Link Security not compatible with Identifiers #7061

Closed
@jamesisaac

API Platform version(s) affected: 4.1

Description

  • The identifiers feature of Link works well for linking subresources on properties other than the main identifier.
  • The security feature of Link works well for adding access control based on the uriVariable objects - thanks for this recent addition.
  • Unfortunately the two seem incompatible, because security always uses the main identifier rather than using identifiers to query the object.

How to reproduce

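# security.yaml
api_platform:
    enable_link_security: true

// Employee.php
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Link;

#[ApiResource(
    uriTemplate: '/companies/{slug}/employees',
    uriVariables: [
        // Parent Company is addressed by its slug, not its main identifier
        'slug' => new Link(
            identifiers: ['slug'],
            fromClass: Company::class,
            toProperty: 'company',
            security: 'company == user.company',
        ),
    ],
    operations: [
        new GetCollection(),
    ],
)]
class Employee
{
    // Entity fields omitted in the report
}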

GET /companies/acme/employees gives error:

500: Could not convert database value "acme" to Doctrine Type uuid

Can be worked around by removing security, or by linking on id instead of slug. But the former means a more complicated security setup, and the latter is inconvenient for API consumers. So it would be ideal if these features could complement each other.
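One way to apply the first workaround while keeping the slug URL and a tenant check, as an added example that is not part of the original report or the project's code: the `security` expression moves from the Link to the operation and compares the route's `slug` with the current user's company. Assumptions: `ROLE_USER` is the role held by authenticated users, and `user.company.slug` is readable in the expression the same way `user.company` is in the report.

```php
<?php
// Employee.php (added example, hypothetical workaround)
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Link;

#[ApiResource(
    uriTemplate: '/companies/{slug}/employees',
    uriVariables: [
        // The Link still selects the parent Company by slug, but carries no
        // `security`; per the report, removing it avoids the uuid conversion error.
        'slug' => new Link(
            identifiers: ['slug'],
            fromClass: Company::class,
            toProperty: 'company',
        ),
    ],
    operations: [
        new GetCollection(
            // Operation-level check: the slug in the URL must be the slug of the
            // caller's own company. is_granted() is evaluated first, so an
            // anonymous request is rejected before `user` is dereferenced.
            // Assumption: every authenticated user has a non-null company.
            security: "is_granted('ROLE_USER') and user.company.slug == request.attributes.get('slug')",
        ),
    ],
)]
class Employee
{
    // Entity fields omitted.
}
```

This compares slugs rather than Company objects, so it only holds as an access check if slugs are unique per company.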
