I have just installed and configured the payum bundle. I am having an exception:
Request SecuredCaptureRequest{model: Payment} is not supported.
It occurs after the redirect in the preparePaypalExpressCheckoutPaymentAction in the PaymentController.
Payum config:
payum:
contexts:
payment_with_paypal_express:
storages:
Service\Bundle\PaymentBundle\Entity\Payment:
doctrine:
driver: orm
paypal_express_checkout_nvp:
api:
options:
username: %paypal.express.username%
password: %paypal.express.password%
signature: %paypal.express.signature%
sandbox: %paypal.express.sandbox%
security:
token_storage:
Service\Bundle\PaymentBundle\Entity\PayumSecurityToken:
doctrine:
driver: orm
Payment controller:
class PaymentController extends HelperController
{
public function preparePaypalExpressCheckoutPaymentAction()
{
$paymentName = 'payment_with_paypal_express';
$storage = $this->get('payum')->getStorageForClass(
'Service\Bundle\PaymentBundle\Entity\Payment',
$paymentName
);
# ---- Set payment details below
$package = $this->getPackageRepository()->loadOneByAliasAndDuration(Package::TYPE_SUBSCRIPTION,1);
$accountPackages = new ArrayCollection();
$accountPackages->add((new AccountPackage())->setPackage($package)->setQuantity(1));
/**
* #var Payment $payment
*/
$payment = $storage->createModel();
# Account must be set first, packages must be set before paid attribute
$payment->setAccount($this->getAccount())
->setPackages($accountPackages)
->setPaid(false);
# ---- Set payment details above
$storage->updateModel($payment);
$captureToken = $this->get('payum.security.token_factory')->createCaptureToken(
$paymentName,
$payment,
'service_payment_done' // the route to redirect after capture;
);
$payment->setReturnUrl($captureToken->getTargetUrl())
->setCancelUrl($captureToken->getTargetUrl());
$storage->updateModel($payment);
return $this->redirect($captureToken->getTargetUrl());
}
public function paymentDoneAction(Request $request)
{
$token = $this->get('payum.security.http_request_verifier')->verify($request);
$payment = $this->get('payum')->getPayment($token->getPaymentName());
# $paymentDetails = $token->getDetails();
$status = new BinaryMaskStatusRequest($token);
$payment->execute($status);
if ($status->isSuccess()) {
$this->getUser()->addCredits(100);
$this->get('session')->getFlashBag()->set(
'notice',
'Payment success. Credits were added'
);
}
else if ($status->isPending()) {
$this->get('session')->getFlashBag()->set(
'notice',
'Payment is still pending. Credits were not added'
);
}
else {
$this->get('session')->getFlashBag()->set('error', 'Payment failed');
}
return $this->redirect('service_home');
}
}
Does someone have any hints what I am doing wrong? In the official documentation the payment details were presented as an object/array (a little confusing), but in my controller I made it an object, any thoughts there?
I worked it out. Forgot to extend my Payment details with ArrayObject from Payum:)
Related
For example simple controller:
/**
* #Route("/{identifier}", name="page")
*/
public function page(Request $request, string $identifier)
{
$page = $this->pageRepository->findOneBy(['identifier' => $identifier]);
if (!$page || !$page->getEnabled()) {
throw $this->createNotFoundException();
}
return $this->render('cms/index.html.twig', []);
}
And a have a bundle to manage images from admin page elfinder, which will enter the /elfinder link.
And instead of getting the bundle controller, my controller gets.
/{identifier} === /elfinder
How do people usually act in such situations?
I tried to set different priority, but it does not help
Try adding your controllers with the priority required in the annotations.yaml file. Thus, if you get a 404 in the first one, Symfony will try to open the route from the next controller
Add your controllers to config/routes/annotations.yaml
page:
resource: App\Controller\_YourFistController_
type: annotation
elfinder:
resource: FM\ElfinderBundle\Controller\ElFinderController
type: annotation
Or if this option does not suit you, then you can try the optional parameter priority. symfony doc
Add to config file config/routes.yaml:
elfinder:
path: /elfinder/{instance}/{homeFolder}
priority: 2
controller: FM\ElfinderBundle\Controller\ElFinderController::show
I tried to set the priority through the configuration file. But unfortunately it didn't work.
