Security of subresources

Time: 2019-08-12 18:46:38

Tags: api-platform.com

I have a Person entity that has an address. In my system, an address can be bound either to a person or to an organization. To achieve this I implemented discriminators in Doctrine.

Address:


<?php

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;

/**
 * Base class of the single-table hierarchy. The discriminator column
 * records which owner type a row belongs to; only "person" is mapped here.
 *
 * @ORM\Entity(repositoryClass="App\Repository\AddressRepository")
 * @ORM\InheritanceType("SINGLE_TABLE")
 * @ORM\DiscriminatorColumn(name="address_owner_type", type="string")
 * @ORM\DiscriminatorMap({"person" = "PersonAddress"})
 */
abstract class Address implements EntityInterface {
  // Contents trimmed for simplicity.
}

And the subclass that is attached to a Person:

<?php

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Constraint;

/**
 * @ORM\Entity(repositoryClass="App\Repository\AddressRepository")
 * Class PersonAddress
 * @package App\Entity
 */
class PersonAddress extends Address
{

    /**
     * Owning side of the one-to-one with Person: this table carries the
     * foreign key, and the address row is removed together with its person.
     *
     * @ORM\OneToOne(targetEntity="App\Entity\Person", inversedBy="address")
     * @ORM\JoinColumn(nullable=false, onDelete="CASCADE")
     * @Constraint\NotBlank
     */
    private $person;

    public function getPerson(): ?Person
    {
        return $this->person;
    }

    public function setPerson(Person $person): self
    {
        $this->person = $person;

        return $this;
    }

}

Person:


<?php

namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity(repositoryClass="App\Repository\PersonRepository")
 * @see PersonVoter
 *   Includes access control logic for this entity.
 *
 * @ApiResource
 * @see api/config/api_platform/resources/person.yaml
 *   Defines Api-platform exposure.
 */
class Person implements EntityInterface
{
    // Contents trimmed for simplicity.

    /**
     * Inverse side of the one-to-one. PersonAddress::$person declares
     * inversedBy="address" and owns the join column, so this side is
     * mappedBy and must not declare a join column of its own (a second
     * owning side is rejected by Doctrine's schema validation).
     *
     * @ORM\OneToOne(targetEntity="App\Entity\PersonAddress", mappedBy="person", cascade={"persist", "remove"})
     */
    private $address;

    /**
     * @return PersonAddress|null
     */
    public function getAddress(): ?PersonAddress
    {
        return $this->address;
    }

    /**
     * @param PersonAddress|null $address
     *   The address to set.  If NULL, unsets the current address.
     *
     * @return self
     *   Returns the current instance.
     */
    public function setAddress(PersonAddress $address = null): self
    {
        if (null === $address) {
            $this->address = null;

            return $this;
        }
        $this->address = $address;

        // Set the owning side of the relation if necessary.
        if ($this !== $address->getPerson()) {
            $address->setPerson($this);
        }

        return $this;
    }

}

How would I implement the following security logic in API Platform?

"If the currently authenticated user is an admin, or is the person assigned to the address, they may update the address through a PUT request. They can do so either at the PUT endpoint /person/{id}/address (id = person id) or at the PUT endpoint /person_address/{id} (id = person address id)."

I'm looking for ideas here. The existing authentication mechanism is JWT-based and works fine. However, I'm having a lot of trouble preventing unauthorized users from modifying resources.
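One way to express the rule quoted above, as an added example that is not code from the original post: put the "admin or assigned person" decision in a single Symfony voter and let API Platform call it from the operation-level `security` expression on each route, instead of repeating the check per controller. It assumes (not shown in the question) that the authenticated user object returned by the JWT authenticator exposes the Person it belongs to through a hypothetical `getPerson(): ?Person` method; the voter class name, the attribute name `ADDRESS_EDIT` and the YAML file name are likewise assumptions. Note that in API Platform 2.x a subresource declared with `@ApiSubresource` only answers GET, so a writable `/person/{id}/address` has to be a custom operation on Person; whatever controller serves it should resolve the PersonAddress and call `is_granted('ADDRESS_EDIT', $address)` on it rather than re-implement the rule.

```php
<?php
// Added example for the question above; it is not code from the original post.
// A voter that decides whether the current user may edit a PersonAddress,
// plus the API Platform operation config that invokes it.
// Assumption: the JWT user object exposes its Person via getPerson(): ?Person.

namespace App\Security;

use App\Entity\PersonAddress;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class PersonAddressVoter extends Voter
{
    public const EDIT = 'ADDRESS_EDIT';

    /** @var AccessDecisionManagerInterface */
    private $decisionManager;

    // Injected so the admin check honours role_hierarchy from security.yaml;
    // a plain in_array('ROLE_ADMIN', $user->getRoles()) would ignore it.
    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        $this->decisionManager = $decisionManager;
    }

    protected function supports($attribute, $subject): bool
    {
        // Abstain on anything else. With no voter granting access, the
        // default "affirmative" strategy denies, which is the safe outcome.
        return self::EDIT === $attribute && $subject instanceof PersonAddress;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // anonymous or no token: deny
        }

        if ($this->decisionManager->decide($token, ['ROLE_ADMIN'])) {
            return true;
        }

        // Assumption (not in the original post): the user class knows its Person.
        if (!method_exists($user, 'getPerson')) {
            return false;
        }
        $me = $user->getPerson();

        /** @var PersonAddress $subject */
        $owner = $subject->getPerson();

        // Within one Doctrine EntityManager the identity map returns the same
        // Person instance for the same id, so an identity comparison is exact.
        return null !== $me && null !== $owner && $owner === $me;
    }
}

/*
Operation config that runs the voter for PUT /person_address/{id}. The
"resources" layout is the API Platform 2.x YAML mapping; the attribute is
named "security" from API Platform 2.5 and "access_control" in earlier 2.x.

# api/config/api_platform/resources/person_address.yaml (assumed path)
resources:
    App\Entity\PersonAddress:
        itemOperations:
            get: ~
            put:
                security: "is_granted('ADDRESS_EDIT', object)"
*/
```

Symfony autoconfigures any class extending `Voter` as a voter, so no extra service wiring is needed. After wiring it up, exercise the PUT route three times, as the assigned person, as an unrelated person (expect 403) and as an admin, since the point at which the expression is evaluated relative to denormalization of the request body differs between 2.x releases and is worth confirming on your version.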

0 answers:

No answers