In API Platform, I have all the endpoints secured with JWT but I would like to have the POST User public so users can register themselves.
How can I do this at entity level?
#[ORMEntity(repositoryClass: UserRepository::class)]
#[ApiResource(
collectionOperations: [
'get',
"post" => ["security" => "is_granted('PUBLIC_ACCESS')"], //this does not work
],
itemOperations: [
'get'
],
)]
class User implements UserInterface, PasswordAuthenticatedUserInterface
{
if I implement this in security.yaml as usual in Symfony it works
access_control:
- { path: ^/docs, roles: PUBLIC_ACCESS } # Allows accessing the Swagger UI
- { path: ^/authentication_token, roles: PUBLIC_ACCESS }
- { path: ^/users, roles: PUBLIC_ACCESS, methods: POST }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
I just would like to know if I can do it at entity level with annotations.
Advertisement
Answer
The Api-Platform security rules are processed after Symfony’s Security access rules.
So if Symfony’s access rules are stricter than Api-Platform’s rules, those apply and the request will be denied.
If if were the other way around (security.access_rules declared the endpoint “open”, but on your resource configuration you declared a more stringent is_granted() configuration), it would work, since then request would go past the Symfony firewall and reach the Api-Platform access listener.
For you to be able to configure security with attributes/annotations, then the security configuration needs to be more restrictive than the one on the Symfony firewall.
E.g. set / to PUBLIC_ACCESS, and then configure security with the corresponding is_granted() on each resource.