We need to add several checks on the API to protect some specific endpoints.
Users must not be able to see another user's personal information; we must add a voter that checks who the current user trying to access the resource is (if a token is provided) and whether they are actually allowed to see it.
Four steps:
- Split the Account entity into "Profile" and "Account". Account should contain only private data, and Profile any information that can be displayed on the user's profile page.
- Create a voter (declared as a service) to check whether the user is allowed to see the "Account" entity: https://symfony.com/doc/current/security/voters.html
- Use the event system https://api-platform.com/docs/core/events to check whether the user can actually see the "Account" entity. The decision is delegated to the voter, which you will need to inject as a service together with the "token storage" one (it holds the potentially authenticated user) via dependency injection; return a 403 if the voter returned false.
- Testing (Behat or unit tests; I believe Behat should be faster to write)
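Steps 2 and 3 above, worked through as an added example; this is illustration code, not the project's own. It assumes Symfony 4.3 or later with autoconfigure (so the voter is tagged `security.voter` and the subscriber registered automatically), API Platform 2.x (where `EventPriorities` lives in `ApiPlatform\Core\EventListener`), and an `Account` entity that implements `UserInterface` and exposes `getId()`. The class names `App\Entity\Account`, `AccountVoter`, `AccountAccessSubscriber` and the attribute `ACCOUNT_VIEW` are assumptions. Instead of injecting the voter and the token storage by hand, the subscriber injects `AuthorizationCheckerInterface`, which reads the current token from the token storage and dispatches to every registered voter, so the voter below is reached through `isGranted()`.

```php
<?php
// Added example (not the project's code). Both classes are shown in one file
// for readability; in a real project each would live in its own file.
// Assumed: Symfony >= 4.3, API Platform 2.x, App\Entity\Account implements
// UserInterface and has getId().

namespace App\Security;

use ApiPlatform\Core\EventListener\EventPriorities;
use App\Entity\Account;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

// Step 2: the voter. With autoconfigure it is registered as a service and
// tagged "security.voter" without any extra configuration.
final class AccountVoter extends Voter
{
    public const VIEW = 'ACCOUNT_VIEW'; // hypothetical attribute name

    // Vote only on ACCOUNT_VIEW for Account objects; abstain on anything else
    // so other voters (e.g. for Profile) are unaffected.
    protected function supports($attribute, $subject): bool
    {
        return self::VIEW === $attribute && $subject instanceof Account;
    }

    // Grant only when the authenticated user is the requested account.
    // Without a token, or with an anonymous one, getUser() is null or a
    // string, so the instanceof check fails closed (deny).
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface || !$user instanceof Account) {
            return false;
        }

        /** @var Account $subject */
        return $subject->getId() === $user->getId();
    }
}

// Step 3: the API Platform event subscriber that turns a negative vote into
// a 403 before the entity is serialized.
final class AccountAccessSubscriber implements EventSubscriberInterface
{
    private $authorizationChecker;

    public function __construct(AuthorizationCheckerInterface $authorizationChecker)
    {
        $this->authorizationChecker = $authorizationChecker;
    }

    public static function getSubscribedEvents(): array
    {
        // POST_READ: API Platform's ReadListener has already loaded the entity
        // into the request's "data" attribute, but nothing has been serialized.
        return [KernelEvents::REQUEST => ['denyForeignAccount', EventPriorities::POST_READ]];
    }

    public function denyForeignAccount(RequestEvent $event): void
    {
        $request = $event->getRequest();
        $account = $request->attributes->get('data');

        // Only item GET operations on Account are covered here. Collection
        // operations put a paginator in "data", so they need a separate filter.
        if (!$account instanceof Account || !$request->isMethod('GET')) {
            return;
        }

        // isGranted() resolves the current token from the token storage and
        // asks the voters; AccessDeniedHttpException maps to HTTP 403.
        if (!$this->authorizationChecker->isGranted(AccountVoter::VIEW, $account)) {
            throw new AccessDeniedHttpException('You are not allowed to see this account.');
        }
    }
}
```

Two points worth checking when wiring this in: the default access decision strategy is "affirmative", so any other voter that grants `ACCOUNT_VIEW` would override this one, and `GET /accounts` (the collection) is not protected by this subscriber, so the collection operation either needs its own extension that restricts the query to the current user or should be disabled for non-admins. A Behat scenario requesting another user's account with a valid token and expecting a 403 is the quickest regression test for step 4.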