/** * Stores the object in the request. * * @param Request $request * @param ConfigurationInterface $configuration * @return bool * @throws AccessDeniedException When User doesn't have permission to the object * @throws NotFoundHttpException When object not found * @throws \LogicException When unable to guess how to get a Doctrine instance from the request information */ public function apply(Request $request, ConfigurationInterface $configuration) { $request->attributes->set('_oro_access_checked', false); $isSet = parent::apply($request, $configuration); if ($isSet) { $object = $request->attributes->get($configuration->getName()); $controller = $request->attributes->get('_controller'); if ($object && strpos($controller, '::') !== false) { $controllerData = explode('::', $controller); $permission = $this->securityFacade->getClassMethodAnnotationPermission($controllerData[0], $controllerData[1]); if ($permission) { if (!$this->securityFacade->isGranted($permission, $object)) { throw new AccessDeniedException('You do not get ' . $permission . ' permission for this object'); } else { $request->attributes->set('_oro_access_checked', true); } } } } return $isSet; }