Add information on how to get a user in a provider #1751
base: 3.1
As this is the most basic use case for using a provider ever (showing entities that only relate to the current user), adding it to the docs would have saved me a lot of time.
@@ -125,6 +125,40 @@ use App\State\BlogPostProvider; | |||
class BlogPost {} | |||
``` | |||
|
|||
## Getting the user in a provider |
## Getting the user in a provider | |
## Getting The Currently Connected User in a Provider |
use App\Repository\BlogPostRepository; | ||
use Symfony\Bundle\SecurityBundle\Security; | ||
|
||
class BlogPostProvider implements ProviderInterface |
class BlogPostProvider implements ProviderInterface | |
final class BlogPostProvider implements ProviderInterface |
return $this->blogPostRepository->findAllForUser($this->security->getToken()->getUser()); | ||
} | ||
|
||
return $this->blogPostRepository->find($uriVariables['id']); |
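Review bot: the item branch `return $this->blogPostRepository->find($uriVariables['id']);` loads a post by id with no ownership check, so in a section about showing only the current user's entities, a caller can still read another user's post by requesting its id. Scope the item lookup to the current user as well, or drop the item branch from the example. In the collection branch, `$this->security->getToken()` returns null when there is no authenticated token, so the chained `->getUser()` call fails; `$this->security->getUser()` covers that case, and the example should show what the provider returns when it yields null.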
Maybe this should be removed, as this doesn't look related?
Also, you should set the `Vary` HTTP header (on the ApiResource attribute) to prevent any cache pollution issue.
This is only useful if you don't use Doctrine (or at least the built-in Doctrine provider), otherwise you should use an extension instead: https://api-platform.com/docs/core/extensions/ Could you make it clear in this page? Thanks for improving our docs!
🤯 It's called extensions... (I am using Doctrine.) Okay, I had no idea. I found "filters" and "subresources" and "state providers" but I did not look at "extensions" for this type of filtering / ownership logic... (extensions, in my mind, are "extending" API-Platform. Not "Extending the automatically generated queries in ORMs" / "Query extensions")

Thanks for the quick review, I'll run through this stuff again and edit the docs.
As this is the most basic use case for using a provider ever (showing entities that only relate to the current user), adding it to the docs would have saved me a lot of time.
There's way more docs to be updated - nothing seems to even remotely indicate some kind of ACL / User related data filtering.
Isn't it one of the most basic use cases ever? Where you want someone to only see their own data?
This use case doesn't seem to be documented anywhere. It doesn't seem doable by using the annotations (albeit there's security and IRI overrides everywhere); it would never just show this user's own stuff.