API Platform version(s) affected: 3.3.7
Description
Hey,

I just tried to upgrade my project from `3.2.25` to `3.3.7`.

In my project, I have the `securityPostValidation` attribute on several entities.

My tests failed, and I noticed that all security logic inside `securityPostValidation` was ignored and never applied.

I then tried all patch versions of `api-platform/core` and the bug was reproduced since `3.3.2` (and didn't occur in `3.3.0`).

I noticed that adding `use_symfony_listeners: false` fixed the problem and that `securityPostValidation` was again called.
How to reproduce
Create an entity, and add this config.
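```php
use ApiPlatform\Metadata\Post;
use Doctrine\ORM\Mapping as ORM;
use Gedmo\Mapping\Annotation as Gedmo;
use Symfony\Component\Serializer\Annotation\Groups;

// The expression below is meant to reject every POST once validation has passed.
#[Post(
    denormalizationContext: ['groups' => ['link_type:collection:write']],
    securityPostValidation: 'is_granted(false, object)',
)]
class LinkType
{
    #[ORM\Column(length: 255)]
    #[Gedmo\Versioned]
    #[Groups([
        'link_type:collection:read', 'link_type:item:read',
        'link_type:collection:write', 'link_type:item:write',
    ])]
    private string $name;

    public function getName(): string
    {
        return $this->name;
    }

    public function setName(string $name): static
    {
        $this->name = $name;

        return $this;
    }
}
```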
In `config/packages/api_platform.yaml`:

```yaml
api_platform:
    use_symfony_listeners: false
```
Toggle the `use_symfony_listeners` value and check your `POST` calls.

It succeeds when the value is set to `true`, while it should fail with the `is_granted(false)`.
Possible Solution
I don't have the solution!

I'd like to keep using `use_symfony_listeners: true` for some time, until I replace everything that needs it.
Additional Context
Same problem when using `ApiResource.operations` to define my `POST` endpoint.
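
A functional regression test for the behaviour reported above, added here as an example and not part of the original report or of API Platform's own test suite. It assumes the entity lives in `App\Entity\LinkType`, that the operation is exposed at `/link_types` with the default JSON-LD format, and that a test database is configured; adjust these to the project.

```php
<?php

declare(strict_types=1);

namespace App\Tests\Api;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use App\Entity\LinkType; // assumed namespace, not shown in the report

final class LinkTypeSecurityPostValidationTest extends ApiTestCase
{
    public function testPostIsDeniedBySecurityPostValidation(): void
    {
        $client = static::createClient();

        $repository = static::getContainer()
            ->get('doctrine')
            ->getRepository(LinkType::class);
        $rowsBefore = $repository->count([]);

        // Constructed payload: it must pass validation so that the
        // securityPostValidation expression is the only thing left to reject it.
        $response = $client->request('POST', '/link_types', [ // assumed route
            'headers' => ['Content-Type' => 'application/ld+json'],
            'json' => ['name' => 'constructed-sample'],
        ]);

        // A denied request is 403 for an authenticated user and 401 when the
        // firewall sends an anonymous caller to its entry point.
        self::assertContains(
            $response->getStatusCode(),
            [401, 403],
            'securityPostValidation was not enforced on POST'
        );

        // The check runs before the write stage, so nothing may be persisted.
        self::assertSame(
            $rowsBefore,
            $repository->count([]),
            'A LinkType was persisted although access should have been denied'
        );
    }
}
```

Run the suite once with `use_symfony_listeners: true` and once with `false` before accepting an upgrade, so a silently skipped authorization check shows up as a failing test in either mode.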