fix(serializer): use attribute denormalization context for constructor arguments

Author: alexndlm

features/security/strong_typing.feature

@@ -89,6 +89,19 @@ Feature: Handle properly invalid data submitted to the API
     And the response should be in JSON
     And the header "Content-Type" should be equal to "application/ld+json; charset=utf-8"
 
+  Scenario: Ignore date with wrong format
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I send a "POST" request to "/dummies" with body:
+    """
+    {
+      "name": "Invalid date format",
+      "dummyDateWithFormat": "2020-01-01T00:00:00+00:00"
+    }
+    """
+    Then the response status code should be 400
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/ld+json; charset=utf-8"
+
   Scenario: Send non-array data when an array is expected
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "POST" request to "/dummies" with body:

src/Serializer/AbstractItemNormalizer.php

@@ -317,6 +317,8 @@ protected function instantiateObject(array &$data, string $class, array &$contex
             foreach ($constructorParameters as $constructorParameter) {
                 $paramName = $constructorParameter->name;
                 $key = $this->nameConverter ? $this->nameConverter->normalize($paramName, $class, $format, $context) : $paramName;
+                $attributeContext = $this->getAttributeDenormalizationContext($class, $paramName, $context);
+                $attributeContext['deserialization_path'] = $attributeContext['deserialization_path'] ?? $key;
 
                 $allowed = false === $allowedAttributes || (\is_array($allowedAttributes) && \in_array($paramName, $allowedAttributes, true));
                 $ignored = !$this->isAllowedAttribute($class, $paramName, $format, $context);
@@ -329,10 +331,8 @@ protected function instantiateObject(array &$data, string $class, array &$contex
                         $params[] = $data[$paramName];
                     }
                 } elseif ($allowed && !$ignored && (isset($data[$key]) || \array_key_exists($key, $data))) {
-                    $constructorContext = $context;
-                    $constructorContext['deserialization_path'] = $context['deserialization_path'] ?? $key;
                     try {
-                        $params[] = $this->createConstructorArgument($data[$key], $key, $constructorParameter, $constructorContext, $format);
+                        $params[] = $this->createConstructorArgument($data[$key], $key, $constructorParameter, $attributeContext, $format);
                     } catch (NotNormalizableValueException $exception) {
                         if (!isset($context['not_normalizable_value_exceptions'])) {
                             throw $exception;
@@ -351,7 +351,6 @@ protected function instantiateObject(array &$data, string $class, array &$contex
                         $missingConstructorArguments[] = $constructorParameter->name;
                     }
 
-                    $attributeContext = $this->getAttributeDenormalizationContext($class, $paramName, $context);
                     $constructorParameterType = 'unknown';
                     $reflectionType = $constructorParameter->getType();
                     if ($reflectionType instanceof \ReflectionNamedType) {
@@ -362,7 +361,7 @@ protected function instantiateObject(array &$data, string $class, array &$contex
                         \sprintf('Failed to create object because the class misses the "%s" property.', $constructorParameter->name),
                         null,
                         [$constructorParameterType],
-                        $attributeContext['deserialization_path'] ?? null,
+                        $attributeContext['deserialization_path'],
                         true
                     );
                     $context['not_normalizable_value_exceptions'][] = $exception;
@@ -405,7 +404,7 @@ protected function getClassDiscriminatorResolvedClass(array $data, string $class
         return $mappedClass;
     }
 
-    protected function createConstructorArgument($parameterData, string $key, \ReflectionParameter $constructorParameter, array &$context, ?string $format = null): mixed
+    protected function createConstructorArgument($parameterData, string $key, \ReflectionParameter $constructorParameter, array $context, ?string $format = null): mixed
     {
         return $this->createAndValidateAttributeValue($constructorParameter->name, $parameterData, $format, $context);
     }

tests/Fixtures/TestBundle/Entity/Dummy.php

@@ -20,6 +20,7 @@
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Context;
 use Symfony\Component\Validator\Constraints as Assert;
 
 /**
@@ -87,6 +88,14 @@ class Dummy
     #[ORM\Column(type: 'datetime', nullable: true)]
     public $dummyDate;
 
+    /**
+     * @var \DateTime|null A dummy date with format
+     */
+    #[Context(denormalizationContext: ['datetime_format' => 'Y-m-d'])]
+    #[ApiProperty(iris: ['https://schema.org/DateTime'])]
+    #[ORM\Column(type: 'datetime', nullable: true)]
+    private $dummyDateWithFormat;
+
     /**
      * @var float|null A dummy float
      */
@@ -140,9 +149,10 @@ public static function staticMethod(): void
     {
     }
 
-    public function __construct()
+    public function __construct(?\DateTime $dummyDateWithFormat = null)
     {
         $this->relatedDummies = new ArrayCollection();
+        $this->dummyDateWithFormat = $dummyDateWithFormat;
     }
 
     public function getId()
@@ -209,6 +219,11 @@ public function getDummyDate()
         return $this->dummyDate;
     }
 
+    public function getDummyDateWithFormat()
+    {
+        return $this->dummyDateWithFormat;
+    }
+
     public function setDummyPrice($dummyPrice)
     {
         $this->dummyPrice = $dummyPrice;