Merge 4.2

Author: soyuka

.github/workflows/commitlint.yml

@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     if: github.event_name == 'pull_request_target'

AGENTS.md

@@ -37,6 +37,12 @@ tests/Fixtures/app/console
 # Clear cache (Critical when switching branches/modes)
 rm -rf tests/Fixtures/app/var/cache/test
 
+# Remove stale vendor dirs inside src/ (if PHPUnit hangs)
+# Component packages under src/ may have leftover vendor/ directories
+# from previous `composer link` runs. These cause PHPUnit to scan them
+# indefinitely. Remove them before running tests:
+find src -name vendor -exec rm -rf {} +
+
 # PHPUnit (Preferred)
 vendor/bin/phpunit --filter testMethodName
 

CHANGELOG.md

@@ -67,6 +67,13 @@
 
 * When using `output` with `itemUriTemplate` on a collection operation, the JSON-LD `@type` will now use the resource class name instead of the output DTO class name for semantic consistency with `itemUriTemplate` behavior.
 
+## v4.2.19
+
+### Bug fixes
+
+* [04c30b7ee](https://github.com/api-platform/core/commit/04c30b7eee4af443ad16ec6dd2135a4511dc3138) fix(jsonapi): prevent double unwrapping of data.attributes with input DTOs
+* [c6236f313](https://github.com/api-platform/core/commit/c6236f313864661a4cab0caa926a2520500c0257) fix(serializer): report all missing constructor arguments in instantiateObject
+
 ## v4.2.18
 
 ### Bug fixes

src/JsonApi/Serializer/ItemNormalizer.php

@@ -201,6 +201,12 @@ public function supportsDenormalization(mixed $data, string $type, ?string $form
      */
     public function denormalize(mixed $data, string $type, ?string $format = null, array $context = []): mixed
     {
+        // When re-entering for input DTO denormalization, data has already been
+        // unwrapped from the JSON:API structure by the first pass. Skip extraction.
+        if (isset($context['api_platform_input'])) {
+            return parent::denormalize($data, $class, $format, $context);
+        }
+
         // Avoid issues with proxies if we populated the object
         if (!isset($context[self::OBJECT_TO_POPULATE]) && isset($data['data']['id'])) {
             if (true !== ($context['api_allow_update'] ?? true)) {

src/JsonApi/Tests/Fixtures/InputDto.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\JsonApi\Tests\Fixtures;
+
+final class InputDto
+{
+    public string $title = '';
+    public string $body = '';
+}

src/JsonApi/Tests/Serializer/ItemNormalizerTest.php

@@ -17,6 +17,7 @@
 use ApiPlatform\JsonApi\Serializer\ReservedAttributeNameConverter;
 use ApiPlatform\JsonApi\Tests\Fixtures\CircularReference;
 use ApiPlatform\JsonApi\Tests\Fixtures\Dummy;
+use ApiPlatform\JsonApi\Tests\Fixtures\InputDto;
 use ApiPlatform\JsonApi\Tests\Fixtures\RelatedDummy;
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
@@ -41,6 +42,7 @@
 use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
 use Symfony\Component\Serializer\Exception\NotNormalizableValueException;
 use Symfony\Component\Serializer\Exception\UnexpectedValueException;
+use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Serializer\SerializerInterface;
@@ -904,4 +906,87 @@ public function testDenormalizeRelationWithEntityIdentifier(): void
 
