Merge pull request #7208 from usu/feat/disable-filter-by-user-for-subresources

usu · web-flow · commit c17def29c28e · 2025-04-12T21:19:35.000Z
opt out from FilterByUserExtension for subresources
diff --git a/api/src/Doctrine/FilterByCurrentUserExtension.php b/api/src/Doctrine/FilterByCurrentUserExtension.php
@@ -22,6 +22,11 @@ public function __construct(Security $security, EntityManagerInterface $entityMa
     }
 
     public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, ?string $resourceClass = null, ?Operation $operation = null, array $context = []): void {
+        $extraProperties = $operation->getExtraProperties();
+        if (array_key_exists('filter_by_current_user', $extraProperties) && false === $extraProperties['filter_by_current_user']) {
+            return;
+        }
+
         $this->addWhere($queryBuilder, $queryNameGenerator, $resourceClass);
     }
 
diff --git a/api/src/Entity/Activity.php b/api/src/Entity/Activity.php
@@ -58,6 +58,9 @@
             ],
             normalizationContext: self::COLLECTION_NORMALIZATION_CONTEXT,
             security: 'is_fully_authenticated()',
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
         new Post(
             processor: ActivityCreateProcessor::class,
diff --git a/api/src/Entity/ActivityProgressLabel.php b/api/src/Entity/ActivityProgressLabel.php
@@ -54,6 +54,9 @@
                 ),
             ],
             security: 'is_fully_authenticated()',
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
         new Post(
             validationContext: ['groups' => ['Default', 'create']],
diff --git a/api/src/Entity/Category.php b/api/src/Entity/Category.php
@@ -66,6 +66,9 @@
                     security: 'is_granted("CAMP_COLLABORATOR", camp) or is_granted("CAMP_IS_PROTOTYPE", camp)'
                 ),
             ],
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
     ],
     denormalizationContext: ['groups' => ['write']],
diff --git a/api/src/Entity/Checklist.php b/api/src/Entity/Checklist.php
@@ -65,6 +65,9 @@
                     security: 'is_granted("CAMP_COLLABORATOR", camp) or is_granted("CAMP_IS_PROTOTYPE", camp)'
                 ),
             ],
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
     ],
     denormalizationContext: ['groups' => ['write']],
diff --git a/api/src/Entity/ChecklistItem.php b/api/src/Entity/ChecklistItem.php
@@ -68,6 +68,9 @@
                                is_granted("CAMP_COLLABORATOR", checklist)'
                 ),
             ],
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
     ],
     denormalizationContext: ['groups' => ['write']],
diff --git a/api/src/Entity/Day.php b/api/src/Entity/Day.php
@@ -45,6 +45,9 @@
             ],
             normalizationContext: self::COLLECTION_NORMALIZATION_CONTEXT,
             security: 'is_fully_authenticated()',
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
     ],
     denormalizationContext: ['groups' => ['write']],
diff --git a/api/src/Entity/DayResponsible.php b/api/src/Entity/DayResponsible.php
@@ -41,6 +41,9 @@
                     security: 'is_granted("CAMP_COLLABORATOR", day) or is_granted("CAMP_IS_PROTOTYPE", day)'
                 ),
             ],
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
         new Post(
             securityPostDenormalize: 'is_granted("CAMP_MEMBER", object) or is_granted("CAMP_MANAGER", object) or object.day === null'
diff --git a/api/src/Entity/ScheduleEntry.php b/api/src/Entity/ScheduleEntry.php
@@ -54,6 +54,9 @@
                 ),
             ],
             security: 'is_fully_authenticated()',
+            extraProperties: [
+                'filter_by_current_user' => false,
+            ]
         ),
         new Post(
             denormalizationContext: ['groups' => ['write', 'create']],
diff --git a/api/tests/Api/Activities/ListActivitiesTest.php b/api/tests/Api/Activities/ListActivitiesTest.php
@@ -59,7 +59,7 @@ public function testListActivitiesFilteredByCampIsAllowedForCollaborator() {
         ], $response->toArray()['_links']['items']);
     }
 
-    public function testListActivitiesByCampSubresourceIsAllowedForCollaborator() {
+    public function testListActivitiesAsCampSubresourceIsAllowedForCollaborator() {
         $camp = static::getFixture('camp1');
         $response = static::createClientWithCredentials()->request('GET', "/camps/{$camp->getId()}/activities");
         $this->assertResponseStatusCodeSame(200);
@@ -78,6 +78,12 @@ public function testListActivitiesByCampSubresourceIsAllowedForCollaborator() {
         ], $response->toArray()['_links']['items']);
     }
 
+    public function testListActivitiesAsCampSubresourceIsDeniedForUnrelatedUser() {
+        $camp = static::getFixture('camp1');
+        $response = static::createClientWithCredentials(['email' => static::$fixtures['user4unrelated']->getEmail()])->request('GET', "/camps/{$camp->getId()}/activities");
+        $this->assertResponseStatusCodeSame(404);
+    }
+
     public function testListActivitiesFilteredByCampIsDeniedForUnrelatedUser() {
         $camp = static::getFixture('camp1');
         $response = static::createClientWithCredentials(['email' => static::$fixtures['user4unrelated']->getEmail()])
diff --git a/api/tests/Api/ActivityProgressLabel/ListActivityProgressLabelTest.php b/api/tests/Api/ActivityProgressLabel/ListActivityProgressLabelTest.php
@@ -86,6 +86,14 @@ public function testListActivityProgressLabelsAsSubresourceOfCampIsAllowedForCol
         ], $response->toArray()['_links']['items']);
     }
 
+    public function testListActivityProgressLabelsAsSubresourceOfCampIsDeniedForUnrelatedUser() {
+        $camp = static::getFixture('camp1');
+        $response = static::createClientWithCredentials(['email' => static::$fixtures['user4unrelated']->getEmail()])
+            ->request('GET', "/camps/{$camp->getId()}/activity_progress_labels")
+        ;
+        $this->assertResponseStatusCodeSame(404);
+    }
+
     public function testListActivityProgressLabelsFilteredByCampIsDeniedForUnrelatedUser() {
         $camp = static::getFixture('camp1');
         $response = static::createClientWithCredentials(['email' => static::$fixtures['user4unrelated']->getEmail()])

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,11 @@ public function __construct(Security $security, EntityManagerInterface $entityMa`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, ?string $resourceClass = null, ?Operation $operation = null, array $context = []): void {`
	`25`	`+ $extraProperties = $operation->getExtraProperties();`
	`26`	`+ if (array_key_exists('filter_by_current_user', $extraProperties) && false === $extraProperties['filter_by_current_user']) {`
	`27`	`+ return;`
	`28`	`+ }`
	`29`	`+`
`25`	`30`	`$this->addWhere($queryBuilder, $queryNameGenerator, $resourceClass);`
`26`	`31`	`}`
`27`	`32`