Request for REST API gives me 403

I recently have got this situation that I get the following response when I add a new Action to REST API Controller Class:

{"status":"error","status_code":403,"status_text":"Forbidden","current_content":"","message":"You do not get VIEW permission for this object"}

1 2 3

{"status":"error","status_code":403,"status_text":"Forbidden","current_content":"","message":"You do not get VIEW permission for this object"}

Example Action:

// Acme\Bundle\AcmeBundle\Controller\Api\Rest (Omitting) use Nelmio\ApiDocBundle\Annotation\ApiDoc; use FOS\RestBundle\Controller\Annotations\NamePrefix; use FOS\RestBundle\Controller\Annotations\RouteResource; use FOS\RestBundle\Controller\Annotations\QueryParam; use FOS\RestBundle\Routing\ClassResourceInterface; use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use FOS\Rest\Util\Codes; use Oro\Bundle\SecurityBundle\Annotation\Acl; use Oro\Bundle\SecurityBundle\Annotation\AclAncestor; use Acme\Bundle\AcmeBundle\Helper\Helper; use Acme\Bundle\AcmeBundle\Entity\Acme; (Omitting) /** * REST GET return Total * * @param Acme $item * * @ApiDoc( * description="Calculate Total", * resource=true * ) * @AclAncestor("acme_view") * @ParamConverter("item", class="AcmeBundle:Acme") * @return Response */ public function getTotalAction(Acme $item) { $helper = $this->get('acme.helper'); $result = $helper->getTotal($item); $responseData = json_encode($result); return new Response($responseData, $result ? Codes::HTTP_OK : Codes::HTTP_BAD_REQUEST); }

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

// Acme\Bundle\AcmeBundle\Controller\Api\Rest   (Omitting) use Nelmio\ApiDocBundle\Annotation\ApiDoc;   use FOS\RestBundle\Controller\Annotations\NamePrefix; use FOS\RestBundle\Controller\Annotations\RouteResource; use FOS\RestBundle\Controller\Annotations\QueryParam; use FOS\RestBundle\Routing\ClassResourceInterface;   use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;   use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use FOS\Rest\Util\Codes;   use Oro\Bundle\SecurityBundle\Annotation\Acl; use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;   use Acme\Bundle\AcmeBundle\Helper\Helper; use Acme\Bundle\AcmeBundle\Entity\Acme; (Omitting) /** * REST GET return Total * * @param Acme $item * * @ApiDoc( *      description="Calculate Total", *      resource=true * ) * @AclAncestor("acme_view") * @ParamConverter("item", class="AcmeBundle:Acme") * @return Response */ public function getTotalAction(Acme $item) {     $helper = $this->get('acme.helper');     $result = $helper->getTotal($item);     $responseData = json_encode($result);     return new Response($responseData, $result ? Codes::HTTP_OK : Codes::HTTP_BAD_REQUEST); }

First I thought this issue happens if I add the same action name that I already have used for other Controller Class, but it seems not.

And where the error message gets generated is at apply() in:
Oro\Bundle\SecurityBundle\Request\ParamConverter\DoctrineParamConverter

(Omitting) if ($permission && $class && $this->entityClassResolver->isEntity($class) && is_a($object, $this->entityClassResolver->getEntityClass($class)) ) { if (!$this->securityFacade->isGranted($permission, $object)) { throw new AccessDeniedException( ---> 'You do not get ' . $permission . ' permission for this object' ); } else { $request->attributes->set('_oro_access_checked', true); } } (Omitting)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

(Omitting)                     if ($permission                         && $class                         && $this->entityClassResolver->isEntity($class)                         && is_a($object, $this->entityClassResolver->getEntityClass($class))                     ) {                         if (!$this->securityFacade->isGranted($permission, $object)) {                             throw new AccessDeniedException( --->                            'You do not get ' . $permission . ' permission for this object'                             );                         } else {                             $request->attributes->set('_oro_access_checked', true);                         }                     } (Omitting)

The issue does not happen if I don’t use “ParamConverter” and just pass the id and get the Entity by coding it.

Other actions using “ParamConverter” do not get the error but when I add new action it somehow starts returning the error, sometimes.

I am not sure if we are supposed to use “ParamConverter” within REST API Controller Class as I can see only the following one uses it:

Oro\Bundle\WorkflowBundle\Controller\Api\Rest\WorkflowController

Topic

[Yurii MuratovParticipant]

Good day.
Please try to change access level on view permission to your Acme entity.

[HiroParticipant]

Thank you for the reply.

I think I tried that. I noticed every time I change the permission a new record gets created in the table “acl_classes” so I tried to resolve this issue by having changed all the Entities I made to “System”. And that did not resolve the issue.

It happens even if I login as the user having the role “Administrator” anyway.

So far I just stopped using “ParamConverter” for the actions having this issue because any of Oro bundles does seem to use “ParamConverter” for REST API Controller classes except Workflow Bundle (The one under Controller/Api/Rest directory).

[Author]

Replies