         $this->assertInstanceOf(Dummy::class, $result);
     }
+
+    /**
+     * Reproducer for https://github.com/api-platform/core/issues/7794.
+     *
+     * When a resource uses an input DTO, AbstractItemNormalizer::denormalize() re-enters
+     * the serializer with the already-unwrapped (flat) data plus an 'api_platform_input'
+     * context flag. Without the guard, JsonApi\ItemNormalizer::denormalize() runs a second
+     * time on the flat data, tries to read $data['data']['attributes'] and gets null,
+     * which nulls every DTO property.
+     */
+    public function testDenormalizeInputDtoDoesNotDoubleUnwrapJsonApiStructure(): void
+    {
+        $jsonApiData = [
+            'data' => [
+                'type' => 'dummy',
+                'attributes' => [
+                    'title' => 'Hello',
+                    'body' => 'World',
+                ],
+            ],
+        ];
+
+        $propertyNameCollectionFactoryProphecy = $this->prophesize(PropertyNameCollectionFactoryInterface::class);
+        $propertyNameCollectionFactoryProphecy->create(Dummy::class, Argument::any())->willReturn(new PropertyNameCollection([]));
+        $propertyNameCollectionFactoryProphecy->create(InputDto::class, Argument::any())->willReturn(new PropertyNameCollection(['title', 'body']));
+
+        $propertyMetadataFactoryProphecy = $this->prophesize(PropertyMetadataFactoryInterface::class);
+        $propertyMetadataFactoryProphecy->create(InputDto::class, 'title', Argument::any())->willReturn((new ApiProperty())->withNativeType(Type::string())->withReadable(true)->withWritable(true));
+        $propertyMetadataFactoryProphecy->create(InputDto::class, 'body', Argument::any())->willReturn((new ApiProperty())->withNativeType(Type::string())->withReadable(true)->withWritable(true));
+
+        $iriConverterProphecy = $this->prophesize(IriConverterInterface::class);
+
+        $propertyAccessorProphecy = $this->prophesize(PropertyAccessorInterface::class);
+        $propertyAccessorProphecy->setValue(Argument::type(InputDto::class), Argument::type('string'), Argument::any())
+            ->will(static function ($args): void {
+                $args[0]->{$args[1]} = $args[2];
+            });
+
+        $resourceClassResolverProphecy = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolverProphecy->getResourceClass(null, Dummy::class)->willReturn(Dummy::class);
+        $resourceClassResolverProphecy->isResourceClass(Dummy::class)->willReturn(true);
+        $resourceClassResolverProphecy->isResourceClass(InputDto::class)->willReturn(false);
+        $resourceClassResolverProphecy->getResourceClass(null, InputDto::class)->willReturn(InputDto::class);
+
+        $resourceMetadataCollectionFactory = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
+        $resourceMetadataCollectionFactory->create(Dummy::class)->willReturn(new ResourceMetadataCollection(Dummy::class, [
+            (new ApiResource())->withOperations(new Operations([new Get(name: 'get')])),
+        ]));
+
+        $normalizer = new ItemNormalizer(
+            $propertyNameCollectionFactoryProphecy->reveal(),
+            $propertyMetadataFactoryProphecy->reveal(),
+            $iriConverterProphecy->reveal(),
+            $resourceClassResolverProphecy->reveal(),
+            $propertyAccessorProphecy->reveal(),
+            new ReservedAttributeNameConverter(),
+            null,
+            [],
+            $resourceMetadataCollectionFactory->reveal(),
+        );
+
+        // Create a mock serializer that simulates the real serializer chain:
+        // when re-entering for the input DTO, it calls back into the normalizer.
+        $serializerProphecy = $this->prophesize(SerializerInterface::class);
+        $serializerProphecy->willImplement(DenormalizerInterface::class);
+        $serializerProphecy->willImplement(NormalizerInterface::class);
+        $serializerProphecy->denormalize(Argument::type('array'), InputDto::class, ItemNormalizer::FORMAT, Argument::type('array'))
+            ->will(static function ($args) use ($normalizer) {
+                // This simulates the serializer re-entering the normalizer chain
+                return $normalizer->denormalize($args[0], $args[1], $args[2], $args[3]);
+            });
+
+        $normalizer->setSerializer($serializerProphecy->reveal());
+
+        $result = $normalizer->denormalize($jsonApiData, Dummy::class, ItemNormalizer::FORMAT, [
+            'input' => ['class' => InputDto::class],
+            'resource_class' => Dummy::class,
+        ]);
+
+        $this->assertInstanceOf(InputDto::class, $result);
+        $this->assertSame('Hello', $result->title);
+        $this->assertSame('World', $result->body);
+    }
 }

