues['value'] ?? false; | ||
| } | ||
|
|
||
| public function performAccessCheck(): void | ||
| { | ||
| $this->traitPerformAccessCheck(); | ||
| $this->denyAccessUnlessGranted(new Attribute('custom_module', 'custom_function_2')); | ||
| } | ||
| } | ||
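Review bot: `getCustomLimitationValue()` declares a `bool` return type under `strict_types=1`, but `return $customLimitationValues['value'] ?? false;` returns whatever is stored under the `value` key of the restrictions array; if a limitation ever stores that as a non-bool (for example a string or int coming from a form), the method throws a TypeError instead of returning a deny. Either cast explicitly, e.g. `return (bool) ($customLimitationValues['value'] ?? false);`, or document that `CustomLimitationValue::$value` is always a bool. The `use AuthenticatedRememberedCheckTrait { ... as public traitPerformAccessCheck; }` block also deserves a one-line comment saying why the alias is needed, since the prose in the doc hunk says back office controllers get this check by extending `Controller`; the review thread shows that readers ask exactly that question.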
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -34,23 +34,18 @@ | |||||||||
|
|
||||||||||
| ## Permissions for custom controllers | ||||||||||
|
|
||||||||||
| You can control access to a custom controller by implementing the `performAccessCheck()` method. | ||||||||||
| You can control access to a custom controller by implementing the [`RestrictedControllerInterface`](/api/php_api/php_api_reference/classes/Ibexa-Contracts-User-Controller-RestrictedControllerInterface.html) interface directly or, for back office controllers, by extending the [`\Ibexa\Contracts\AdminUi\Controller\Controller`](/api/php_api/php_api_reference/classes/Ibexa-Contracts-AdminUi-Controller-Controller.html) class. | ||||||||||
|
|
||||||||||
|
|
||||||||||
| In the following example the user doesn't have access to the controller unless they have the `section/view` policy: | ||||||||||
| In the following example the user doesn't have access to the controller unless they have the `section/view` policy and are [logged in using the "rememeber me cookie"]([[= symfony_doc =]]/security.html#checking-to-see-if-a-user-is-logged-in). | ||||||||||
| It uses the [`AuthenticatedRememberedCheckTrait`](/api/php_api/php_api_reference/classes/Ibexa-Contracts-User-Controller-AuthenticatedRememberedCheckTrait.html) for the latter check. | ||||||||||
|
|
||||||||||
|
Comment on lines
+39
to
+40
Contributor
In the description paragraph,
Suggested change
I still don't get why we need to use the trait directly when we extend the Admin UI Controller, which already uses it, so

Where you implement the RestrictedControllerInterface you don't inherit performAccessCheck; you have to implement it, and to use the trait's one, here you need the method alias to have a method of the same name and still use it.
||||||||||
|
|
||||||||||
| ``` php | ||||||||||
| use Ibexa\Core\MVC\Symfony\Security\Authorization\Attribute; | ||||||||||
|
|
||||||||||
| public function performAccessCheck(): void | ||||||||||
| { | ||||||||||
| parent::performAccessCheck(); | ||||||||||
| $this->denyAccessUnlessGranted(new Attribute('section', 'view')); | ||||||||||
| } | ||||||||||
| ``` php hl_lines="15-19" | ||||||||||
| [[= include_file('code_samples/back_office/limitation/src/Controller/CustomController.php', 0, 20) =]] | ||||||||||
| ``` | ||||||||||
|
|
||||||||||
| `Attribute` accepts three arguments: | ||||||||||
|
|
||||||||||
| - `module` is the policy module (for example,`content`) | ||||||||||
| - `module` is the policy module (for example, `content`) | ||||||||||
| - `function` is the function inside the module (for example, `read`) | ||||||||||
| - `limitations` are optional limitations to check against. Here you can provide two keys: | ||||||||||
| - `valueObject` is the object you want to check for, for example `ContentInfo`. | ||||||||||
|
|
||||||||||
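Review bot: typo in the new sentence at +39: "rememeber me cookie" should be "remember me cookie". That sentence also reads as if the remember-me cookie were a requirement for access, whereas the linked Symfony section ("checking to see if a user is logged in") and the trait name `AuthenticatedRememberedCheckTrait` suggest the check covers any logged-in user, remembered or fully authenticated; "and are logged in (including via a remember-me cookie)" would be less ambiguous. The `include_file('code_samples/back_office/limitation/src/Controller/CustomController.php', 0, 20)` with `hl_lines="15-19"` should be checked against the sample: the controller added in this PR is `CustomLimitationController`, and its `performAccessCheck()` sits at the end of the file, well past line 20, so either the path or the line range may point at the wrong spot. Finally, since the new prose says back office controllers should extend `Controller`, the text should say when the trait alias used in the sample is needed (implementing `RestrictedControllerInterface` directly) versus simply calling `parent::performAccessCheck()` as the removed example did.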
Maybe it's a front office controller and we don't want to extend that. Could it simply implement the RestrictedControllerInterface?