Closed
Symfony version(s) affected
6.3
Description
After playing a bit with this new feature, I noticed that the payload is getting mapped/validated before ensuring that the user is actually allowed to access the resource.
This seems odd to me and I'd like to know your opinion about that.
How to reproduce
- create a route and its payload.
- use the `#[MapRequestPayload]` attribute on the payload argument (in the controller)
- secure the route using the `#[IsGranted]` attribute
- access the route by posting some data (voluntarily malformed data) but without being logged-in
- see the error message related to the malformed data (and not because the user is not logged-in)
Possible Solution
A few years ago, I created a bundle to achieve the same thing that this feature is offering, and I encountered the same problem.
I played around with the "priority" option but without luck. So my only solution was to create a listener on the ControllerArgumentsEvent instead of using an ArgumentResolver. That way, the `#[IsGranted]` attribute would always be fired before my listener. No clue if I did things right at the time, but that's what worked for me.
Additional Context
No response
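The workaround described in the report, written out as an added example (it is not code from the issue or from Symfony itself). Argument resolvers run before the `ControllerArgumentsEvent` is dispatched, and `IsGrantedAttributeListener` subscribes to that event, so anything done in a resolver happens before the access check. Moving the mapping into a subscriber on the same event with a lower priority reverses the order. The `DeferredPayload` attribute, the `App\Security` namespace and the DTO class are hypothetical; the priority 20 assumed for `IsGrantedAttributeListener` should be confirmed with `bin/console debug:event-dispatcher kernel.controller_arguments` on the installed version.

```php
<?php
// Added example, not code from the issue above or from Symfony itself.
// Maps and validates the payload in a kernel.controller_arguments listener
// that runs after the security attribute listener, so an anonymous client
// gets the access error, never a validation error for its malformed body.

namespace App\Security;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Serializer\Exception\ExceptionInterface as SerializerException;
use Symfony\Component\Serializer\SerializerInterface;
use Symfony\Component\Validator\Validator\ValidatorInterface;

// Hypothetical marker attribute (would live in its own file). The built-in
// #[MapRequestPayload] cannot be reused: its resolver would still run, and
// fail on bad input, before the security listener.
#[\Attribute(\Attribute::TARGET_PARAMETER)]
final class DeferredPayload
{
}

final class DeferredPayloadSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly SerializerInterface $serializer,
        private readonly ValidatorInterface $validator,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Assumption: IsGrantedAttributeListener uses priority 20 on this event.
        // Priority 0 therefore runs after the access decision has been made.
        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onControllerArguments', 0]];
    }

    public function onControllerArguments(ControllerArgumentsEvent $event): void
    {
        // Closure::fromCallable normalises [$service, 'action'], invokable
        // controllers and closures into one callable we can reflect on.
        $reflector = new \ReflectionFunction(\Closure::fromCallable($event->getController()));
        $arguments = $event->getArguments(); // positional, same order as the parameters
        $request = $event->getRequest();

        foreach ($reflector->getParameters() as $index => $parameter) {
            if ([] === $parameter->getAttributes(DeferredPayload::class)) {
                continue;
            }

            $type = $parameter->getType();
            if (!$type instanceof \ReflectionNamedType || $type->isBuiltin()) {
                throw new \LogicException(sprintf('#[DeferredPayload] on $%s needs a class type.', $parameter->getName()));
            }

            try {
                $dto = $this->serializer->deserialize($request->getContent(), $type->getName(), 'json');
            } catch (SerializerException $e) {
                // Only reached for authorised callers, since security ran first.
                throw new BadRequestHttpException('Malformed request payload.', $e);
            }

            $violations = $this->validator->validate($dto);
            if (\count($violations) > 0) {
                throw new HttpException(422, (string) $violations);
            }

            $arguments[$index] = $dto;
        }

        $event->setArguments($arguments);
    }
}
```

In the controller the argument is declared as `#[DeferredPayload] ?CreatePostInput $input = null` on an action carrying `#[IsGranted('ROLE_USER')]` (hypothetical names). The `null` default lets the standard argument resolution succeed without touching the body, and the subscriber replaces it with the validated object only after the security listener has allowed the request through; a client that is not logged in never reaches deserialization at all, which is the ordering the report asks for.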
Labels
Issues and PRs which are looking for volunteers to complete them.