Merge 3.3

Author: soyuka

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## v3.3.8
+
+### Bug fixes
+
+* [0edc73806](https://github.com/api-platform/core/commit/0edc73806c047b04c452a1cd7bc1132106906d02) fix(state): allow to skip parameter validator provider (#6452)
+* [25c5f222d](https://github.com/api-platform/core/commit/25c5f222dbe24ff111d2ba2b19556112a50ed87a) fix(graphql): security after resolver (#6444)
+* [32ef3d4e2](https://github.com/api-platform/core/commit/32ef3d4e24f14b361e2c67efb2494b8494a87b12) fix(jsonld): allow @id, @context and @type on denormalization 2 (#6451)
+* [4de43bab9](https://github.com/api-platform/core/commit/4de43bab9fbcafcd79ceac9bbe3a1293b56303c4) fix: swagger ui provider accept html (#6449)
+* [65ac0d228](https://github.com/api-platform/core/commit/65ac0d22885c8c9b68df9f3becd1b004746ce019) fix(symfony): property info with doctrine collections
+* [7926dc68d](https://github.com/api-platform/core/commit/7926dc68d1d0e9df7ff6439487beb782dd124671) fix: parameter not found when no value (#6458)
+* [93e4b3d70](https://github.com/api-platform/core/commit/93e4b3d709a6a9bbfb4fd0722f7aa5b01efa57d7) fix(state): store parameter value without its key (#6456)
+* [c086dfe9d](https://github.com/api-platform/core/commit/c086dfe9dd516e5fa26e1a819ba0477c50b4ffda) fix(openapi): optional yaml component (#6445)
+* [c473b2efe](https://github.com/api-platform/core/commit/c473b2efec4e53929fbe2832452894d489002455) fix(state): query and header parameter with the same name (#6453)
+
+
+### Features
+
+These are enhancement to the experimental Parameter feature:
+
+* [9ac50d294](https://github.com/api-platform/core/commit/9ac50d294f95a0c34baf67aebf3ea5623bc1be4c) feat(state): review validation for required parameters (#6441)
+* [c2d3aeb91](https://github.com/api-platform/core/commit/c2d3aeb91764e5fa1f8f56de3a800cc69364a9b0) feat(state): list all violations during query parameters validation (#6442)
+
 ## v3.3.7
 
 ### Bug fixes

features/main/standard_put.feature

@@ -26,6 +26,60 @@ Feature: Spec-compliant PUT support
     }
     """
 
+  Scenario: Create a new resource with JSON-LD attributes
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I send a "PUT" request to "/standard_puts/6" with body:
+    """
+    {
+      "@id": "/standard_puts/6",
+      "@context": "/contexts/StandardPut",
+      "@type": "StandardPut",
+      "foo": "a",
+      "bar": "b"
+    }
+    """
+    Then the response status code should be 201
+    And the response should be in JSON
+    And the JSON should be equal to:
+    """
+    {
+      "@context": "/contexts/StandardPut",
+      "@id": "/standard_puts/6",
+      "@type": "StandardPut",
+      "id": 6,
+      "foo": "a",
+      "bar": "b"
+    }
+    """
+
+  Scenario: Fails to create a new resource with the wrong JSON-LD @id
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I send a "PUT" request to "/standard_puts/7" with body:
+    """
+    {
+      "@id": "/dummies/6",
+      "@context": "/contexts/StandardPut",
+      "@type": "StandardPut",
+      "foo": "a",
+      "bar": "b"
+    }
+    """
+    Then the response status code should be 400
+
+  Scenario: Fails to create a new resource when the JSON-LD @id doesn't match the URI
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I send a "PUT" request to "/standard_puts/7" with body:
+    """
+    {
+      "@id": "/standard_puts/6",
+      "@context": "/contexts/StandardPut",
+      "@type": "StandardPut",
+      "foo": "a",
+      "bar": "b"
+    }
+    """
+    Then the response status code should be 400
+
   Scenario: Replace an existing resource
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "PUT" request to "/standard_puts/5" with body:

