API Platform: Advanced Security (Voters)

Development

When developing a rest API, it often happens that you want control over which users have the access to a specific resource. The usage of user roles can cover some cases. But what if you want to restrict the access not based on a given role, but some other dependencies? Sometimes the use cases you need to cover become quite complicated, other times they are simple, but repetitive. What allows you to control the access in a clean, un-repetitive way is called voters.

Preview Image

What Is a Voter?

Citing the Symfony docs, “Voters are Symfony's most powerful way of managing permissions. They allow you to centralize all permission logic, then reuse them in many places.”

What does it mean in practice? Voters are classes that extend the Symfony voter abstract class, and you can use them in order to enable access for the endpoint in the circumstances specified by you however you need it.

What Does a Voter Look Like?

class ShopVoter extends Voter
{
  protected function supports(string $attribute, mixed $subject): bool
  {
    ...
  }
  protected function voteOnAttribute(
    string $attribute,
    $subject,
    TokenInterface $token
  ): bool {
    ...
  }
}

In the provided example, we have created a voter that will be used to control access to the “Shop” resource.

The voter implementation needs to only implement two functions: supports and voteOnAttribute.

supports

This function needs to return true or false depending if we want to use this voter in the incoming request.

The most common usage of the voters is to create a Voter for each resource, and check whether the “$subject” is of the corresponding type, and if the attribute we are voting on is handled:

public const CREATE = 'create';
public const READ = 'read';

private const SUPPORTED_ATTRIBUTES = [
  self::CREATE,
  self::READ,
];

protected function supports(string $attribute, mixed $subject): bool
{
  return
    $subject instanceof Shop &&
    in_array($attribute, self::SUPPORTED_ATTRIBUTES)
  ;
}

Of course this logic can be modified to match your needs.

voteOnAttribute

Function voteOnAttribute is responsible for finding out if we want to enable access to the given resource based on the attribute, the subject and a $token implementing Symfony’s TokenInterface that is given to us based on the configured authentication.

protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
  /** @var User|null|string $user */
  $user = $token->getUser();
  if (!$user instanceof User) {
    return false;
  }
  switch ($attribute) {
    case self::CREATE:
      return $this->authorizationChecker->isGranted('ROLE_ADMIN');
    case self::READ:
      return $this->shopService->isUserAShopManager($user, $subject);
  }
  return false;
}

What’s really handy is that you can use dependency injection in order to use other services inside of your voter as shown above! In the default configuration, it’s enough to just add the required services to the voter’s “__construct” method.

How to Use the Custom Voter in API Platform?

The only thing you need to do is to add a “security” to your endpoint definition. You can use Is_granted by providing the “attribute” as the first argument, and the resource object as the second argument:

App\Entity\Shop:
  itemOperations:
    get:
      security: is_granted('read', object)
    post:
      security: is_granted('create', object)

API Platform

What Is a Voter

How to Use the Custom Voter in API Platform

How to Use the Custom Voter

Łu
Portrait of Łukasz Traczyk, back-end developer, a professional with a casual and approachable demeanor, wearing a light blue henley shirt. His relaxed, confident smile and neatly groomed beard convey a sense of friendliness and expertise, suitable for an author or staff profile photo.
Back-end Developer
Łukasz Traczyk

We have managed to extend software engineering
capabilities of 70+ companies

ABInBev logo
Preasidiad logo
ServicePlan logo
Tigers logo
Dood logo
Beer Hawk logo
Cobiro logo
LaSante logo
Platforma Opon logo
LiteGrav logo
Saveur Biere logo
Sweetco logo
Unicornly logo

...and we have been recognized as a valuable tech partner that can flexibly increase
4.8
...and we have been repeatedly awarded for our efforts over the years