use link security

api/config/packages/api_platform.yaml

@@ -3,6 +3,7 @@ api_platform:
     version: 1.0.0
     show_webby: false
     use_symfony_listeners: true
+    enable_link_security: true
     mapping:
         paths:
             - '%kernel.project_dir%/src/Entity'

api/src/Entity/Day.php

@@ -37,7 +37,11 @@
         new GetCollection(
             uriTemplate: self::PERIOD_SUBRESOURCE_URI_TEMPLATE,
             uriVariables: [
-                'periodId' => new Link(toProperty: 'period', fromClass: Period::class),
+                'periodId' => new Link(
+                    toProperty: 'period',
+                    fromClass: Period::class,
+                    security: 'is_granted("CAMP_COLLABORATOR", period) or is_granted("CAMP_IS_PROTOTYPE", period)'
+                ),
             ],
             normalizationContext: self::COLLECTION_NORMALIZATION_CONTEXT,
             security: 'is_fully_authenticated()',

api/src/Entity/DayResponsible.php

@@ -35,9 +35,12 @@
         new GetCollection(
             uriTemplate: self::DAY_SUBRESOURCE_URI_TEMPLATE,
             uriVariables: [
-                'dayId' => new Link(toProperty: 'day', fromClass: Day::class),
+                'dayId' => new Link(
+                    toProperty: 'day',
+                    fromClass: Day::class,
+                    security: 'is_granted("CAMP_COLLABORATOR", day) or is_granted("CAMP_IS_PROTOTYPE", day)'
+                ),
             ],
-            security: 'is_fully_authenticated()',
         ),
         new Post(
             securityPostDenormalize: 'is_granted("CAMP_MEMBER", object) or is_granted("CAMP_MANAGER", object)'

api/src/Entity/ScheduleEntry.php

@@ -46,7 +46,11 @@
         new GetCollection(
             uriTemplate: self::PERIOD_SUBRESOURCE_URI_TEMPLATE,
             uriVariables: [
-                'periodId' => new Link(toProperty: 'period', fromClass: Period::class),
+                'periodId' => new Link(
+                    toProperty: 'period',
+                    fromClass: Period::class,
+                    security: 'is_granted("CAMP_COLLABORATOR", period) or is_granted("CAMP_IS_PROTOTYPE", period)'
+                ),
             ],
             security: 'is_fully_authenticated()',
         ),

api/tests/Api/DayResponsibles/ListDayResponsiblesTest.php

@@ -126,9 +126,6 @@ public function testListDayResponsiblesAsDaySubresourceIsDeniedForUnrelatedUser(
             ->request('GET', '/days/'.$day->getId().'/day_responsibles')
         ;
 
-        $this->assertResponseStatusCodeSame(200);
-
-        $this->assertJsonContains(['totalItems' => 0]);
-        $this->assertArrayNotHasKey('items', $response->toArray()['_links']);
+        $this->assertResponseStatusCodeSame(404);
     }
 }

api/tests/Api/Days/ListDaysTest.php

@@ -149,9 +149,6 @@ public function testListDaysAsPeriodSubresourceIsDeniedForUnrelatedUser() {
             ->request('GET', '/periods/'.$period->getId().'/days')
         ;
 
-        $this->assertResponseStatusCodeSame(200);
-
-        $this->assertJsonContains(['totalItems' => 0]);
-        $this->assertArrayNotHasKey('items', $response->toArray()['_links']);
+        $this->assertResponseStatusCodeSame(404);
     }
 }

api/tests/Api/ScheduleEntries/ListScheduleEntriesTest.php

@@ -402,9 +402,6 @@ public function testListScheduleEntriesAsPeriodSubresourceIsDeniedForUnrelatedUs
             ->request('GET', '/periods/'.$period->getId().'/schedule_entries')
         ;
 
-        $this->assertResponseStatusCodeSame(200);
-
-        $this->assertJsonContains(['totalItems' => 0]);
-        $this->assertArrayNotHasKey('items', $response->toArray()['_links']);
+        $this->assertResponseStatusCodeSame(404);
     }
 }