@alexmerlin
Member

No description provided.

@alexmerlin alexmerlin self-assigned this Apr 16, 2025
@alexmerlin alexmerlin requested review from arhimede and pinclau April 16, 2025 13:22
@github-actions

github-actions bot commented Apr 16, 2025

Qodana for PHP

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked
☁️ View the detailed Qodana report

Detected 109 dependencies

Third-party software list

This page lists the third-party software dependencies used in project

Dependency Version Licenses
brick/math 0.12.3 MIT
brick/varexporter 0.6.0 MIT
defuse/php-encryption v2.4.0 MIT
doctrine/collections 2.3.0 MIT
doctrine/common 3.5.0 MIT
doctrine/data-fixtures 2.0.2 MIT
doctrine/dbal 4.2.3 MIT
doctrine/deprecations 1.1.5 MIT
doctrine/event-manager 2.0.1 MIT
doctrine/inflector 2.0.10 MIT
doctrine/instantiator 2.0.0 MIT
doctrine/lexer 3.0.1 MIT
doctrine/migrations 3.9.0 MIT
doctrine/orm 3.3.2 MIT
doctrine/persistence 3.4.0 MIT
dotkernel/dot-cache 4.3.0 MIT
dotkernel/dot-cli 3.9.0 MIT
dotkernel/dot-data-fixtures 1.4.0 MIT
dotkernel/dot-dependency-injection 1.2.0 MIT
dotkernel/dot-errorhandler 4.0.0 MIT
dotkernel/dot-event 4.3.0 MIT
dotkernel/dot-log 4.0.4 MIT
dotkernel/dot-mail 5.3.0 MIT
dotkernel/dot-response-header 3.5.0 MIT
dotkernel/dot-router 1.0.5 MIT
egulias/email-validator 4.0.4 MIT
fig/http-message-util 1.1.5 MIT
laminas/laminas-authentication 2.18.0 BSD-3-Clause
laminas/laminas-cli 1.11.0 BSD-3-Clause
laminas/laminas-component-installer 3.5.0 BSD-3-Clause
laminas/laminas-config-aggregator 1.18.0 BSD-3-Clause
laminas/laminas-diactoros 3.5.0 BSD-3-Clause
laminas/laminas-escaper 2.16.0 BSD-3-Clause
laminas/laminas-eventmanager 3.14.0 BSD-3-Clause
laminas/laminas-filter 2.40.0 BSD-3-Clause
laminas/laminas-httphandlerrunner 2.11.0 BSD-3-Clause
laminas/laminas-hydrator 4.16.0 BSD-3-Clause
laminas/laminas-inputfilter 2.32.0 BSD-3-Clause
laminas/laminas-permissions-acl 2.17.0 BSD-3-Clause
laminas/laminas-permissions-rbac 3.7.0 BSD-3-Clause
laminas/laminas-servicemanager 3.23.0 BSD-3-Clause
laminas/laminas-stdlib 3.20.0 BSD-3-Clause
laminas/laminas-stratigility 3.13.0 BSD-3-Clause
laminas/laminas-validator 2.64.2 BSD-3-Clause
lcobucci/clock 3.3.1 MIT
lcobucci/jwt 5.5.0 BSD-3-Clause
league/event 2.3.0 MIT
league/oauth2-server 8.5.5 MIT
league/uri-interfaces 7.5.0 MIT
league/uri 7.5.1 MIT
mezzio/mezzio-authentication-oauth2 2.11.0 BSD-3-Clause
mezzio/mezzio-authentication 1.10.0 BSD-3-Clause
mezzio/mezzio-authorization-acl 1.11.0 BSD-3-Clause
mezzio/mezzio-authorization-rbac 1.8.0 BSD-3-Clause
mezzio/mezzio-authorization 1.10.0 BSD-3-Clause
mezzio/mezzio-cors 1.13.0 BSD-3-Clause
mezzio/mezzio-fastroute 3.12.0 BSD-3-Clause
mezzio/mezzio-hal 2.10.1 BSD-3-Clause
mezzio/mezzio-helpers 5.17.0 BSD-3-Clause
mezzio/mezzio-problem-details 1.15.0 BSD-3-Clause
mezzio/mezzio-router 3.18.0 BSD-3-Clause
mezzio/mezzio-template 2.11.0 BSD-3-Clause
mezzio/mezzio-twigrenderer 2.17.0 BSD-3-Clause
mezzio/mezzio 3.20.1 BSD-3-Clause
nikic/fast-route v1.3.0 BSD-3-Clause
nikic/php-parser v5.4.0 BSD-3-Clause
paragonie/random_compat v9.99.100 MIT
psr/cache 3.0.0 MIT
psr/clock 1.0.0 MIT
psr/container 1.1.2 MIT
psr/event-dispatcher 1.0.0 MIT
psr/http-client 1.0.3 MIT
psr/http-factory 1.1.0 MIT
psr/http-message 2.0 MIT
psr/http-server-handler 1.0.2 MIT
psr/http-server-middleware 1.0.2 MIT
psr/link 1.1.1 MIT
psr/log 3.0.2 MIT
ramsey/collection 2.1.1 MIT
ramsey/uuid-doctrine 2.1.0 MIT
ramsey/uuid 4.7.6 MIT
roave/psr-container-doctrine 5.2.2 BSD-2-Clause
spatie/array-to-xml 3.4.0 MIT
symfony/cache-contracts v3.5.1 MIT
symfony/cache v7.2.5 MIT
symfony/console v7.2.5 MIT
symfony/deprecation-contracts v3.5.1 MIT
symfony/event-dispatcher-contracts v3.5.1 MIT
symfony/event-dispatcher v7.2.0 MIT
symfony/filesystem v7.2.0 MIT
symfony/finder v7.2.2 MIT
symfony/mailer v7.2.3 MIT
symfony/mime v7.2.4 MIT
symfony/polyfill-ctype v1.31.0 MIT
symfony/polyfill-intl-grapheme v1.31.0 MIT
symfony/polyfill-intl-idn v1.31.0 MIT
symfony/polyfill-intl-normalizer v1.31.0 MIT
symfony/polyfill-mbstring v1.31.0 MIT
symfony/polyfill-php84 v1.31.0 MIT
symfony/service-contracts v3.5.1 MIT
symfony/stopwatch v7.2.4 MIT
symfony/string v7.2.0 MIT
symfony/var-exporter v7.2.5 MIT
symfony/yaml v7.2.5 MIT
twig/twig v3.20.0 BSD-3-Clause
webimpress/safe-writer 2.2.0 BSD-2-Clause
webmozart/assert 1.11.0 MIT
willdurand/negotiation 3.1.0 MIT
zircote/swagger-php 5.1.0 Apache-2.0

@alexmerlin
Member Author

alexmerlin commented Apr 16, 2025

@arhimede @pinclau @MarioRadu

Important

Important changes in this PR:

  1. Added Resource attribute.
    How it works:
    • once added to the handle method in a request handler, it helps find the entity that an endpoint would have to find based on the id/uuid route parameter
    • allows setting a guard (an invokable class implementing ResourceGuardInterface) which receives the $request, the EntityManager and the requested entity. The guard must implement the logic for detecting if the current user is authorized to interact with the requested entity. If not authorized, it should throw a suitable exception (probably NotFoundException).
  2. Added ResourceProviderMiddleware middleware.
    How it works:
    • once added to the pipeline, it will check if the request handler's handle method contains a Resource attribute - if not, it skips to the next middleware without altering the request in any way
    • if a Resource attribute was found (see example), then it tries to find the requested entity (if not found, it throws a NotFoundException) and store it in the request using the entity's namespace as the key (example: Core\Admin\Entity\Admin)
    • when the request reaches the handler, the latter will fetch the entity by calling $request->getAttribute(Admin::class) and the original flow continues as before
  3. AuthorizationMiddleware used to save the current user in the request entity under the Admin::class / User::class keys.
    In order to avoid conflicts with storing/fetching the requested entities, they are now saved under the IdentityInterface::class key. IdentityInterface has only one job, to serve as a key when storing/fetching the current user. The name itself is "ok-ish", I was thinking about other options as well, like CurrentUser for example.
  4. Added the isDeleted method to AbstractEntity, so that all entities have access to it.
    By default it returns false.
    Soft-deletable entities (like User) must implement their logic for checking if the entity is deleted (it is safer doing it in the entity than trying to automatically identify the enum and look for the deleted key, which in some cases might be called something else).

Why an attribute instead of a service or a middleware?

Because this solution reduces complexity (see GetAdminResourceHandler.php) which previously needed a service to fetch the requested entity but now it reads the entity directly from the request and then sends it to the response factory.

  • using a service: besides the fact that this shouldn't be *Service's responsibility, adding the "extra verifications" to it would have added unnecessary complexity. Similarly, creating a new service would have only increased the number of dependencies.
  • using a middleware: would have hidden the "extra verification" logic.
  • using an attribute: the logic is not in the handler, but it is controllable from it.

Overall, this PR:

  • reduces the complexity and the number of dependencies in handlers
  • moves common logic (injecting a service to find an entity by uuid) away from handlers
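
A minimal, framework-free sketch of the flow described in the comment above, added here as an example; it is not code from this PR or from the project. All signatures, the Document entity, OwnerGuard, the array-based request and the $store array standing in for the EntityManager are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: every class below is a hypothetical stand-in, not the project's code.
final class NotFoundException extends RuntimeException {}
interface IdentityInterface {} // used only as the request key for the current user
interface ResourceGuardInterface
{
    // $store stands in for the EntityManager; throw when access is not allowed.
    public function __invoke(array $request, array $store, object $entity): void;
}
#[Attribute(Attribute::TARGET_METHOD)]
final class Resource { public function __construct(public string $entity, public string $guard) {} }
final class Document { public function __construct(public string $uuid, public string $ownerUuid) {} }

final class OwnerGuard implements ResourceGuardInterface
{
    public function __invoke(array $request, array $store, object $entity): void
    {
        // Same exception as a missing row, so the response does not confirm the uuid exists.
        if ($entity->ownerUuid !== $request[IdentityInterface::class]->uuid) {
            throw new NotFoundException('Resource not found');
        }
    }
}
final class GetDocumentHandler
{
    #[Resource(entity: Document::class, guard: OwnerGuard::class)]
    public function handle(array $request): string
    {
        return 'document ' . $request[Document::class]->uuid; // entity was put there upstream
    }
}

// Middleware step: read the attribute, load the entity, run the guard, call the handler.
function provideResource(object $handler, array $request, array $store): string
{
    $attrs = (new ReflectionMethod($handler, 'handle'))->getAttributes(Resource::class);
    if ($attrs === []) {
        return $handler->handle($request); // no attribute: request passes through unchanged
    }
    $resource = $attrs[0]->newInstance();
    $entity = $store[$request['uuid'] ?? ''] ?? null;
    if ($entity === null) {
        throw new NotFoundException('Resource not found');
    }
    (new ($resource->guard)())($request, $store, $entity); // guard throws when not authorized
    $request[$resource->entity] = $entity; // keyed by the entity's class name
    return $handler->handle($request);
}
```

Calling provideResource(new GetDocumentHandler(), $request, $store) with an identity whose uuid equals the document's ownerUuid returns the handler's response. Any other identity, or an unknown uuid, ends in the same NotFoundException.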

@arhimede
Member

@Howriq @bidi47 we will need a separate page in documentation v6 about that
not sure if we do not want to have an article too ...

@alexmerlin
Member Author

@arhimede
As @MarioRadu pointed out today during our TSC meeting, we should take a look at mezzio/mezzio-authorization-rbac.
Also, @Jurj-Bogdan mentioned laminas/laminas-permissions-acl.

@arhimede arhimede merged commit 9b15a57 into 6.0 Apr 28, 2025
28 checks passed
@alexmerlin alexmerlin deleted the issue-390-2 branch April 28, 2025 09:32
Development

Successfully merging this pull request may close these issues.

[RFC]: Implement extra verifications for the resources with UUID in it