fix(graphql): security after resolver (#6444)

soyuka · web-flow · commit 25c5f222dbe2 · 2024-07-01T15:14:14.000+02:00
fixes #6427
diff --git a/features/graphql/query.feature b/features/graphql/query.feature
@@ -664,3 +664,16 @@ Feature: GraphQL query support
     And the header "Content-Type" should be equal to "application/json"
     And the JSON node "data.dummyDifferentGraphQlSerializationGroup.name" should be equal to "Name #1"
     And the JSON node "data.dummyDifferentGraphQlSerializationGroup.title" should be equal to "Title #1"
+
+  Scenario: Call security after resolver
+    When I send the following GraphQL request:
+    """
+    {
+      getSecurityAfterResolver(id: "/security_after_resolvers/1") {
+        name
+      }
+    }
+    """
+    Then the response status code should be 200
+    And the header "Content-Type" should be equal to "application/json"
+    And the JSON node "data.getSecurityAfterResolver.name" should be equal to "test"
diff --git a/src/Metadata/GraphQl/Operation.php b/src/Metadata/GraphQl/Operation.php
@@ -41,6 +41,8 @@ public function __construct(
         protected ?array $extraArgs = null,
         protected ?array $links = null,
         protected ?bool $validateAfterResolver = null,
+        protected ?string $securityAfterResolver = null,
+        protected ?string $securityMessageAfterResolver = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -209,4 +211,30 @@ public function withValidateAfterResolver(bool $validateAfterResolver = true): s
 
         return $self;
     }
+
+    public function getSecurityAfterResolver(): ?string
+    {
+        return $this->securityAfterResolver;
+    }
+
+    public function withSecurityAfterResolver(string $securityAfterResolver): self
+    {
+        $self = clone $this;
+        $self->securityAfterResolver = $securityAfterResolver;
+
+        return $self;
+    }
+
+    public function getSecurityMessageAfterResolver(): ?string
+    {
+        return $this->securityMessageAfterResolver;
+    }
+
+    public function withSecurityMessageAfterResolver(string $securityMessageAfterResolver): self
+    {
+        $self = clone $this;
+        $self->securityMessageAfterResolver = $securityMessageAfterResolver;
+
+        return $self;
+    }
 }
diff --git a/src/Metadata/GraphQl/Query.php b/src/Metadata/GraphQl/Query.php
@@ -24,6 +24,8 @@ public function __construct(
         ?array $args = null,
         ?array $extraArgs = null,
         ?array $links = null,
+        ?string $securityAfterResolver = null,
+        ?string $securityMessageAfterResolver = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -79,6 +81,8 @@ public function __construct(
             args: $args,
             extraArgs: $extraArgs,
             links: $links,
+            securityAfterResolver: $securityAfterResolver,
+            securityMessageAfterResolver: $securityMessageAfterResolver,
             shortName: $shortName,
             class: $class,
             paginationEnabled: $paginationEnabled,
diff --git a/src/Metadata/GraphQl/QueryCollection.php b/src/Metadata/GraphQl/QueryCollection.php
@@ -25,6 +25,8 @@ public function __construct(
         ?array $args = null,
         ?array $extraArgs = null,
         ?array $links = null,
+        ?string $securityAfterResolver = null,
+        ?string $securityMessageAfterResolver = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -80,6 +82,8 @@ public function __construct(
             args: $args,
             extraArgs: $extraArgs,
             links: $links,
+            securityAfterResolver: $securityAfterResolver,
+            securityMessageAfterResolver: $securityMessageAfterResolver,
             shortName: $shortName,
             class: $class,
             paginationEnabled: $paginationEnabled,
diff --git a/src/Metadata/GraphQl/Subscription.php b/src/Metadata/GraphQl/Subscription.php
@@ -24,6 +24,8 @@ public function __construct(
         ?array $args = null,
         ?array $extraArgs = null,
         ?array $links = null,
+        ?string $securityAfterResolver = null,
+        ?string $securityMessageAfterResolver = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -77,6 +79,8 @@ public function __construct(
             args: $args,
             extraArgs: $extraArgs,
             links: $links,
+            securityAfterResolver: $securityAfterResolver,
+            securityMessageAfterResolver: $securityMessageAfterResolver,
             shortName: $shortName,
             class: $class,
             paginationEnabled: $paginationEnabled,
diff --git a/src/Symfony/Bundle/Resources/config/graphql/security.xml b/src/Symfony/Bundle/Resources/config/graphql/security.xml
@@ -19,5 +19,11 @@
             <argument type="service" id="api_platform.security.resource_access_checker" />
             <argument>post_validate</argument>
         </service>
+
+        <service id="api_platform.graphql.state_provider.access_checker.after_resolver" class="ApiPlatform\Symfony\Security\State\AccessCheckerProvider" decorates="api_platform.graphql.state_provider" decoration-priority="170">
+            <argument type="service" id="api_platform.graphql.state_provider.access_checker.after_resolver.inner" />
+            <argument type="service" id="api_platform.security.resource_access_checker" />
+            <argument>after_resolver</argument>
+        </service>
     </services>
 </container>
diff --git a/src/Symfony/Security/State/AccessCheckerProvider.php b/src/Symfony/Security/State/AccessCheckerProvider.php
@@ -13,6 +13,7 @@
 
