Merge commit from fork
Co-authored-by: Vincent Amstoutz <[email protected]>
soyuka and vinceAmstoutz authored Jan 17, 2025
1 parent 9eb5c4e commit dc4fc84
Showing 3 changed files with 25 additions and 1 deletion.
17 changes: 17 additions & 0 deletions features/graphql/query.feature
Expand Up @@ -677,3 +677,20 @@ Feature: GraphQL query support
Then the response status code should be 200
And the header "Content-Type" should be equal to "application/json"
And the JSON node "data.getSecurityAfterResolver.name" should be equal to "test"


Scenario: Call security after resolver with 403 error (ensure /2 does not match securityAfterResolver)
When I send the following GraphQL request:
""""
{
getSecurityAfterResolver(id: "/security_after_resolvers/2") {
name
}
}
"""
Then the response status code should be 200
And the response should be in JSON
And the header "Content-Type" should be equal to "application/json"
And the JSON node "errors[0].extensions.status" should be equal to 403
And the JSON node "errors[0].message" should be equal to "Access Denied."
And the JSON node "data.getSecurityAfterResolver.name" should not exist
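Review bot: The docstring that opens the GraphQL request in the new scenario starts with four quotes (`""""`) but closes with three (`"""`); Gherkin docstrings are delimited by three, so drop the extra quote to keep the request body exactly what is intended. The scenario title "ensure /2 does not match securityAfterResolver" is also ambiguous: it reads like a routing statement, while the steps assert an authorization denial (`errors[0].extensions.status` equal to 403, "Access Denied.", and no `name` node), so a title saying that access is denied when the after-resolver security expression fails would describe the regression more clearly.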
2 changes: 1 addition & 1 deletion src/Symfony/Security/State/AccessCheckerProvider.php
Expand Up @@ -53,7 +53,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c

$isGranted = $operation->getSecurityAfterResolver();
$message = $operation->getSecurityMessageAfterResolver();
// no break
break;
default:
$isGranted = $operation->getSecurity();
$message = $operation->getSecurityMessage();
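Review bot: The `break;` added after the `getSecurityMessageAfterResolver()` assignment is covered in this commit only by the Behat GraphQL scenario; a unit test on `provide()` that asserts the after-resolver expression and message are the ones actually evaluated would pin the fix at the level where the bug lived. With the previous `// no break`, both `$isGranted` and `$message` set in this case were immediately overwritten by `getSecurity()` and `getSecurityMessage()` in `default`, so the after-resolver rule was silently replaced. The cases above this one are not visible in the hunk; it is worth confirming that none of them relies on the same fall-through into `default`.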
Expand Up @@ -23,6 +23,13 @@ final class SecurityAfterResolverResolver implements QueryItemResolverInterface
*/
public function __invoke($item, array $context): SecurityAfterResolver
{
$idUrl = $context['args']['id'];

if (str_contains($idUrl, '2')) {
// Unknown to simulate a 403 error
return new SecurityAfterResolver('2', 'nonexistent');
}

return new SecurityAfterResolver('1', 'test');
}
}
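Review bot: The fixture check `str_contains($idUrl, '2')` matches any id that contains the digit 2 anywhere (for example ids ending in 12 or 20), not only `/security_after_resolvers/2`, so a later scenario using such an id would unexpectedly get the denied object. Compare against the exact IRI or use `str_ends_with($idUrl, '/2')`. `$context['args']['id']` is also read without checking that the key exists, and the comment "Unknown to simulate a 403 error" does not say why the object is denied; stating that the `'nonexistent'` name is what makes the after-resolver security expression fail would make the fixture self-explanatory.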