The only thing that helped was to create your own methods that will redirect
/**
* #Route("/elfinder", name="elfinder", priority=10)
*/
public function elfinder()
{
return $this->forward('FM\ElfinderBundle\Controller\ElFinderController::show', [
'homeFolder' => '',
'instance' => 'default',
]);
}
/**
* #Route("/efconnect", name="efconnect", priority=11)
*/
public function elfinderLoad(Request $request, SessionInterface $session, EventDispatcherInterface $dispatcher)
{
return $this->forward('FM\ElfinderBundle\Controller\ElFinderController::load', [
'session' => $session,
'eventDispatcher' => $dispatcher,
'request' => $request,
'homeFolder' => '',
'instance' => 'default',
]);
}
I have a Symfony login form authenticating against an Ldap server. I can successfully query and authenticate a user using either samaccountname or userprincipalname and the uid key in my config settings. I want to be able to allow the user to enter either their username or their username#domain.com
I have tried a preg_replace on the username in the loadUserbyUsername() method in the LdapUserProviderClass (I know is not ideal). That takes a username such as username#domain.com and passes on username. I was able to verify that the correct user was returned from the Ldap server but I'm still returned to the login form with 'Invalid Credentials'. I believe the reason why this happens in the AuthenticationUtils class request is processed and the username in the request is still username#domain.com and that does not match the username in the user object coming from the Ldap authentication which is username. If anyone has advice on how to accomplish allowing both username#domain.com and username being authenticated against Ldap I would greatly appreciate it.
SecurityController.php
public function login(Request $request, AuthenticationUtils $authenticationUtils): Response
{
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
$newLastUsername = trim(preg_replace('/#.*/', '',$lastUsername));
return $this->render('security/login.html.twig', ['last_username' => $newLastUsername, 'error' => $error]);
}
security.yml
providers:
dsg_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: '%env(BASE_DSN)%'
search_dn: '%env(SEARCH_DN)%'
search_password: '%env(SEARCH_PWD)%'
uid_key: '%env(UID_KEY)%'
#filter: '({uid_key}={_username})'
default_roles: ROLE_USER
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login_ldap:
login_path: login
check_path: login
service: Symfony\Component\Ldap\Ldap
provider: dsg_ldap
dn_string: '%env(DN_STRING)%\{username}'
My LdapUserProvider.php
class LdapUserProvider extends SymfonyLdapUserProvider
{
/** #var array maps ldap groups to roles */
private $groupMapping = [
'**' => '**',
'**' => '**',
'**' => '**',
'**' => '**'
];
/** #var string extracts group name from dn string */
private $groupNameRegExp = '/CN=(.+?),/';
protected function loadUser($username, Entry $entry)
{
$roles = ['ROLE_USER'];
// Check if the entry has attribute with the group
if (!$entry->hasAttribute('memberOf')) {
return new User($username, '', $roles);
}
// Iterate through each group entry line
foreach ($entry->getAttribute('memberOf') as $groupLine) {
// Extract the group name from the line
$groupName = $this->getGroupName($groupLine);
// Check if the group is in the mapping
if (array_key_exists($groupName, $this->groupMapping)) {
// Map the group to the role(s) the user will have
$roles[] = $this->groupMapping[$groupName];
}
}
// Create and return the user object
return new User($username, null, $roles);
}
/**
* Get the group name from the DN
* #param string $dn
* #return string
*/
private function getGroupName($dn)
{
$matches = [];
return preg_match($this->groupNameRegExp, $dn, $matches) ? $matches[1] : '';
}
}
Symfony\Component\Security\Core\User\LdapUserProvider.php
public function loadUserByUsername($username)
{
try {
$this->ldap->bind($this->searchDn, $this->searchPassword);
// what i added
$username = trim(preg_replace('/#.*/', '',$username));
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_FILTER);
$query = str_replace('{username}', $username, $this->defaultSearch);
$search = $this->ldap->query($this->baseDn, $query);
} catch (ConnectionException $e) {
throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username), 0, $e);
}
$entries = $search->execute();
$count = \count($entries);
if (!$count) {
throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
}
if ($count > 1) {
throw new UsernameNotFoundException('More than one user found');
}
$entry = $entries[0];
try {
if (null !== $this->uidKey) {
$username = $this->getAttributeValue($entry, $this->uidKey);
}
} catch (InvalidArgumentException $e) {
}
return $this->loadUser($username, $entry);
}
In the loadUserByUsername function, add another query if the first one fails. Your $this->defaultSearch is probably a constant which represents an LDAP filter.
