test: mitigates #7194 with link constraints

soyuka · soyuka · commit f7f2d197b5fd · 2025-06-10T13:49:59.000+02:00
diff --git a/src/Metadata/Link.php b/src/Metadata/Link.php
@@ -14,6 +14,7 @@
 namespace ApiPlatform\Metadata;
 
 use ApiPlatform\OpenApi;
+use Symfony\Component\TypeInfo\Type;
 
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
 final class Link extends Parameter
@@ -27,7 +28,8 @@ public function __construct(
         private ?array $identifiers = null,
         private ?bool $compositeIdentifier = null,
         private ?string $expandedValue = null,
-        ?string $security = null,
+
+        string|\Stringable|null $security = null,
         ?string $securityMessage = null,
         private ?string $securityObjectName = null,
 
@@ -37,9 +39,15 @@ public function __construct(
         mixed $provider = null,
         mixed $filter = null,
         ?string $property = null,
+        ?array $properties = null,
         ?string $description = null,
         ?bool $required = null,
         array $extraProperties = [],
+
+        mixed $constraints = null,
+        array|string|null $filterContext = null,
+        ?Type $nativeType = null,
+        ?bool $castToArray = null,
     ) {
         // For the inverse property shortcut
         if ($this->parameterName && class_exists($this->parameterName)) {
@@ -53,11 +61,16 @@ public function __construct(
             provider: $provider,
             filter: $filter,
             property: $property,
+            properties: $properties,
             description: $description,
             required: $required,
+            constraints: $constraints,
             security: $security,
             securityMessage: $securityMessage,
-            extraProperties: $extraProperties
+            extraProperties: $extraProperties,
+            filterContext: $filterContext,
+            nativeType: $nativeType,
+            castToArray: $castToArray,
         );
     }
 
