test: mitigates #7194 with link constraints

Author: soyuka

src/Metadata/Link.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Metadata;
 
 use ApiPlatform\OpenApi;
+use Symfony\Component\TypeInfo\Type;
 
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
 final class Link extends Parameter
@@ -27,7 +28,8 @@ public function __construct(
         private ?array $identifiers = null,
         private ?bool $compositeIdentifier = null,
         private ?string $expandedValue = null,
-        ?string $security = null,
+
+        string|\Stringable|null $security = null,
         ?string $securityMessage = null,
         private ?string $securityObjectName = null,
 
@@ -37,9 +39,15 @@ public function __construct(
         mixed $provider = null,
         mixed $filter = null,
         ?string $property = null,
+        ?array $properties = null,
         ?string $description = null,
         ?bool $required = null,
         array $extraProperties = [],
+
+        mixed $constraints = null,
+        array|string|null $filterContext = null,
+        ?Type $nativeType = null,
+        ?bool $castToArray = null,
     ) {
         // For the inverse property shortcut
         if ($this->parameterName && class_exists($this->parameterName)) {
@@ -53,11 +61,16 @@ public function __construct(
             provider: $provider,
             filter: $filter,
             property: $property,
+            properties: $properties,
             description: $description,
             required: $required,
+            constraints: $constraints,
             security: $security,
             securityMessage: $securityMessage,
-            extraProperties: $extraProperties
+            extraProperties: $extraProperties,
+            filterContext: $filterContext,
+            nativeType: $nativeType,
+            castToArray: $castToArray,
         );
     }
 

src/Metadata/Tests/Resource/Factory/UriTemplateResourceMetadataCollectionFactoryTest.php

@@ -139,10 +139,37 @@ class: AttributeResource::class,
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     operations: [
-                        '_api_/attribute_resources/{id}{._format}_get' => new Get(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_get'),
-                        '_api_/attribute_resources/{id}{._format}_put' => new Put(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_put'),
-                        '_api_/attribute_resources/{id}{._format}_delete' => new Delete(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_delete'),
-                        '_api_/attribute_resources{._format}_get_collection' => new GetCollection(uriTemplate: '/attribute_resources{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', name: '_api_/attribute_resources{._format}_get_collection'),
+                        '_api_/attribute_resources/{id}{._format}_get' => new Get(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_get',
+                        ),
+                        '_api_/attribute_resources/{id}{._format}_put' => new Put(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_put',
+                        ),
+                        '_api_/attribute_resources/{id}{._format}_delete' => new Delete(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_delete',
+                        ),
+                        '_api_/attribute_resources{._format}_get_collection' => new GetCollection(
+                            uriTemplate: '/attribute_resources{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            name: '_api_/attribute_resources{._format}_get_collection',
+                        ),
                     ]
                 ),
                 new ApiResource(

src/State/Provider/SecurityParameterProvider.php

@@ -56,6 +56,10 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         if ($operation instanceof HttpOperation) {
             foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
                 $parameters->add($key, $uriVariable->withKey($key));
             }
         }
@@ -69,7 +73,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             $value = $parameter->getValue();
             if ($parameter instanceof Link) {
                 $targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;
-                $value = $uriVariables[$parameter->getKey()] ?? new ParameterNotFound();
             }
 
             if ($value instanceof ParameterNotFound) {

src/Symfony/Validator/State/ParameterValidatorProvider.php

@@ -13,8 +13,10 @@
 
 namespace ApiPlatform\Symfony\Validator\State;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Parameter;
+use ApiPlatform\Metadata\Parameters;
 use ApiPlatform\State\ParameterNotFound;
 use ApiPlatform\State\ProviderInterface;
 use ApiPlatform\State\Util\ParameterParserTrait;
@@ -52,12 +54,25 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         }
 
         $constraintViolationList = new ConstraintViolationList();
-        foreach ($operation->getParameters() ?? [] as $parameter) {
+        $parameters = $operation->getParameters() ?? new Parameters();
+
+        if ($operation instanceof HttpOperation) {
+            foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
+                $parameters->add($key, $uriVariable->withKey($key));
+            }
+        }
+
+        foreach ($parameters as $parameter) {
             if (!$constraints = $parameter->getConstraints()) {
                 continue;
             }
 
             $value = $parameter->getValue();
+
             if ($value instanceof ParameterNotFound) {
                 $value = null;
             }

tests/Fixtures/TestBundle/Entity/Company.php

@@ -23,14 +23,14 @@
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
 
+#[ApiResource]
+#[GetCollection]
+#[Get]
 #[NotExposed(
     uriTemplate: '/company-by-name/{name}',
     provider: [self::class, 'provideCompanyByName'],
     uriVariables: ['name']
 )]
-#[ApiResource]
-#[GetCollection]
-#[Get]
 #[Post]
 #[ApiResource(
     uriTemplate: '/employees/{employeeId}/company',

tests/Fixtures/TestBundle/Entity/Employee.php

@@ -20,6 +20,7 @@
 use ApiPlatform\Metadata\Post;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Validator\Constraints\IdenticalTo;
 
 #[ApiResource]
 #[Post]
@@ -46,8 +47,9 @@
             identifiers: ['name'],
             fromClass: Company::class,
             toProperty: 'company',
-            security: 'company.name == "Test"',
-            extraProperties: ['uri_template' => '/company-by-name/{name}']
+            security: 'company.name == "Test" or company.name == "NotTest"',
+            extraProperties: ['uri_template' => '/company-by-name/{name}'],
+            constraints: [new IdenticalTo('Test')]
         ),
     ],
 )]

tests/Functional/Parameters/LinkProviderParameterTest.php

@@ -130,8 +130,36 @@ public function testLinkSecurityWithSlug(): void
             $this->markTestSkipped();
         }
 
-        $response = self::createClient()->request('GET', '/companies-by-name/Test/employees');
-        dd($response->toArray(false));
-        self::assertEquals(200, $response->getStatusCode());
+        self::createClient()->request('GET', '/companies-by-name/Test/employees');
+        self::assertJsonContains([
+            'hydra:member' => [
+                ['company' => ['name' => 'Test']],
+            ],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+    }
+
+    /**
+     * See https://github.com/api-platform/core/issues/7061.
+     */
+    public function testLinkSecurityWithConstraint(): void
+    {
+        $manager = $this->getManager();
+        $employee = new Employee();
+        $employee->setName('me');
+        $dummy = new Company();
+        $dummy->setName('Test');
+        $employee->setCompany($dummy);
+        $manager->persist($employee);
+        $manager->persist($dummy);
+        $manager->flush();
+
+        $container = static::getContainer();
+        if ('mongodb' === $container->getParameter('kernel.environment')) {
+            $this->markTestSkipped();
+        }
+
+        $response = self::createClient()->request('GET', '/companies-by-name/NotTest/employees');
+        self::assertEquals(422, $response->getStatusCode());
     }
 }