refactor(state): merge parameter and link security

Author: soyuka

src/Elasticsearch/Extension/SortExtension.php

@@ -62,7 +62,7 @@ public function applyToCollection(array $requestBody, string $resourceClass, ?Op
         } elseif (null !== $this->defaultDirection) {
             $property = 'id';
             if ($operation instanceof HttpOperation) {
-                $uriVariables = $operation->getUriVariables()[0] ?? null;
+                $uriVariables = current($operation->getUriVariables()) ?? null;
                 $property = $uriVariables ? $uriVariables->getIdentifiers()[0] ?? 'id' : 'id';
             }
 

src/Elasticsearch/Filter/AbstractSearchFilter.php

@@ -139,7 +139,7 @@ protected function isIdentifier(string $resourceClass, string $property, ?Operat
     {
         $identifier = 'id';
         if ($operation instanceof HttpOperation) {
-            $uriVariable = $operation->getUriVariables()[0] ?? null;
+            $uriVariable = current($operation->getUriVariables()) ?? null;
 
             if ($uriVariable) {
                 $identifier = $uriVariable->getIdentifiers()[0] ?? 'id';

src/Elasticsearch/Serializer/DocumentNormalizer.php

@@ -102,7 +102,7 @@ private function populateIdentifier(array $data, string $class): array
 
         $operation = $resourceMetadata->getOperation();
         if ($operation instanceof HttpOperation) {
-            $uriVariable = $operation->getUriVariables()[0] ?? null;
+            $uriVariable = current($operation->getUriVariables()) ?? null;
 
             if ($uriVariable) {
                 $identifier = $uriVariable->getIdentifiers()[0] ?? 'id';

src/Hydra/Serializer/CollectionFiltersNormalizer.php

@@ -84,9 +84,9 @@ public function normalize(mixed $object, ?string $format = null, array $context
         $resourceClass = $this->resourceClassResolver->getResourceClass($object, $context['resource_class']);
         $operation = $context['operation'] ?? $this->resourceMetadataCollectionFactory->create($resourceClass)->getOperation($context['operation_name'] ?? null);
 
-        $parameters = $operation->getParameters();
+        $parameters = $operation->getParameters() ?? new Parameters();
         $resourceFilters = $operation->getFilters();
-        if (!$resourceFilters && !$parameters) {
+        if (!$resourceFilters && 0 === \count($parameters)) {
             return $data;
         }
 
@@ -103,7 +103,7 @@ public function normalize(mixed $object, ?string $format = null, array $context
 
         $resourceClass = $this->getStateOptionsClass($operation, $resourceClass);
 
-        if ($currentFilters || ($parameters && \count($parameters))) {
+        if ($currentFilters || \count($parameters) > 0) {
             $hydraPrefix = $this->getHydraPrefix($context + $this->defaultContext);
             $data[$hydraPrefix.'search'] = $this->getSearch($resourceClass, $requestParts, $currentFilters, $parameters, $hydraPrefix);
         }

src/Metadata/Exception/AccessDeniedException.php

@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Metadata\Exception;
+
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+final class AccessDeniedException extends AccessDeniedHttpException implements HttpExceptionInterface
+{
+    public function getStatusCode(): int
+    {
+        return 403;
+    }
+
+    public function getHeaders(): array
+    {
+        return [];
+    }
+}

src/Metadata/HttpOperation.php

@@ -34,7 +34,7 @@ class HttpOperation extends Operation
      * @param array<int|string, string|string[]>|string|null $formats       {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
      * @param array<int|string, string|string[]>|string|null $inputFormats  {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
      * @param array<int|string, string|string[]>|string|null $outputFormats {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
-     * @param array<string,array{
+     * @param Parameters|array<string,array{
      *     0: string,
      *     1: string
      * }|array{
@@ -344,11 +344,17 @@ public function withOutputFormats($outputFormats = null): static
         return $self;
     }
 
-    public function getUriVariables()
+    /**
+     * @return array<string, mixed>|null
+     */
+    public function getUriVariables(): mixed
     {
         return $this->uriVariables;
     }
 
+    /**
+     * @param array<string, mixed>|array<int, Link>|list<string> $uriVariables
+     */
     public function withUriVariables($uriVariables): static
     {
         $self = clone $this;

src/Metadata/Link.php

@@ -16,7 +16,7 @@
 use ApiPlatform\OpenApi;
 
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
-final class Link extends Parameter
+final class Link extends Parameter implements UriVariableParameterInterface
 {
     public function __construct(
         private ?string $parameterName = null,

src/Metadata/Parameter.php

@@ -133,6 +133,12 @@ public function getValue(mixed $default = new ParameterNotFound()): mixed
         return $this->extraProperties['_api_values'] ?? $default;
     }
 
+    /**
+     * Only use this in a parameter provider, the ApiPlatform\State\Provider\ParameterProvider
+     * resets this value to extract the correct value on each request.
+     * It's also possible to set the `_api_query_parameters` request attribute directly and
+     * API Platform will extract the value from there.
+     */
     public function setValue(mixed $value): static
     {
         $this->extraProperties['_api_values'] = $value;

src/Metadata/Parameters.php

@@ -122,6 +122,19 @@ public function has(string $key, string $parameterClass = QueryParameter::class)
         return false;
     }
 
+    /**
+     * @return list<string>
+     */
+    public function keys(): array
+    {
+        $keys = [];
+        foreach ($this->parameters as [$key]) {
+            $keys[] = $key;
+        }
+
+        return $keys;
+    }
+
     public function count(): int
     {
         return \count($this->parameters);

src/Metadata/UriVariableParameterInterface.php

@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Metadata;
+
+/**
+ * @experimental
+ */
+interface UriVariableParameterInterface
+{
+}