diff --git a/src/Metadata/Tests/Resource/Factory/UriTemplateResourceMetadataCollectionFactoryTest.php b/src/Metadata/Tests/Resource/Factory/UriTemplateResourceMetadataCollectionFactoryTest.php
@@ -135,27 +135,60 @@ class: AttributeResource::class,
         $this->assertEquals(
             new ResourceMetadataCollection(AttributeResource::class, [
                 new ApiResource(
-                    uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                    uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     operations: [
-                        '_api_/attribute_resources/{id}{._format}_get' => new Get(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_get'),
-                        '_api_/attribute_resources/{id}{._format}_put' => new Put(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_put'),
-                        '_api_/attribute_resources/{id}{._format}_delete' => new Delete(uriTemplate: '/attribute_resources/{id}{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')], name: '_api_/attribute_resources/{id}{._format}_delete'),
-                        '_api_/attribute_resources{._format}_get_collection' => new GetCollection(uriTemplate: '/attribute_resources{._format}', shortName: 'AttributeResource', class: AttributeResource::class, controller: 'api_platform.action.placeholder', name: '_api_/attribute_resources{._format}_get_collection'),
+                        '_api_/attribute_resources/{id}{._format}_get' => new Get(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_get',
+                        ),
+                        '_api_/attribute_resources/{id}{._format}_put' => new Put(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_put',
+                        ),
+                        '_api_/attribute_resources/{id}{._format}_delete' => new Delete(
+                            uriTemplate: '/attribute_resources/{id}{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
+                            name: '_api_/attribute_resources/{id}{._format}_delete',
+                        ),
+                        '_api_/attribute_resources{._format}_get_collection' => new GetCollection(
+                            uriTemplate: '/attribute_resources{._format}',
+                            shortName: 'AttributeResource',
+                            class: AttributeResource::class,
+                            controller: 'api_platform.action.placeholder',
+                            name: '_api_/attribute_resources{._format}_get_collection',
+                        ),
                     ]
                 ),
                 new ApiResource(
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     uriTemplate: '/dummy/{dummyId}/attribute_resources/{id}',
-                    uriVariables: ['dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId'), 'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                    uriVariables: [
+                        'dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId', key: 'dummyId'),
+                        'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id'),
+                    ],
                     operations: [
                         '_api_/dummy/{dummyId}/attribute_resources/{id}_get' => new Get(
                             class: AttributeResource::class,
                             uriTemplate: '/dummy/{dummyId}/attribute_resources/{id}',
                             shortName: 'AttributeResource',
-                            uriVariables: ['dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId'), 'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                            uriVariables: [
+                                'dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId', key: 'dummyId'),
+                                'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id'),
+                            ],
                             extraProperties: ['user_defined_uri_template' => true],
                             name: '_api_/dummy/{dummyId}/attribute_resources/{id}_get'
                         ),
@@ -165,32 +198,38 @@ class: AttributeResource::class,
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     uriTemplate: '/attribute_resources/by_name/{name}',
-                    uriVariables: ['name' => new Link(fromClass: AttributeResource::class, identifiers: ['name'], parameterName: 'name')],
+                    uriVariables: ['name' => new Link(fromClass: AttributeResource::class, identifiers: ['name'], parameterName: 'name', key: 'name')],
                     operations: [],
                 ),
                 new ApiResource(
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     uriTemplate: '/attribute_resources/by_name/{name}',
-                    uriVariables: ['name' => new Link(fromClass: AttributeResource::class, identifiers: ['name'], parameterName: 'name')],
+                    uriVariables: ['name' => new Link(fromClass: AttributeResource::class, identifiers: ['name'], parameterName: 'name', key: 'name')],
                     operations: [],
                 ),
                 new ApiResource(
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     uriTemplate: '/dummy/{dummyId}/attribute_resources/{id}',
-                    uriVariables: ['dummyId' => new Link(fromClass: Dummy::class, identifiers: [], parameterName: 'dummyId', fromProperty: 'id'), 'id' => new Link(fromClass: AttributeResource::class, identifiers: [], parameterName: 'id', fromProperty: 'id')],
+                    uriVariables: [
+                        'dummyId' => new Link(fromClass: Dummy::class, identifiers: [], parameterName: 'dummyId', fromProperty: 'id', key: 'dummyId'),
+                        'id' => new Link(fromClass: AttributeResource::class, identifiers: [], parameterName: 'id', fromProperty: 'id', key: 'id'),
+                    ],
                     operations: [],
                 ),
                 new ApiResource(
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     uriTemplate: '/dummy/{dummyId}/attribute_resources/{id}',
-                    uriVariables: ['dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId'), 'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                    uriVariables: [
+                        'dummyId' => new Link(fromClass: Dummy::class, identifiers: ['id'], parameterName: 'dummyId', key: 'dummyId'),
+                        'id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id'),
+                    ],
                     operations: [],
                 ),
                 new ApiResource(
-                    uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                    uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
                     shortName: 'AttributeResource',
                     class: AttributeResource::class,
                     operations: [
@@ -199,7 +238,7 @@ class: AttributeResource::class,
                             shortName: 'AttributeResource',
                             class: AttributeResource::class,
                             controller: 'api_platform.action.placeholder',
-                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id')],
+                            uriVariables: ['id' => new Link(fromClass: AttributeResource::class, identifiers: ['id'], parameterName: 'id', key: 'id')],
                             routePrefix: '/prefix',
                             name: '_api_/prefix/attribute_resources/{id}{._format}_get'),
                     ]
diff --git a/src/State/Provider/SecurityParameterProvider.php b/src/State/Provider/SecurityParameterProvider.php
@@ -56,6 +56,10 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         if ($operation instanceof HttpOperation) {
             foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
                 $parameters->add($key, $uriVariable->withKey($key));
             }
         }
@@ -69,7 +73,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             $value = $parameter->getValue();
             if ($parameter instanceof Link) {
                 $targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;
-                $value = $uriVariables[$parameter->getKey()] ?? new ParameterNotFound();
             }
 
             if ($value instanceof ParameterNotFound) {
diff --git a/src/Symfony/Validator/State/ParameterValidatorProvider.php b/src/Symfony/Validator/State/ParameterValidatorProvider.php
@@ -13,8 +13,10 @@
 
 namespace ApiPlatform\Symfony\Validator\State;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Parameter;
+use ApiPlatform\Metadata\Parameters;
 use ApiPlatform\State\ParameterNotFound;
 use ApiPlatform\State\ProviderInterface;
 use ApiPlatform\State\Util\ParameterParserTrait;
@@ -52,12 +54,25 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         }
 
         $constraintViolationList = new ConstraintViolationList();
-        foreach ($operation->getParameters() ?? [] as $parameter) {
+        $parameters = $operation->getParameters() ?? new Parameters();
+
+        if ($operation instanceof HttpOperation) {
+            foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
+                $parameters->add($key, $uriVariable->withKey($key));
+            }
+        }
+
+        foreach ($parameters as $parameter) {
             if (!$constraints = $parameter->getConstraints()) {
                 continue;
             }
 
