src/Controller/EntityResource.php | 20 ++++++++++---------- src/Exception/EntityAccessDeniedHttpException.php | 6 +----- .../EntityAccessDeniedHttpExceptionNormalizer.php | 10 ---------- src/Normalizer/JsonApiDocumentTopLevelNormalizer.php | 2 +- 4 files changed, 12 insertions(+), 26 deletions(-) diff --git a/src/Controller/EntityResource.php b/src/Controller/EntityResource.php index 4b24048..5182add 100644 --- a/src/Controller/EntityResource.php +++ b/src/Controller/EntityResource.php @@ -135,7 +135,7 @@ class EntityResource { public function getIndividual(EntityInterface $entity, Request $request, $response_code = 200) { $entity_access = $entity->access('view', NULL, TRUE); if (!$entity_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($entity, $entity_access, '/data', 'The current user is not allowed to GET the selected resource.'); + throw new EntityAccessDeniedHttpException($entity_access, '/data', 'The current user is not allowed to GET the selected resource.'); } $response = $this->buildWrappedResponse($entity, $response_code); return $response; @@ -194,7 +194,7 @@ class EntityResource { $entity_access = $entity->access('create', NULL, TRUE); if (!$entity_access->isAllowed()) { - throw new EntityAccessDeniedHttpException(NULL, $entity_access, '/data', 'The current user is not allowed to POST the selected resource.'); + throw new EntityAccessDeniedHttpException($entity_access, '/data', 'The current user is not allowed to POST the selected resource.'); } $this->validate($entity); @@ -242,7 +242,7 @@ class EntityResource { public function patchIndividual(EntityInterface $entity, EntityInterface $parsed_entity, Request $request) { $entity_access = $entity->access('update', NULL, TRUE); if (!$entity_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($entity, $entity_access, '/data', 'The current user is not allowed to PATCH the selected resource.'); + throw new EntityAccessDeniedHttpException($entity_access, '/data', 'The current user is not allowed to PATCH the selected resource.'); } $body = Json::decode($request->getContent()); $data = $body['data']; @@ -282,7 +282,7 @@ class EntityResource { public function deleteIndividual(EntityInterface $entity, Request $request) { $entity_access = $entity->access('delete', NULL, TRUE); if (!$entity_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($entity, $entity_access, '/data', 'The current user is not allowed to DELETE the selected resource.'); + throw new EntityAccessDeniedHttpException($entity_access, '/data', 'The current user is not allowed to DELETE the selected resource.'); } $entity->delete(); return new ResourceResponse(NULL, 204); @@ -520,7 +520,7 @@ class EntityResource { $field_access = $field_list->access('edit', NULL, TRUE); if (!$field_access->isAllowed()) { $field_name = $field_list->getName(); - throw new EntityAccessDeniedHttpException($entity, $field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); + throw new EntityAccessDeniedHttpException($field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); } // Time to save the relationship. foreach ($parsed_field_list as $field_item) { @@ -599,7 +599,7 @@ class EntityResource { $field_name = $parsed_field_list->getName(); $field_access = $parsed_field_list->access('edit', NULL, TRUE); if (!$field_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($entity, $field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); + throw new EntityAccessDeniedHttpException($field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); } $entity->{$field_name} = $parsed_field_list; } @@ -636,7 +636,7 @@ class EntityResource { $field_name = $parsed_field_list->getName(); $field_access = $parsed_field_list->access('edit', NULL, TRUE); if (!$field_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($entity, $field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); + throw new EntityAccessDeniedHttpException($field_access, '/data/relationships/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); } /* @var \Drupal\Core\Field\EntityReferenceFieldItemListInterface $field_list */ $field_list = $entity->{$related_field}; @@ -792,7 +792,7 @@ class EntityResource { $entity_access = $entity->access('update', NULL, TRUE); if (!$entity_access->isAllowed()) { // @todo Is this really the right path? - throw new EntityAccessDeniedHttpException($entity, $entity_access, $related_field, 'The current user is not allowed to update the selected resource.'); + throw new EntityAccessDeniedHttpException($entity_access, $related_field, 'The current user is not allowed to update the selected resource.'); } if (!