src/JsonLd/Serializer/ItemNormalizer.php

@@ -17,6 +17,7 @@
 use ApiPlatform\Api\ResourceClassResolverInterface as LegacyResourceClassResolverInterface;
 use ApiPlatform\JsonLd\AnonymousContextBuilderInterface;
 use ApiPlatform\JsonLd\ContextBuilderInterface;
+use ApiPlatform\Metadata\Exception\ItemNotFoundException;
 use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\IriConverterInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
@@ -47,6 +48,29 @@ final class ItemNormalizer extends AbstractItemNormalizer
     use JsonLdContextTrait;
 
     public const FORMAT = 'jsonld';
+    private const JSONLD_KEYWORDS = [
+        '@context',
+        '@direction',
+        '@graph',
+        '@id',
+        '@import',
+        '@included',
+        '@index',
+        '@json',
+        '@language',
+        '@list',
+        '@nest',
+        '@none',
+        '@prefix',
+        '@propagate',
+        '@protected',
+        '@reverse',
+        '@set',
+        '@type',
+        '@value',
+        '@version',
+        '@vocab',
+    ];
 
     public function __construct(ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, PropertyNameCollectionFactoryInterface $propertyNameCollectionFactory, PropertyMetadataFactoryInterface $propertyMetadataFactory, IriConverterInterface|LegacyIriConverterInterface $iriConverter, ResourceClassResolverInterface|LegacyResourceClassResolverInterface $resourceClassResolver, private readonly ContextBuilderInterface $contextBuilder, ?PropertyAccessorInterface $propertyAccessor = null, ?NameConverterInterface $nameConverter = null, ?ClassMetadataFactoryInterface $classMetadataFactory = null, array $defaultContext = [], ?ResourceAccessCheckerInterface $resourceAccessChecker = null, protected ?TagCollectorInterface $tagCollector = null)
     {
@@ -148,9 +172,27 @@ public function denormalize(mixed $data, string $class, ?string $format = null,
                 throw new NotNormalizableValueException('Update is not allowed for this operation.');
             }
 
-            $context[self::OBJECT_TO_POPULATE] = $this->iriConverter->getResourceFromIri($data['@id'], $context + ['fetch_data' => true]);
+            try {
+                $context[self::OBJECT_TO_POPULATE] = $this->iriConverter->getResourceFromIri($data['@id'], $context + ['fetch_data' => true], $context['operation'] ?? null);
+            } catch (ItemNotFoundException $e) {
+                $operation = $context['operation'] ?? null;
+
+                if (!('PUT' === $operation?->getMethod() && ($operation->getExtraProperties()['standard_put'] ?? false))) {
+                    throw $e;
+                }
+            }
         }
 
         return parent::denormalize($data, $class, $format, $context);
     }
+
+    protected function getAllowedAttributes(string|object $classOrObject, array $context, bool $attributesAsString = false): array|bool
+    {
+        $allowedAttributes = parent::getAllowedAttributes($classOrObject, $context, $attributesAsString);
+        if (\is_array($allowedAttributes) && ($context['api_denormalize'] ?? false)) {
+            $allowedAttributes = array_merge($allowedAttributes, self::JSONLD_KEYWORDS);
+        }
+
+        return $allowedAttributes;
+    }
 }

src/Serializer/AbstractItemNormalizer.php

@@ -220,7 +220,7 @@ public function denormalize(mixed $data, string $class, ?string $format = null,
                 throw new LogicException('Cannot denormalize the input because the injected serializer is not a denormalizer');
             }
 