If you create the same line in the first if (!$count) {...} like this:
$query = str_replace('{username}', $username, "(userPrincipalName={username})");
and then execute that query, you are performing a second search for the userPrincipalName which is of the form user#domain
I hope someone could help me to use Api-platorm with Nelmio.
I use Api-plaform and Nelmio. I need to hide the Api-platform docs from Nelmio.
I need to have 3 routes:
/internal -> API-Platform Docs
/external -> NELMIO-Docs
/admin -> NELMIO-Docs
My config of Nelmio:
# config/packages/nelmio_api_doc.yaml
nelmio_api_doc:
documentation:
info:
title: ...
description: ...
version: 0.2.0
areas: # to filter documented areas
default:
path_patterns: [ ^/external ]
external:
path_patterns: [ ^/external ]
admin:
path_patterns: [ ^/admin ]
My config of Nelmio (routes):
# config/routes/nelmio_api_doc.yaml
app.swagger:
path: /{area}/json
methods: GET
defaults: { _controller: nelmio_api_doc.controller.swagger, area: default }
app.swagger_ui:
path: /{area}
methods: GET
defaults: { _controller: nelmio_api_doc.controller.swagger_ui, area: default }
My config of API-Platform:
# config/routes/api_platform.yaml
api_platform:
resource: .
type: api_platform
prefix: /internal/
But if I go to http://localhost/external or http://localhost/admin I see always not only needed routes, but also the routes from API-Platform:
I know this question is old by now, but I am facing the same situation and I found a workaround that may help some one, so I am posting it.
API Platform lets you decorate Swagger so you can customize the final documentation output. I took advantage of this to get rid of the entire api platform documentation when not asking for it.
<?php
namespace App\Swagger;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
final class SwaggerDecorator implements NormalizerInterface
{
private $decorated;
private $requestStack;
public function __construct(NormalizerInterface $decorated, RequestStack $requestStack)
{
$this->decorated = $decorated;
$this->requestStack = $requestStack;
}
public function normalize($object, $format = null, array $context = [])
{
if ('/internal/docs' !== $this->requestStack->getCurrentRequest()->getPathInfo()) {
// request is not for internal docs (maybe it is for external or admin one) so get rid of api platform docs
return null;
}
$docs = $this->decorated->normalize($object, $format, $context);
// here you can customize documentation
return $docs;
}
public function supportsNormalization($data, $format = null)
{
return $this->decorated->supportsNormalization($data, $format);
}
}
I hope this helps someone, happy coding!
UPDATE
In order to enable that decorator, you must declare it as so in your services file:
App\Swagger\SwaggerDecorator:
decorates: 'api_platform.swagger.normalizer.api_gateway'
arguments: [ '#App\Swagger\SwaggerDecorator.inner' ]
autoconfigure: false
Then, in the class itself, replace '/internal/docs' with the actual URL you are using for your API Platform documentation.
Hope this helps.
On your nelmio configuration yaml file, use a regex to exclude the docs. For instance, for excluding the /external/doc you should:
external:
path_patterns: [ ^/external(?!/doc$) ]
I guess there is something I'm missing.
