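/**
 * {@inheritdoc}
 *
 * Enforces the Attribute annotation declared on the target method before
 * delegating to the wrapped invoker:
 *  - a single (non-array) attribute value is checked with isGranted(); a denial
 *    throws AccessDeniedException and the target method is never called;
 *  - an array attribute value is narrowed with filterGranted() and the filtered
 *    array is written back into the request object at the same property path,
 *    so the target method only ever sees the elements the current user may access.
 *
 * @throws \LogicException       when the invoked method carries no Attribute annotation
 * @throws AccessDeniedException when a single (non-array) attribute value is not granted
 */
public function invoke(callable $callable, $requestObject)
{
    /** @var Attribute|null $attributeAnnotation */
    $attributeAnnotation = $this->annotationReader->getMethodAnnotation(
        ReflectionFunctionFactory::createReflectionMethodFromCallable($callable),
        Attribute::class
    );

    // Fail closed with an explicit message instead of dereferencing null below:
    // a method reaching this invoker without the annotation is a wiring mistake
    // and must not be treated as a grant.
    if ($attributeAnnotation === null) {
        throw new \LogicException(sprintf(
            'No %s annotation found on the invoked method; secured invocation refused.',
            Attribute::class
        ));
    }

    $attributeName = $attributeAnnotation->name;
    $attributeValue = $this->propertyAccessor->getValue($requestObject, $attributeAnnotation->valueAt);
    $userId = $this->userProvider->getUserId();

    if (is_array($attributeValue)) {
        // Partial access: keep only the granted elements and hand the narrowed
        // array to the target method through the same property path.
        $attributeValue = $this->guard->filterGranted($userId, $attributeName, $attributeValue);
        $this->propertyAccessor->setValue($requestObject, $attributeAnnotation->valueAt, $attributeValue);
    } elseif (!$this->guard->isGranted($userId, $attributeName, $attributeValue)) {
        // All-or-nothing access for a single value.
        throw new AccessDeniedException();
    }

    return $this->methodInvoker->invoke($callable, $requestObject);
}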
/**
 * When the secured attribute resolves to an array, the guard's filterGranted()
 * result (here: nothing granted) must be written back into the request object
 * before the wrapped invoker runs, and the wrapped invoker's return value must
 * be passed through untouched.
 */
public function it_should_filter_allowed_attributes(
    MethodInvokerInterface $methodInvoker,
    UserProviderInterface $userProvider,
    GuardInterface $guard,
    Reader $annotationReader,
    PropertyAccessor $propertyAccessor
) {
    $api = new SecuredAreaApi();
    $target = [$api, 'securedMethod'];

    $request = new \stdClass();
    $request->prop1 = 'asd';

    $expectedResponse = new \stdClass();
    $expectedResponse->prop2 = 'asd';

    $annotation = new Attribute();
    $annotation->name = 'test';
    $annotation->valueAt = 'test';

    // Collaborator expectations, in the order the invoker consults them.
    $annotationReader
        ->getMethodAnnotation(new \ReflectionMethod($api, 'securedMethod'), Attribute::class)
        ->willReturn($annotation)
        ->shouldBeCalled();
    $propertyAccessor->getValue($request, 'test')->willReturn(['sec-attr-val'])->shouldBeCalled();
    $userProvider->getUserId()->willReturn(12)->shouldBeCalled();
    // The guard strips every element, so the value written back is an empty array.
    $guard->filterGranted(12, 'test', ['sec-attr-val'])->willReturn([])->shouldBeCalled();
    $propertyAccessor->setValue($request, 'test', [])->shouldBeCalled();
    $methodInvoker->invoke($target, $request)->willReturn($expectedResponse)->shouldBeCalled();

    $this->invoke($target, $request)->shouldBe($expectedResponse);
}