Merge pull request #2648 from bolt/feature/post-api

Role-based API support for `POST`, `PUT` and `DELETE` operations
bolt · Nov 29, 2021 · 6016c91 · 6016c91
2 parents 4e7878c + 3dfd45a
commit 6016c91
Show file tree

Hide file tree

Showing 12 changed files with 468 additions and 170 deletions.
diff --git a/config/bolt/permissions.yaml b/config/bolt/permissions.yaml
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -6,6 +6,7 @@ security:
         ROLE_EDITOR: [ROLE_USER]
         # ROLE_USER is assigned to Bolt Entity Users if no roles have been set
         ROLE_USER: []
+        ROLE_WEBSERVICE: []
 
     encoders:
         Bolt\Entity\User: auto
@@ -20,7 +21,11 @@ security:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
-
+
+        api:
+            pattern: ^/api
+            http_basic: ~
+
         main:
             pattern: ^/
             anonymous: true

diff --git a/config/services.yaml b/config/services.yaml
@@ -154,3 +154,7 @@ services:
         class: Jasny\Twig\ArrayExtension
         tags:
             - { name: twig.extension }
+
+    Bolt\Api\ContentDataPersister:
+        decorates: 'api_platform.doctrine.orm.data_persister'
+
diff --git a/src/Api/ContentDataPersister.php b/src/Api/ContentDataPersister.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace Bolt\Api;
+
+use ApiPlatform\Core\DataPersister\ContextAwareDataPersisterInterface;
+use Bolt\Configuration\Config;
+use Bolt\Configuration\Content\FieldType;
+use Bolt\Entity\Content;
+use Bolt\Repository\FieldRepository;
+
+class ContentDataPersister implements ContextAwareDataPersisterInterface
+{
+    /** @var ContextAwareDataPersisterInterface */
+    private $decorated;
+
+    /** @var Config */
+    private $config;
+
+    public function __construct(ContextAwareDataPersisterInterface $decorated, Config $config)
+    {
+        $this->decorated = $decorated;
+        $this->config = $config;
+    }
+
+    public function supports($data, array $context = []): bool
+    {
+        return $this->decorated->supports($data, $context);
+    }
+
+    public function persist($data, array $context = [])
+    {
+        if ($data instanceof Content) {
+            $contentTypes = $this->config->get('contenttypes');
+
+            $data->setDefinitionFromContentTypesConfig($contentTypes);
+
+            foreach ($data->getFields() as $field) {
+                $fieldDefinition = FieldType::factory($field->getName(), $data->getDefinition());
+                $newField = FieldRepository::factory($fieldDefinition);
+
+                // todo: This works for standalone fields only.
+                // See CollectionField.php and SetField.php
+                $newField->setName($field->getName());
+                $newField->setValue($field->getValue());
+
+                $data->removeField($field);
+                $data->addField($newField);
+            }
+        }
+
+        $this->decorated->persist($data, $context);
+    }
+
+    public function remove($data, array $context = [])
+    {
+        $this->decorated->persist($data, $context);
+    }
+}
diff --git a/src/Entity/Content.php b/src/Entity/Content.php
@@ -24,9 +24,22 @@
 /**
  * @ApiResource(
  *     normalizationContext={"groups"={"get_content","get_definition"}},
- *     collectionOperations={"get"},
- *     itemOperations={"get"},
- *     graphql={"item_query", "collection_query"}
+ *     denormalizationContext={"groups"={"api_write"},"enable_max_depth"=true},
+ *     collectionOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "post"={"security"="is_granted('api:post')"}
+ *     },
+ *     itemOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "put"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     },
+ *     graphql={
+ *          "item_query"={"security"="is_granted('api:get')"},
+ *          "collection_query"={"security"="is_granted('api:get')"},
+ *          "create"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     }
  * )
  * @ApiFilter(SearchFilter::class)
  * @ORM\Entity(repositoryClass="Bolt\Repository\ContentRepository")
@@ -47,15 +60,15 @@ class Content
      * @ORM\Id()
      * @ORM\GeneratedValue()
      * @ORM\Column(type="integer")
-     * @Groups("get_content")
+     * @Groups({"get_content", "api_write"})
      */
     private $id;
 
     /**
      * @var string
      *
      * @ORM\Column(type="string", length=191)
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $contentType;
 
@@ -71,39 +84,39 @@ class Content
      * @var string
      *
      * @ORM\Column(type="string", length=191)
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $status;
 
     /**
      * @var \DateTime
      *
      * @ORM\Column(type="datetime")
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $createdAt;
 
     /**
      * @var \DateTime|null
      *
      * @ORM\Column(type="datetime", nullable=true)
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $modifiedAt = null;
 
     /**
      * @var \DateTime|null
      *
      * @ORM\Column(type="datetime", nullable=true)
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $publishedAt = null;
 
     /**
      * @var \DateTime|null
      *
      * @ORM\Column(type="datetime", nullable=true)
-     * @Groups("get_content")
+     * @Groups({"get_content","api_write"})
      */
     private $depublishedAt = null;
 
