Replies: 1 comment
So I managed to find a workaround by moving the DTO creation logic from a StateProvider to a custom ControllerAction. By doing this we can have the original ORM resource loaded via the state provider and then passed for authorization to the AuthorizationChecker. Once it passes security, the resource is then injected as $data into the custom controller action. And voila, we can now create the DTO and return it.
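The workaround described in the reply above, as an added example that is not code from this thread or from API Platform itself. `Book`, `BookOutput`, `BookOutputAction`, `BookVoter`, the `BOOK_VIEW` attribute and the use of `output:` are assumptions made for illustration; the classes are shown in one listing but would each live in their own file.

```php
<?php
// Added illustration: every class name and the BOOK_VIEW attribute are hypothetical.
namespace App;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\HttpKernel\Attribute\AsController;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

// No custom state provider here: the default Doctrine provider loads the entity,
// so `object` in the security expression is the Book itself, not a DTO.
#[ORM\Entity]
#[ApiResource(operations: [new Get(
    controller: BookOutputAction::class,
    security: "is_granted('BOOK_VIEW', object)",
    output: BookOutput::class,
)])]
class Book
{
    #[ORM\Id, ORM\GeneratedValue, ORM\Column] public ?int $id = null;
    #[ORM\Column] public string $title = '';
    #[ORM\Column] public string $ownerIdentifier = '';
}

final class BookOutput
{
    public function __construct(public readonly string $title) {}
}

// Called only after the security expression passed; $data is the loaded entity.
#[AsController]
final class BookOutputAction
{
    public function __invoke(Book $data): BookOutput
    {
        return new BookOutput($data->title);
    }
}

// The voter receives the ORM entity, so ownership can be checked on real data.
final class BookVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    { return $attribute === 'BOOK_VIEW' && $subject instanceof Book; }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    { return $token->getUser()?->getUserIdentifier() === $subject->ownerIdentifier; }
}
```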
Now that DataTransformers are deprecated and removed and the suggested way to create custom resource output objects is through State Providers, how are we supposed to handle authorization via voters? Because Security checks are executed after the state provider so basically the object passed to the
security: "is_granted('ROLE_SOME_ROLE', object)",
is now output DTO and not the original entity object. It seems to me that the current API Resource Security/SecurityPostDenormalize functionality lost its purpose during the upgrade. Because even if we moved DTO to a custom resource we would still need to handle the security during the State Provider phase and not after it when we already generate the output.