How are permissions checked for a Web API request?

dmitry_fedyuk · April 5, 2017, 1:16pm

Step 1. Magento\Webapi\Controller\Rest\InputParamsResolver::resolve()

Step 2. Magento\Webapi\Controller\Rest\RequestValidator::validate()

magento/magento2/blob/2.1.5/app/code/Magento/Webapi/Controller/Rest/RequestValidator.php#L61-L75


/**
 * Validate request
 *
 * @throws AuthorizationException
 * @throws \Magento\Framework\Webapi\Exception
 * @return void
 */
public function validate()
{
    $this->checkPermissions();
    $route = $this->router->match($this->request);
    if ($route->isSecure() && !$this->request->isSecure()) {
        throw new \Magento\Framework\Webapi\Exception(__('Operation allowed only in HTTPS'));
    }
}

Step 3. Magento\Webapi\Controller\Rest\RequestValidator::checkPermissions()

github.com

magento/magento2/blob/2.1.5/app/code/Magento/Webapi/Controller/Rest/RequestValidator.php#L77-L92


/**
 * Perform authentication and authorization.
 *
 * @throws \Magento\Framework\Exception\AuthorizationException
 * @return void
 */
private function checkPermissions()
{
    $route = $this->router->match($this->request);
    if (!$this->authorization->isAllowed($route->getAclResources())) {
        $params = ['resources' => implode(', ', $route->getAclResources())];
        throw new AuthorizationException(
            __(AuthorizationException::NOT_AUTHORIZED, $params)
        );
    }
}

Step 4. Magento\Framework\Webapi\Authorization::isAllowed()

github.com

magento/magento2/blob/2.1.5/lib/internal/Magento/Framework/Webapi/Authorization.php#L28-L42


/**
 * Check if all ACL resources are allowed to be accessed by current API user.
 *
 * @param string[] $aclResources
 * @return bool
 */
public function isAllowed($aclResources)
{
    foreach ($aclResources as $resource) {
        if (!$this->authorization->isAllowed($resource)) {
            return false;
        }
    }
    return true;
}

Step 5.

5.1. For a guest customer:

How is the «resource ref='anonymous’» webapi.xml rule handled for a request?

5.2. For a registered customer:

How is the «resource ref='self'» webapi.xml rule handled for a request?

dmitry_fedyuk · April 5, 2017, 1:31pm