Closed
Symfony version(s) affected
6.3
Description
After playing a bit with this new feature, I noticed that the payload is getting mapped/validated before ensuring that the user is actually allowed to access the resource.
This seems odd to me and I'd like to know your opinion about that.
How to reproduce
- create a route and its payload.
- use the `#[MapRequestPayload]` attribute on the payload argument (in the controller)
- secure the route using the `#[IsGranted]` attribute
- access the route by posting some data (voluntarily malformed data) but without being logged in
- see the error message related to the malformed data (and not because the user is not logged in)
Possible Solution
A few years ago, I created a bundle to achieve the same thing that this feature is offering, and I encountered the same problem.
I played around with the "priority" option but without luck. So my only solution was to create a listener on the ControllerArgumentsEvent instead of using an ArgumentResolver. That way, the `#[IsGranted]` attribute would always be fired before my listener. No clue if I did things right at the time, but that's what worked for me.
Additional Context
No response
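The listener-based workaround the reporter describes, written out as an added example (not code from the issue and not Symfony's own code): payload mapping moves into a `kernel.controller_arguments` subscriber with a low priority, so the `#[IsGranted]` listener, which subscribes to the same event, has already rejected an unauthenticated request before any untrusted body is deserialized or validated. The `#[MapPayload]` marker attribute and the `-10` priority are assumed names/values.

```php
<?php
// Added example, not from the issue or from Symfony. Authorization runs first on this
// event; only then is the body parsed. #[MapPayload] and the priority -10 are assumed.
namespace App\EventSubscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Serializer\Exception\ExceptionInterface as SerializerException;
use Symfony\Component\Serializer\SerializerInterface;
use Symfony\Component\Validator\Validator\ValidatorInterface;
#[\Attribute(\Attribute::TARGET_PARAMETER)]
final class MapPayload {} // hypothetical marker for the controller argument to fill
final class MapPayloadSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly SerializerInterface $serializer,
        private readonly ValidatorInterface $validator,
    ) {}
    public static function getSubscribedEvents(): array
    {
        // Low (assumed) priority: the security attribute listener on this event runs earlier.
        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onControllerArguments', -10]];
    }
    public function onControllerArguments(ControllerArgumentsEvent $event): void
    {
        $request = $event->getRequest();
        $arguments = $event->getArguments();
        $reflection = new \ReflectionFunction(\Closure::fromCallable($event->getController()));
        foreach ($reflection->getParameters() as $index => $parameter) {
            $type = $parameter->getType();
            if ([] === $parameter->getAttributes(MapPayload::class)
                || !$type instanceof \ReflectionNamedType || $type->isBuiltin()) {
                continue;
            }
            try { // reached only for requests that passed authorization
                $object = $this->serializer->deserialize($request->getContent(),
                    $type->getName(), $request->getContentTypeFormat() ?? 'json');
            } catch (SerializerException $e) {
                throw new BadRequestHttpException('Malformed request body.', $e);
            }
            $violations = $this->validator->validate($object);
            if (\count($violations) > 0) {
                throw new UnprocessableEntityHttpException((string) $violations);
            }
            $arguments[$index] = $object;
        }
        $event->setArguments($arguments);
    }
}
```

With this ordering an anonymous POST of malformed data receives the access-denied response rather than a validation error, so the endpoint no longer acts as a schema oracle for unauthenticated clients.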