From cc78ab0ce514a2d31ee44f1ff1cd4b8669d4a996 Mon Sep 17 00:00:00 2001
From: Christoph Reiter <reiter.christoph@gmail.com>
Date: Wed, 21 Sep 2022 10:17:02 +0200
Subject: [PATCH] Restrict access to ROLE_SCOPE_API-PROXY

This means the client needs the "api-proxy" oauth scope to access the proxy
functionality.
---
 src/DataPersister/ProxyDataPersister.php             | 2 ++
 src/DataProvider/ProxyDataCollectionDataProvider.php | 1 +
 src/DataProvider/ProxyDataItemDataProvider.php       | 1 +
 src/Entity/ProxyData.php                             | 2 --
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/DataPersister/ProxyDataPersister.php b/src/DataPersister/ProxyDataPersister.php
index 07bcfdf..d6dc5c3 100644
--- a/src/DataPersister/ProxyDataPersister.php
+++ b/src/DataPersister/ProxyDataPersister.php
@@ -33,6 +33,7 @@ class ProxyDataPersister extends AbstractController implements ContextAwareDataP
     public function persist($data, array $context = []): ProxyData
     {
         $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+        $this->denyAccessUnlessGranted('ROLE_SCOPE_API-PROXY');
 
         if (Tools::isNullOrEmpty($data->getNamespace())) {
             throw new BadRequestException('parameter namespace must not be null nor empty');
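Review bot: With the `security` attribute removed from the `post` operation in src/Entity/ProxyData.php, the two `denyAccessUnlessGranted` calls at the top of `persist()` become the only gate for POST, and they run later in the request than the attribute did. In API Platform 2.x the `security` expression is evaluated before the request body is deserialized, while a data persister is called only after deserialization and validation. A client without the scope may therefore get its body parsed and receive validation errors instead of an access-denied response, unless a firewall rule outside this patch rejects it earlier. Consider keeping the attribute and extending it, `"security" = "is_granted('IS_AUTHENTICATED_FULLY') and is_granted('ROLE_SCOPE_API-PROXY')"`, with the persister check left in place as a second layer. The body of `persist()` continues past the end of this hunk.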
@@ -55,5 +56,6 @@ class ProxyDataPersister extends AbstractController implements ContextAwareDataP
     public function remove($data, array $context = []): void
     {
         $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+        $this->denyAccessUnlessGranted('ROLE_SCOPE_API-PROXY');
     }
 }
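Review bot: The role string `'ROLE_SCOPE_API-PROXY'` is written out as a literal in `remove()` here and again in `persist()`, `getCollection()` and `getItem()`, so a typo in one copy would make that operation's check diverge from the others with no error until a request hits it. A single class constant, for example `public const ROLE_SCOPE_API_PROXY = 'ROLE_SCOPE_API-PROXY';` on `ProxyData`, referenced from all four call sites, would keep them in step. Its docblock is also a good place to record what the commit message says, namely that the role corresponds to the "api-proxy" OAuth scope.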
diff --git a/src/DataProvider/ProxyDataCollectionDataProvider.php b/src/DataProvider/ProxyDataCollectionDataProvider.php
index 4321d8a..06d89d7 100644
--- a/src/DataProvider/ProxyDataCollectionDataProvider.php
+++ b/src/DataProvider/ProxyDataCollectionDataProvider.php
@@ -19,6 +19,7 @@ final class ProxyDataCollectionDataProvider extends AbstractController implement
     public function getCollection(string $resourceClass, string $operationName = null, array $context = []): iterable
     {
         $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+        $this->denyAccessUnlessGranted('ROLE_SCOPE_API-PROXY');
 
         return [];
     }
diff --git a/src/DataProvider/ProxyDataItemDataProvider.php b/src/DataProvider/ProxyDataItemDataProvider.php
index eaf1ecd..3b48cd2 100644
--- a/src/DataProvider/ProxyDataItemDataProvider.php
+++ b/src/DataProvider/ProxyDataItemDataProvider.php
@@ -19,6 +19,7 @@ final class ProxyDataItemDataProvider extends AbstractController implements Item
     public function getItem(string $resourceClass, $id, string $operationName = null, array $context = []): ?ProxyData
     {
         $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+        $this->denyAccessUnlessGranted('ROLE_SCOPE_API-PROXY');
 
         return null;
     }
diff --git a/src/Entity/ProxyData.php b/src/Entity/ProxyData.php
index a73602a..55277ac 100644
--- a/src/Entity/ProxyData.php
+++ b/src/Entity/ProxyData.php
@@ -12,7 +12,6 @@ use Symfony\Component\Serializer\Annotation\Groups;
  * @ApiResource(
  *     collectionOperations={
  *         "post" = {
- *             "security" = "is_granted('IS_AUTHENTICATED_FULLY')",
  *             "path" = "/proxy/proxydata",
  *             "openapi_context" = {
  *                 "tags" = {"Proxy"},
@@ -26,7 +25,6 @@ use Symfony\Component\Serializer\Annotation\Groups;
  *             }
  *         },
  *         "get" = {
- *             "security" = "is_granted('IS_AUTHENTICATED_FULLY')",
  *             "path" = "/proxy/proxydata",
  *             "openapi_context" = {
  *                 "tags" = {"Proxy"},
-- 
GitLab