I have a User entity which is validated through a yml file but every time I send a post request to the route it seems it doesn't get my request. With this I mean that the route works fine but I keep getting the error messages that the password and username should not be blank (due to the constraints i set). So it seems it's not getting my request validated against the entity.
I made sure to have this settings triggered in my config:
validation: { enabled: true, enable_annotations: true }
Here is my routing.yml:
user_login_homepage:
path: /check
defaults: { _controller: UserLoginBundle:Login:checkCredentials }
methods: [POST]
Here is my validation.yml
User\UserBundle\Entity\User:
properties:
username:
- NotBlank: ~
password:
- NotBlank: ~
Here is my controller (LoginController.php)
public function checkCredentialsAction(Request $request)
{
$recursiveValidator = $this->get('validator');
$user = new User();
$errors = $recursiveValidator->validate($user);
if (count($errors) > 0) {
$errorsString = (string) $errors;
return new Response($errorsString);
}
return new Response('Yuppy');
}
I've just tried to follow the instructions but I'm not able to have it work :(
Am I missing something?
you are creating an empty User so It's correct the error, try this (I have imagine that username and password are passed into POST data right?):
$user = new User();
$postData = $request->request->all();
$user->setUsername($postData['username'];
$user->setPassword($postData['password'];
$errors = $recursiveValidator->validate($user);
Generally I have the following business model:
There're users and groups. Each user belongs to only one group and amount of groups is not determined beforehead (as well as amount of users for most sites).
Also there're several different busyness objects, which may belong to user.
Groups are not separate objects, which should be controlled by ACL themselves, but they should affect how other entities should be controlled much like unix groups.
There're 3 basic roles: SUPERADMIN, ADMIN and USER.
SUPERADMIN is able to do anything with any entity.
USER is generally able to read/write own entities (including him/her-self) and read
entitites from his/her group.
ADMIN should have full control of
entities within his group, but not from other groups. I don't
understand how to apply ACL inheritance here (and whether this could
be applied at all).
Also I'm interested in, how denying access could be applied in ACL. Like user have read/write access to all his fields except login. User should only read his login.
I.e. it is logical to provide read/write access to his own profile, but deny write to login, rather than defining read/write access to all his fields (except login) directly.
Ok, here it is. Code isn't perfect at all, but it's better, than nothing.
Voter service.
<?php
namespace Acme\AcmeBundle\Services\Security;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
class GroupedConcernVoter implements VoterInterface {
public function __construct(ContainerInterface $container)
{
$this->container = $container;
$rc = $this->container->getParameter('grouped_concern_voter.config');
// some config normalization performed
$this->rightsConfig = $rc;
}
// even though supportsAttribute and supportsClass methods are required by interface,
// services that I saw, leaves them empty and do not use them
public function supportsAttribute($attribute)
{
return in_array($attribute, array('OWNER', 'MASTER', 'OPERATOR', 'VIEW', 'EDIT', 'CREATE', 'DELETE', 'UNDELETE', 'DEPLOY'))
// hacky way to support per-attribute edit and even view rights.
or preg_match("/^(EDIT|VIEW)(_[A-Z]+)+$/", $attribute);
}
public function supportsClass($object)
{
$object = $object instanceof ObjectIdentity ? $object->getType() : $object;
// all our business object, which should be manageable by that code have common basic class.
// Actually it is a decorator over Propel objects with some php magic... nevermind.