@@ -122,6 +135,7 @@ class Content
      *     cascade={"persist"}
      * )
      * @ORM\OrderBy({"sortorder": "ASC"})
+     * @Groups("api_write")
      */
     private $fields;
 
@@ -726,10 +740,17 @@ private function convertToUTCFromLocal(?\DateTime $dateTime): ?\DateTime
      */
     private function standaloneFieldsFilter(): Collection
     {
-        $keys = $this->getDefinition()->get('fields')->keys()->all();
+        $definition = $this->getDefinition();
+
+        $keys = $definition ?
+            $this->getDefinition()->get('fields')->keys()->all()
+            : [];
+        // If the definition is missing, we cannot filter out keys. ¯\_(ツ)_/¯
+
 
         return $this->fields->filter(function (Field $field) use ($keys) {
-            return ! $field->hasParent() && in_array($field->getName(), $keys, true);
+            return ! $field->hasParent() &&
+                (in_array($field->getName(), $keys, true) || empty($keys));
         });
     }
 

diff --git a/src/Entity/Field.php b/src/Entity/Field.php
@@ -22,15 +22,29 @@
 
 /**
  * @ApiResource(
+ *     denormalizationContext={"groups"={"api_write"},"enable_max_depth"=true},
+ *     normalizationContext={"groups"={"get_field"}},
+ *
  *     subresourceOperations={
  *         "api_contents_fields_get_subresource"={
- *             "method"="GET",
- *              "normalization_context"={"groups"={"get_field"}}
+ *             "method"="GET"
  *         },
  *     },
- *     collectionOperations={"get"},
- *     itemOperations={"get"},
- *     graphql={"item_query", "collection_query"}
+ *     collectionOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "post"={"security"="is_granted('api:post')"}
+ *     },
+ *     itemOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "put"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     },
+ *     graphql={
+ *          "item_query"={"security"="is_granted('api:get')"},
+ *          "collection_query"={"security"="is_granted('api:get')"},
+ *          "create"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     }
  * )
  * @ApiFilter(SearchFilter::class)
  * @ORM\Entity(repositoryClass="Bolt\Repository\FieldRepository")
@@ -53,7 +67,7 @@ class Field implements FieldInterface, TranslatableInterface
 
     /**
      * @ORM\Column(type="string", length=191)
-     * @Groups("get_field")
+     * @Groups({"get_field","api_write"})
      */
     public $name;
 
@@ -64,8 +78,9 @@ class Field implements FieldInterface, TranslatableInterface
     private $version;
 
     /**
-     * @ORM\ManyToOne(targetEntity="Bolt\Entity\Content", inversedBy="fields", cascade={"persist"})
+     * @ORM\ManyToOne(targetEntity="Bolt\Entity\Content", inversedBy="fields", fetch="EAGER")
      * @ORM\JoinColumn(nullable=false)
+     * @Groups("api_write")
      */
     private $content;
 
@@ -279,6 +294,9 @@ public function set(string $key, $value): self
         return $this;
     }
 
+    /**
+     * @Groups("api_write")
+     */
     public function setValue($value): self
     {
         $this->translate($this->getLocale(), ! $this->isTranslatable())->setValue($value);

diff --git a/src/Entity/Field/CollectionField.php b/src/Entity/Field/CollectionField.php
@@ -62,6 +62,8 @@ public function setValue($fields): Field
     {
         /** @var Field $field */
         foreach ($fields as $field) {
+            // todo: This should be able to handle an array of fields
+            // in key-value format, not just Field.php types.
             $field->setParent($this);
         }
 

diff --git a/src/Entity/Field/SetField.php b/src/Entity/Field/SetField.php
@@ -42,6 +42,8 @@ public function setValue($fields): Field
 
         /** @var Field $field */
         foreach ($fields as $field) {
+            // todo: This should be able to handle an array of fields
+            // in key-value format, not just Field.php types.
             $field->setParent($this);
             $value[$field->getName()] = $field;
         }

diff --git a/src/Entity/Relation.php b/src/Entity/Relation.php
@@ -13,9 +13,21 @@
 /**
  * @ApiResource(
  *     normalizationContext={"groups"={"get_relation"}},
- *     collectionOperations={"get"},
- *     itemOperations={"get"},
- *     graphql={"item_query", "collection_query"}
+ *     collectionOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "post"={"security"="is_granted(‘api:post’)"}
+ *     },
+ *     itemOperations={
+ *          "get"={"security"="is_granted('api:get')"},
+ *          "put"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     },
+ *     graphql={
+ *          "item_query"={"security"="is_granted('api:get')"},
+ *          "collection_query"={"security"="is_granted('api:get')"},
+ *          "create"={"security"="is_granted('api:post')"},
+ *          "delete"={"security"="is_granted('api:delete')"}
+ *     }
  * )
  * @ORM\Entity(repositoryClass="Bolt\Repository\RelationRepository")
  * @ORM\Table(indexes={