             $value = $parameter->getValue();
+
             if ($value instanceof ParameterNotFound) {
                 $value = null;
             }
diff --git a/tests/Fixtures/TestBundle/Entity/Company.php b/tests/Fixtures/TestBundle/Entity/Company.php
@@ -23,14 +23,14 @@
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
 
+#[ApiResource]
+#[GetCollection]
+#[Get]
 #[NotExposed(
     uriTemplate: '/company-by-name/{name}',
     provider: [self::class, 'provideCompanyByName'],
     uriVariables: ['name']
 )]
-#[ApiResource]
-#[GetCollection]
-#[Get]
 #[Post]
 #[ApiResource(
     uriTemplate: '/employees/{employeeId}/company',
diff --git a/tests/Fixtures/TestBundle/Entity/Employee.php b/tests/Fixtures/TestBundle/Entity/Employee.php
@@ -20,6 +20,7 @@
 use ApiPlatform\Metadata\Post;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Validator\Constraints\IdenticalTo;
 
 #[ApiResource]
 #[Post]
@@ -46,8 +47,9 @@
             identifiers: ['name'],
             fromClass: Company::class,
             toProperty: 'company',
-            security: 'company.name == "Test"',
-            extraProperties: ['uri_template' => '/company-by-name/{name}']
+            security: 'company.name == "Test" or company.name == "NotTest"',
+            extraProperties: ['uri_template' => '/company-by-name/{name}'],
+            constraints: [new IdenticalTo('Test')]
         ),
     ],
 )]
diff --git a/tests/Functional/Parameters/LinkProviderParameterTest.php b/tests/Functional/Parameters/LinkProviderParameterTest.php
@@ -115,6 +115,11 @@ public function testReadDummyProviderFromQueryParameterNoNotFound(): void
      */
     public function testLinkSecurityWithSlug(): void
     {
+        $container = static::getContainer();
+        if ('mongodb' === $container->getParameter('kernel.environment')) {
+            $this->markTestSkipped();
+        }
+
         $manager = $this->getManager();
         $employee = new Employee();
         $employee->setName('me');
@@ -125,13 +130,36 @@ public function testLinkSecurityWithSlug(): void
         $manager->persist($dummy);
         $manager->flush();
 
+        self::createClient()->request('GET', '/companies-by-name/Test/employees');
+        self::assertJsonContains([
+            'hydra:member' => [
+                ['company' => ['name' => 'Test']],
+            ],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+    }
+
+    /**
+     * See https://github.com/api-platform/core/issues/7061.
+     */
+    public function testLinkSecurityWithConstraint(): void
+    {
         $container = static::getContainer();
         if ('mongodb' === $container->getParameter('kernel.environment')) {
             $this->markTestSkipped();
         }
 
-        $response = self::createClient()->request('GET', '/companies-by-name/Test/employees');
-        dd($response->toArray(false));
-        self::assertEquals(200, $response->getStatusCode());
+        $manager = $this->getManager();
+        $employee = new Employee();
+        $employee->setName('me');
+        $dummy = new Company();
+        $dummy->setName('Test');
+        $employee->setCompany($dummy);
+        $manager->persist($employee);
+        $manager->persist($dummy);
+        $manager->flush();
+
+        $response = self::createClient()->request('GET', '/companies-by-name/NotTest/employees');
+        self::assertEquals(422, $response->getStatusCode());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,10 @@ public function provide(Operation $operation, array $uriVariables = [], array $c`
`56`	`56`
`57`	`57`	`if ($operation instanceof HttpOperation) {`
`58`	`58`	`foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {`
	`59`	`+ if ($uriVariable->getValue() instanceof ParameterNotFound) {`
	`60`	`+ $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());`
	`61`	`+ }`
	`62`	`+`
`59`	`63`	`$parameters->add($key, $uriVariable->withKey($key));`
`60`	`64`	`}`
`61`	`65`	`}`
`@@ -69,7 +73,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c`
`69`	`73`	`$value = $parameter->getValue();`
`70`	`74`	`if ($parameter instanceof Link) {`
`71`	`75`	`$targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;`
`72`		`- $value = $uriVariables[$parameter->getKey()] ?? new ParameterNotFound();`
`73`	`76`	`}`
`74`	`77`
`75`	`78`	`if ($value instanceof ParameterNotFound) {`