// If one wants similar solution, interface like IOwnableByUserAndGroup with
// getUserId and getGroupId methods may be defined and used
return is_subclass_of($object, "Acme\\AcmeBundle\\CommonBusinessObject");
}
function vote(TokenInterface $token, $object, array $attributes)
{
if (!$this->supportsClass($object)) {
return self::ACCESS_ABSTAIN;
}
if ($object instanceof ObjectIdentity) $object = $object->getType();
if (is_string($object)) {
$scope = 'own';
$entity = $object;
} else {
if ($object->getUserId() == $this->getUser()->getId()) {
$scope = 'own';
} else if ($object->getGroupId() == $this->getUser()->getGroupId()) {
$scope = 'group';
} else {
$scope = 'others';
}
$entity = get_class($object);
}
$user = $token->getUser();
$roles = $user->getRoles();
$role = empty($roles) ? 'ROLE_USER' : $roles[0];
$rights = $this->getRightsFor($role, $scope, $entity);
if ($rights === null) return self::ACCESS_ABSTAIN;
// some complicated logic for checking rights...
foreach ($attributes as $attr) {
$a = $attr;
$field = '';
if (preg_match("/^(EDIT|VIEW)((?:_[A-Z]+)+)$/", $attr, $m)) list(, $a, $field) = $m;
if (!array_key_exists($a, $rights)) return self::ACCESS_DENIED;
if ($rights[$a]) {
if ($rights[$a] === true
or $field === '')
return self::ACCESS_GRANTED;
}
if (is_array($rights[$a])) {
if ($field == '') return self::ACCESS_GRANTED;
$rfield = ltrim(strtolower($field), '_');
if (in_array($rfield, $rights[$a])) return self::ACCESS_GRANTED;
}
return self::ACCESS_DENIED;
}
}
private function getRightsFor($role, $scope, $entity)
{
if (array_key_exists($entity, $this->rightsConfig)) {
$rc = $this->rightsConfig[$entity];
} else {
$rc = $this->rightsConfig['global'];
}
$rc = $rc[$role][$scope];
$ret = array();
foreach($rc as $k => $v) {
if (is_numeric($k)) $ret[$v] = true;
else $ret[$k] = $v;
}
// hacky way to emulate cumulative rights like in ACL
if (isset($ret['OWNER'])) $ret['MASTER'] = true;
if (isset($ret['MASTER'])) $ret['OPERATOR'] = true;
if (isset($ret['OPERATOR']))
foreach(array('VIEW', 'EDIT', 'CREATE', 'DELETE', 'UNDELETE') as $r) $ret[$r] = true;
return $ret;
}
private function getUser() {
if (empty($this->user)) {
// Not sure, how this shortcut works. This is a service (?) returning current authorized user.
$this->user = $this->container->get('acme.user.shortcut');
}
return $this->user;
}
}
And config... actually, it is implementation-specific and its structure is completely arbitrary.
grouped_concern_voter.config:
global:
ROLE_SUPERADMIN:
own: [MASTER]
group: [MASTER]
others: [MASTER]
ROLE_ADMIN:
own: [MASTER]
group: [MASTER]
others: []
ROLE_USER:
own: [VIEW, EDIT, CREATE]
group: [VIEW]
others: []
"Acme\\AcmeBundle\\User":
# rights for ROLE_SUPERADMIN are derived from 'global'
ROLE_ADMIN:
own:
VIEW: [login, email, real_name, properties, group_id]
EDIT: [login, password, email, real_name, properties]
CREATE: true
group:
VIEW: [login, email, real_name, properties]
EDIT: [login, password, email, real_name, properties]
# rights for ROLE_ADMIN/others are derived from 'global'
ROLE_USER:
own:
VIEW: [login, password, email, real_name, properties]
EDIT: [password, email, real_name, properties]
group: []
# rights for ROLE_USER/others are derived from 'global'
"Acme\\AcmeBundle\\Cake":
# most rights are derived from global here.
ROLE_ADMIN:
others: [VIEW]
ROLE_USER:
own: [VIEW]
others: [VIEW]
And finally usage example. Somewhere in controller:
$cake = Acme\AcmeBundle\CakeFactory->produce('strawberry', '1.3kg');
$securityContext = $this->get('security.context');
if ($securityContext->isGranted('EAT', $cake)) {
die ("The cake is a lie");
}
when creating a group, create role ROLE_GROUP_(group id), promote group with this role, and grant permissions with rolesecurityidentity