phpsymfonybasic-authenticationezpublish

EzPublish users : how to use ezPublish access control in front standard symfony controller


I'm using ezPublish 5.3 only for its administration side. What I want to do is to manage users / user groups / roles in this back-office and control their access to a FOSRestBundle designed API.

Here is my security.yml :

security:
    providers:
        ezpublish:
            id: ezpublish.security.user_provider

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        my_api:
            pattern: ^/api/v[0-9]+
            stateless: true
            ezpublish_http_basic:
                realm: eZ Publish REST API

        ezpublish_front:
            pattern: ^/
            anonymous: ~
            ezpublish_rest_session: ~
            form_login:
                require_previous_session: false
            logout: ~

        default:
            anonymous: ~

And here is what I want to do in my controller :

<?php
namespace Acme\AppBundle\Controller;

use FOS\RestBundle\Controller\FOSRestController;

class ItemsController extends FOSRestController
{
    public function postItemsAction(Request $request)
    {
        if (!$this->get('security.authorization_checker')->isGranted('EZ_CUSTOM_ROLE')) {
            throw new \Exception('No Auth');
        }

        //... do something
     }
}

I got this response :

{
  "code": 0,
  "message": "User 'USER_LOGIN' doesn't have user/login permission to SiteAccess 'site'"
}

How can I achieve that ? How can I retrieve the user role ?

In the profiler I can see that when I do a standard POST with basic auth to this action, the user is connected with the default Symfony role ROLE_USER.


Solution

  • Here is my solution :

    <?php
    namespace Acme\AppBundle\Controller;
    
    use FOS\RestBundle\Controller\FOSRestController;
    use eZ\Publish\API\Repository\Values\User\RoleAssignment;
    use eZ\Publish\API\Repository\Values\User\User;
    
    class ItemsController extends FOSRestController
    {
        public function postItemsAction(Request $request)
        {
            if (!$this->isUserRoleGranted()) {
                throw new \Exception('No Auth');
            }
    
            //... do something
         }
    
        private function isUserRoleGranted()
        {
            $user = $this->getCurrentUser();
    
            if ($user instanceof User) {
                $roleService = $this->get('ezpublish.api.repository')->getRoleService();
                $roles       = $roleService->getRoleAssignmentsForUser($user, true);
    
                if (is_array($roles) && !empty($roles)) {
                    foreach ($roles as $role) {
                        if ($role instanceof RoleAssignment) {
                            $roleIdentifier = $role->getRole()->__get('identifier');
    
                            if (is_string($roleIdentifier) && $roleIdentifier === 'EZ_CUSTOM_ROLE') {
                                return true;
                            }
                        }
                    }
                }
            }
    
            return false;
        }
    
        private function getCurrentUser()
        {
            return $this->get('ezpublish.api.repository')->getUserService()->loadUser(
                $this->get('ezpublish.api.repository')->getPermissionResolver()->getCurrentUserReference()->getUserId()
            );
        }
    }