コード例 #1
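 /**
  * Stores the object in the request and, when the target controller action declares a
  * permission, checks that permission against the stored object.
  *
  * The request attribute "_oro_access_checked" is reset to false on every call and becomes
  * true only after isGranted() has accepted the permission for the object. It stays false
  * when the parent converter stored nothing, when the stored object is empty, when
  * "_controller" is not a "Class::method" string, or when no permission is returned for
  * the action.
  * NOTE(review): while the flag is false this method has made no access decision; whatever
  * reads "_oro_access_checked" presumably has to enforce access itself - confirm against
  * the consumer.
  *
  * @param Request $request
  * @param ConfigurationInterface $configuration
  * @return bool Value returned by the parent converter's apply()
  * @throws AccessDeniedException When User doesn't have permission to the object
  * @throws NotFoundHttpException When object not found
  * @throws \LogicException       When unable to guess how to get a Doctrine instance from the request information
  */
 public function apply(Request $request, ConfigurationInterface $configuration)
 {
     // Reset before anything else: the flag may only become true through the check below.
     $request->attributes->set('_oro_access_checked', false);

     $isSet = parent::apply($request, $configuration);
     if (!$isSet) {
         return $isSet;
     }

     $object = $request->attributes->get($configuration->getName());
     $controller = $request->attributes->get('_controller');

     // "_controller" may hold a non-string value (e.g. a callable). Passing that to strpos()
     // fails with a TypeError on PHP 8 and, on older versions, yields null, which the former
     // "!== false" test treated as a match. Only the "Class::method" string form can be
     // resolved to a class and method name here, so anything else skips the check and
     // leaves the flag false.
     if (!$object || !is_string($controller) || strpos($controller, '::') === false) {
         return $isSet;
     }

     $controllerData = explode('::', $controller);
     $permission = $this->securityFacade->getClassMethodAnnotationPermission(
         $controllerData[0],
         $controllerData[1]
     );
     if (!$permission) {
         // No permission returned for this action: nothing to check, flag stays false.
         return $isSet;
     }

     if (!$this->securityFacade->isGranted($permission, $object)) {
         throw new AccessDeniedException('You do not get ' . $permission . ' permission for this object');
     }

     // Reached only after the permission was granted for this specific object.
     $request->attributes->set('_oro_access_checked', true);

     return $isSet;
 }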