-            unset($context['input'], $context['operation'], $context['operation_name']);
+            unset($context['input'], $context['operation'], $context['operation_name'], $context['uri_variables']);
             $context['resource_class'] = $inputClass;
 
             try {

src/Symfony/Bundle/SwaggerUi/SwaggerUiProvider.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Symfony\Bundle\SwaggerUi;
 
 use ApiPlatform\Documentation\Documentation;
+use ApiPlatform\Documentation\Entrypoint;
 use ApiPlatform\Metadata\Error;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\HttpOperation;
@@ -44,6 +45,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             !($operation instanceof HttpOperation)
             || !($request = $context['request'] ?? null)
             || 'html' !== $request->getRequestFormat()
+            || true === ($operation->getExtraProperties()['_api_disable_swagger_provider'] ?? false)
         ) {
             return $this->decorated->provide($operation, $uriVariables, $context);
         }
@@ -55,11 +57,12 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         // We need to call our operation provider just in case it fails
         // when it fails we'll get an Error and we'll fix the status accordingly
         // @see features/main/content_negotiation.feature:119
-        // DocumentationAction has no content negotation as well we want HTML so render swagger ui
-        if (!$operation instanceof Error && Documentation::class !== $operation->getClass()) {
+        // When requesting DocumentationAction or EntrypointAction with Accept: text/html we render SwaggerUi
+        if (!$operation instanceof Error && !\in_array($operation->getClass(), [Documentation::class, Entrypoint::class], true)) {
             $this->decorated->provide($operation, $uriVariables, $context);
         }
 
+        // This should render only when an error occured
         $swaggerUiOperation = new Get(
             class: OpenApi::class,
             processor: 'api_platform.swagger_ui.processor',
@@ -71,7 +74,6 @@ class: OpenApi::class,
 
         // save our operation
         $request->attributes->set('_api_operation', $swaggerUiOperation);
-
         $data = $this->openApiFactory->__invoke(['base_url' => $request->getBaseUrl() ?: '/']);
         $request->attributes->set('data', $data);
 

src/Symfony/Routing/IriConverter.php

@@ -78,6 +78,17 @@ public function getResourceFromIri(string $iri, array $context = [], ?Operation
             throw new InvalidArgumentException(sprintf('No resource associated to "%s".', $iri));
         }
 
+        // uri_variables come from the Request context and may not be available
+        foreach ($context['uri_variables'] ?? [] as $key => $value) {
+            if (!isset($parameters[$key]) || $parameters[$key] !== (string) $value) {
+                throw new InvalidArgumentException(sprintf('The iri "%s" does not reference the correct resource.', $iri));
+            }
+        }
+
+        if ($operation && !is_a($parameters['_api_resource_class'], $operation->getClass(), true)) {
+            throw new InvalidArgumentException(sprintf('The iri "%s" does not reference the correct resource.', $iri));
+        }
+
         $operation = $parameters['_api_operation'] = $this->resourceMetadataCollectionFactory->create($parameters['_api_resource_class'])->getOperation($parameters['_api_operation_name']);
 
         if ($operation instanceof CollectionOperationInterface) {

tests/Fixtures/TestBundle/ApiResource/Issue6384/AcceptHtml.php

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6384;
+
+use ApiPlatform\Metadata\Get;
+use Symfony\Component\HttpFoundation\Response;
+
+#[Get(
+    uriTemplate: 'accept_html',
+    provider: [self::class, 'provide'],
+    outputFormats: ['html' => ['text/html']],
+    formats: ['html' => ['text/html']],
+    extraProperties: ['_api_disable_swagger_provider' => true]
+)]
+class AcceptHtml
+{
+    public static function provide(): Response
+    {
+        return new Response('<h1>hello</h1>');
+    }
+}

tests/Fixtures/TestBundle/Entity/Issue6465/Bar.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity\Issue6465;
+
+use ApiPlatform\Metadata\ApiResource;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity()]
+#[ApiResource(shortName: 'Bar6465')]
+#[ORM\Table(name: 'bar6465')]
+class Bar
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    public ?int $id = null;
+
+    #[ORM\Column]
+    public string $title = '';
+}

tests/Fixtures/TestBundle/Entity/Issue6465/CustomInput.php

@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity\Issue6465;
+
+use Symfony\Component\Validator\Constraints\NotBlank;
+
+class CustomInput
+{
+    #[NotBlank]
+    public Bar $bar;
+}

tests/Fixtures/TestBundle/Entity/Issue6465/CustomOutput.php

@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity\Issue6465;
+
+class CustomOutput
+{
+    public function __construct(public string $title)
+    {
+    }
+}