How is the «resource ref='self'» webapi.xml rule handled for a request?

dmitry_fedyuk · April 5, 2017, 1:33pm

Context

Usage

mage2pro/core/blob/2.4.27/Payment/etc/webapi.xml#L10-L14


	<route url='/V1/df-payment/mine/place-order' method='POST'>
		<service class='Df\Payment\PlaceOrder' method='registered'/>
		<resources><resource ref='self'/></resources>
		<data><parameter name='cartId' force='true'>%cart_id%</parameter></data>
	</route>

Implementation

Magento\Integration\Api\AuthorizationServiceInterface::PERMISSION_SELF

Magento\Customer\Model\Plugin\CustomerAuthorization::aroundIsAllowed()

github.com

magento/magento2/blob/2.1.5/app/code/Magento/Customer/etc/webapi_rest/di.xml#L9-L11


 <type name="Magento\Framework\Authorization">
    <plugin name="customerAuthorization" type="Magento\Customer\Model\Plugin\CustomerAuthorization" />
</type>

github.com

magento/magento2/blob/2.1.5/app/code/Magento/Customer/Model/Plugin/CustomerAuthorization.php#L34-L60


/**
 * Check if resource for which access is needed has self permissions defined in webapi config.
 *
 * @param \Magento\Framework\Authorization $subject
 * @param callable $proceed
 * @param string $resource
 * @param string $privilege
 *
 * @return bool true If resource permission is self, to allow
 * customer access without further checks in parent method
 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
 */
public function aroundIsAllowed(
    \Magento\Framework\Authorization $subject,
    \Closure $proceed,
    $resource,
    $privilege = null
) {
    if ($resource == AuthorizationService::PERMISSION_SELF
        && $this->userContext->getUserId()
        && $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER
    ) {
        return true;
    } else {
        return $proceed($resource, $privilege);
    }
}

dmitry_fedyuk · April 5, 2017, 1:33pm