 namespace ApiPlatform\Symfony\Security\State;
 
+use ApiPlatform\Exception\RuntimeException;
 use ApiPlatform\Metadata\GraphQl\Operation as GraphQlOperation;
 use ApiPlatform\Metadata\GraphQl\QueryCollection;
 use ApiPlatform\Metadata\HttpOperation;
@@ -45,6 +46,14 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
                 $isGranted = $operation->getSecurityPostValidation();
                 $message = $operation->getSecurityPostValidationMessage();
                 break;
+            case 'after_resolver':
+                if (!$operation instanceof GraphQlOperation) {
+                    throw new RuntimeException('Not a graphql operation');
+                }
+
+                $isGranted = $operation->getSecurityAfterResolver();
+                $message = $operation->getSecurityMessageAfterResolver();
+                // no break
             default:
                 $isGranted = $operation->getSecurity();
                 $message = $operation->getSecurityMessage();
diff --git a/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolver.php b/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolver.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6427;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GraphQl\Query;
+
+#[ApiResource(
+    provider: [self::class, 'provide'],
+    graphQlOperations: [
+        new Query(
+            resolver: 'app.graphql.query_resolver.security_after_resolver',
+            securityAfterResolver: "object.name == 'test'",
+            name: 'get'
+        ),
+    ]
+)]
+class SecurityAfterResolver
+{
+    public function __construct(public ?string $id, public ?string $name)
+    {
+    }
+
+    public static function provide()
+    {
+        return new self('1', '1');
+    }
+}
diff --git a/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php b/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php
@@ -0,0 +1,28 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6427;
+
+use ApiPlatform\GraphQl\Resolver\QueryItemResolverInterface;
+
+final class SecurityAfterResolverResolver implements QueryItemResolverInterface
+{
+    /**
+     * @param object|null $item
+     * @param mixed[]     $context
+     */
+    public function __invoke($item, array $context): SecurityAfterResolver
+    {
+        return new SecurityAfterResolver('1', 'test');
+    }
+}
diff --git a/tests/Fixtures/app/config/config_common.yml b/tests/Fixtures/app/config/config_common.yml
@@ -464,3 +464,8 @@ services:
         class: 'ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6354\CreateActivityLogResolver'
         tags:
             - name: 'api_platform.graphql.resolver'
+
+    app.graphql.query_resolver.security_after_resolver:
+        class: 'ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6427\SecurityAfterResolverResolver'
+        tags:
+            - name: 'api_platform.graphql.resolver'
