Description
Version: latest (4.1)
Problem:
When a default `security` annotation is written in `config/packages/api_platform.yml`, it makes the serialization of `ApiPlatform\State\ApiResource\Error` no longer possible for operations where a less restrictive access is required.
E.g. if I specify `security: is_granted("ROLE_USER")` in defaults and I define a public `/api/register` operation which requires `ApiPlatform\State\ApiResource\Error` in a public context, I obtain a 500 error without body. The only information I got about the error was a header that was indicating that the access was denied in `ApiPlatform\Symfony\Security\State\AccessCheckerProvider:L88`.
I debugged the received parameters and saw that the `AccessCheckerProvider` was failing because of the `ApiPlatform\State\ApiResource\Error` that had the `is_security("ROLE_USER")`.
I even tried to replace the default `security` to test by `is_granted("PUBLIC_ACCESS")` and I received the expected `ApiPlatform\State\ApiResource\Error` serialized, so I'm quite sure about the issue.
Suggestion:
- Make the error clearer, the response I received had no body and only a 500 exception code
- Either:
  - add a possibility to edit the security applied to `ApiPlatform\State\ApiResource\Error` (e.g. using a flag in the config)
  - add `is_granted("PUBLIC_ACCESS")` for `ApiPlatform\State\ApiResource\Error`
Feel free to tell me how I can help