($field_list = $entity->get($related_field)) || !$this->isRelationshipField($field_list)) { throw new NotFoundHttpException(sprintf('The relationship %s is not present in this resource.', $related_field)); @@ -825,7 +825,7 @@ class EntityResource { if ($destination_field_list->getValue() != $origin_field_list->getValue()) { $field_access = $destination_field_list->access('edit', NULL, TRUE); if (!$field_access->isAllowed()) { - throw new EntityAccessDeniedHttpException($destination, $field_access, '/data/attributes/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); + throw new EntityAccessDeniedHttpException($field_access, '/data/attributes/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name)); } $destination->{$field_name} = $origin->get($field_name); } @@ -897,7 +897,7 @@ class EntityResource { ]; if ($entity instanceof AccessibleInterface && !$access->isAllowed()) { // Pass an exception to the list of things to normalize. - $output['entity'] = new EntityAccessDeniedHttpException($entity, $access, '/data', 'The current user is not allowed to GET the selected resource.'); + $output['entity'] = new EntityAccessDeniedHttpException($access, '/data', 'The current user is not allowed to GET the selected resource.'); } return $output; diff --git a/src/Exception/EntityAccessDeniedHttpException.php b/src/Exception/EntityAccessDeniedHttpException.php index 9cd844c..fcbb5aa 100644 --- a/src/Exception/EntityAccessDeniedHttpException.php +++ b/src/Exception/EntityAccessDeniedHttpException.php @@ -33,8 +33,6 @@ class EntityAccessDeniedHttpException extends HttpException { /** * EntityAccessDeniedHttpException constructor. * - * @param \Drupal\Core\Entity\EntityInterface|null $entity - * The entity, or NULL when an entity is being created. * @param \Drupal\Core\Access\AccessResultInterface $entity_access * The access result. * @param string $pointer @@ -48,12 +46,10 @@ class EntityAccessDeniedHttpException extends HttpException { * @param int $code * The code. */ - public function __construct($entity, AccessResultInterface $entity_access, $pointer, $messsage = 'The current user is not allowed to GET the selected resource.', \Exception $previous = NULL, array $headers = [], $code = 0) { - assert(is_null($entity) || $entity instanceof EntityInterface); + public function __construct(AccessResultInterface $entity_access, $pointer, $messsage = 'The current user is not allowed to GET the selected resource.', \Exception $previous = NULL, array $headers = [], $code = 0) { parent::__construct(403, $messsage, $previous, $headers, $code); $error = [ - 'entity' => $entity, 'pointer' => $pointer, 'reason' => NULL, ]; diff --git a/src/Normalizer/EntityAccessDeniedHttpExceptionNormalizer.php b/src/Normalizer/EntityAccessDeniedHttpExceptionNormalizer.php index e9077dc..f749410 100644 --- a/src/Normalizer/EntityAccessDeniedHttpExceptionNormalizer.php +++ b/src/Normalizer/EntityAccessDeniedHttpExceptionNormalizer.php @@ -31,19 +31,9 @@ class EntityAccessDeniedHttpExceptionNormalizer extends HttpExceptionNormalizer if ($exception instanceof EntityAccessDeniedHttpException) { $error = $exception->getError(); - /** @var \Drupal\Core\Entity\EntityInterface $entity */ - $entity = $error['entity']; $pointer = $error['pointer']; $reason = $error['reason']; - if (isset($entity)) { - $errors[0]['id'] = sprintf( - '/%s--%s/%s', - $entity->getEntityTypeId(), - $entity->bundle(), - $entity->uuid() - ); - } $errors[0]['source']['pointer'] = $pointer; if ($reason) { diff --git a/src/Normalizer/JsonApiDocumentTopLevelNormalizer.php b/src/Normalizer/JsonApiDocumentTopLevelNormalizer.php index e34c085..f5716e0 100644 --- a/src/Normalizer/JsonApiDocumentTopLevelNormalizer.php +++ b/src/Normalizer/JsonApiDocumentTopLevelNormalizer.php @@ -321,7 +321,7 @@ class JsonApiDocumentTopLevelNormalizer extends NormalizerBase implements Denorm if (isset($document['data']['id']) && !Uuid::isValid($document['data']['id'])) { // This should be a 422 response, but the JSON API specification dictates // a 403 Forbidden response. We follow the specification. - throw new EntityAccessDeniedHttpException(NULL, AccessResult::forbidden(), '/data/id', 'IDs should be properly generated and formatted UUIDs as described in RFC 4122.'); + throw new EntityAccessDeniedHttpException(AccessResult::forbidden(), '/data/id', 'IDs should be properly generated and formatted UUIDs as described in RFC 4122.'); } }