src/JsonApi/composer.json

@@ -25,7 +25,7 @@
         "api-platform/documentation": "^4.2",
         "api-platform/json-schema": "^4.2",
         "api-platform/metadata": "^4.2",
-        "api-platform/serializer": "^4.2.4",
+        "api-platform/serializer": "^4.2.18",
         "api-platform/state": "^4.2.4",
         "symfony/error-handler": "^6.4 || ^7.0 || ^8.0",
         "symfony/http-foundation": "^6.4.14 || ^7.0 || ^8.0",

src/Laravel/ApiPlatformDeferredProvider.php

@@ -104,7 +104,7 @@ class ApiPlatformDeferredProvider extends ServiceProvider implements DeferrableP
     public function register(): void
     {
         $directory = app_path();
-        $classes = ReflectionClassRecursiveIterator::getReflectionClassesFromDirectories([$directory], '(?!.*Test\.php$)');
+        $classes = ReflectionClassRecursiveIterator::getReflectionClassesFromDirectories([$directory], '(?!.*(?:Test|\.blade)\.php$)');
 
         foreach ($classes as $className => $refl) {
             foreach ($refl->getAttributes() as $attribute) {

src/Laravel/Eloquent/Metadata/ModelMetadata.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Laravel\Eloquent\Metadata;
 
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Support\Str;
 use Symfony\Component\Serializer\NameConverter\CamelCaseToSnakeCaseNameConverter;
@@ -77,7 +78,10 @@ public function getAttributes(Model $model): array
         $indexes = $schema->getIndexes($table);
         $relations = $this->getRelations($model);
 
-        $foreignKeys = array_flip(array_filter(array_column($relations, 'foreign_key')));
+        // Only exclude BelongsTo foreign keys — those are local columns on this model's table.
+        // HasMany/HasOne foreign keys reference the related table and should not be excluded.
+        $belongsToRelations = array_filter($relations, static fn ($r) => is_a($r['type'], BelongsTo::class, true));
+        $foreignKeys = array_flip(array_filter(array_column($belongsToRelations, 'foreign_key')));
         $attributes = [];
 
         foreach ($columns as $column) {

src/Laravel/Tests/Eloquent/Metadata/ModelMetadataTest.php

@@ -20,6 +20,7 @@
 use Orchestra\Testbench\Concerns\WithWorkbench;
 use Orchestra\Testbench\TestCase;
 use Workbench\App\Models\Book;
+use Workbench\App\Models\Device;
 
 /**
  * @author Tobias Oitzinger <tobiasoitzinger@gmail.com>
@@ -80,4 +81,22 @@ public function secret(): HasMany // @phpstan-ignore-line
         $metadata = new ModelMetadata();
         $this->assertCount(1, $metadata->getRelations($model));
     }
+
+    /**
+     * When a model has a custom primary key (e.g. device_id) and a HasMany
+     * relation whose foreign key on the related table has the same name,
+     * the primary key must not be excluded from getAttributes().
+     *
+     * Only BelongsTo foreign keys are local columns that should be excluded.
+     * HasMany/HasOne foreign keys reference the related model's table.
+     */
+    public function testCustomPrimaryKeyNotExcludedByHasManyForeignKey(): void
+    {
+        $model = new Device();
+        $metadata = new ModelMetadata();
+        $attributes = $metadata->getAttributes($model);
+
+        $this->assertArrayHasKey('device_id', $attributes, 'Primary key "device_id" should not be excluded from attributes when it matches a HasMany foreign key name.');
+        $this->assertTrue($attributes['device_id']['primary'], 'The device_id attribute should be marked as primary key.');
+    }
 }