Issue #3066645 by e0ipso: Add more granular permissions

api_proxy.routing.yml

@@ -25,5 +25,6 @@ api_proxy.forwarder:
     _controller: Drupal\api_proxy\Controller\Forwarder::forward
     _title: 'API Proxy request forwarder'
   requirements:
-    # TODO: Add granular permissions to use each one of the APIs.
-    _permission: 'use api proxies'
+    # Dynamic permissions are enforced in the controller.
+    # TODO: Move permission checks to the routing system.
+    _access: 'TRUE'

src/Controller/Forwarder.php

@@ -6,6 +6,8 @@ use Drupal\api_proxy\Plugin\HttpApiInterface;
 use Drupal\Component\Utility\UrlHelper;
 use Drupal\Core\Cache\CacheableMetadata;
 use Drupal\Core\Cache\CacheableResponse;
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException;
 use Drupal\Core\Http\Exception\CacheableBadRequestHttpException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -13,7 +15,7 @@ use Symfony\Component\HttpFoundation\Response;
 /**
  * Main controller to forward requests.
  */
-final class Forwarder {
+final class Forwarder extends ControllerBase {
 
   const QUERY_PARAM_URI = '_api_proxy_uri';
 
@@ -29,6 +31,13 @@ final class Forwarder {
    *   The response object.
    */
   public function forward(HttpApiInterface $api_proxy, Request $request): Response {
+    // TODO: This belongs to the routing system.
+    $account = $this->currentUser();
+    if (!$account->hasPermission(key($api_proxy->permissions()))) {
+      $cacheability = (new CacheableMetadata())
+        ->addCacheContexts(['user.permissions']);
+      throw new CacheableAccessDeniedHttpException($cacheability, 'The current user does not have access to this proxy');
+    }
     $third_party_uri = $this->sanitizeUri($request->query->get(static::QUERY_PARAM_URI));
     $cache_contexts = ['url.query_args:' . static::QUERY_PARAM_URI];
     $cacheability = (new CacheableMetadata())->addCacheContexts($cache_contexts);

src/EventSubscriber/OptionsRequestSubscriber.php

@@ -2,6 +2,7 @@
 
 namespace Drupal\api_proxy\EventSubscriber;
 
+use Drupal\api_proxy\Controller\Forwarder;
 use Drupal\api_proxy\Plugin\HttpApiPluginBase;
 use Drupal\Core\Cache\CacheableMetadata;
 use Drupal\Core\Cache\CacheableResponse;
@@ -75,7 +76,16 @@ class OptionsRequestSubscriber implements EventSubscriberInterface {
       $event->setResponse($response);
       return;
     }
-    $event->setResponse($proxy->corsResponse($request));
+    $response = $proxy->corsResponse($request);
+    $cache_contexts = [
+      'url.query_args:' . Forwarder::QUERY_PARAM_URI,
+      'headers:Origin',
+    ];
+    $cacheability = (new CacheableMetadata())
+      ->addCacheContexts($cache_contexts);
+    $response->addCacheableDependency($cacheability);
+    $response->setVary('Origin', FALSE);
+    $event->setResponse($response);
   }
 
   /**

src/Plugin/HttpApiInterface.php

@@ -2,6 +2,7 @@
 
 namespace Drupal\api_proxy\Plugin;
 
+use Drupal\Component\Plugin\PluginInspectionInterface;
 use Drupal\Core\Cache\CacheableResponse;
 use Drupal\Core\Form\SubformStateInterface;
 use Symfony\Component\HttpFoundation\HeaderBag;
@@ -9,7 +10,7 @@ use Symfony\Component\HttpFoundation\ParameterBag;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
-interface HttpApiInterface {
+interface HttpApiInterface extends PluginInspectionInterface {
 
   public function getBaseUrl(): string;
   public function shouldForwardHeaders(): bool;
@@ -47,6 +48,6 @@ interface HttpApiInterface {
    * @return array
    *   The permission array.
    */
-  public function permissions();
+  public function permissions(): array;
 
 }

src/Plugin/HttpApiPluginBase.php

@@ -438,7 +438,7 @@ abstract class HttpApiPluginBase extends PluginBase implements ContainerFactoryP
   /**
    * {@inheritdoc}
    */
-  public function permissions() {
+  public function permissions(): array {
     $permission = sprintf('use %s api proxy', $this->getPluginId());
     $definition = $this->getPluginDefinition();
     $title = $this->t('Use the HTTP API proxy for %label', [