Merge 4.2

soyuka · soyuka · commit 7e737d5e483c · 2026-03-20T10:00:10.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -70,10 +70,10 @@ jobs:
     steps:
       - name: Generate App Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.API_PLATFORM_APP_ID }}
-          private-key: ${{ secrets.API_PLATFORM_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.API_PLATFORM_APP_ID }}
+          private_key: ${{ secrets.API_PLATFORM_APP_PRIVATE_KEY }}
 
       - name: Update demo
         env:
diff --git a/src/Hydra/Serializer/DocumentationNormalizer.php b/src/Hydra/Serializer/DocumentationNormalizer.php
@@ -109,10 +109,10 @@ private function populateEntrypointProperties(ApiResource $resourceMetadata, str
                 'domain' => '#Entrypoint',
                 'owl:maxCardinality' => 1,
                 'range' => [
-                    ['@id' => $hydraPrefix.'Collection'],
+                    ['@id' => 'hydra:Collection'],
                     [
                         'owl:equivalentClass' => [
-                            'owl:onProperty' => ['@id' => $hydraPrefix.'member'],
+                            'owl:onProperty' => ['@id' => 'hydra:member'],
                             'owl:allValuesFrom' => ['@id' => $prefixedShortName],
                         ],
                     ],
diff --git a/src/Hydra/Tests/Serializer/DocumentationNormalizerTest.php b/src/Hydra/Tests/Serializer/DocumentationNormalizerTest.php
@@ -899,10 +899,10 @@ public function testNormalizeWithoutPrefix(): void
                                 '@type' => 'Link',
                                 'domain' => '#Entrypoint',
                                 'range' => [
-                                    ['@id' => 'Collection'],
+                                    ['@id' => 'hydra:Collection'],
                                     [
                                         'owl:equivalentClass' => [
-                                            'owl:onProperty' => ['@id' => 'member'],
+                                            'owl:onProperty' => ['@id' => 'hydra:member'],
                                             'owl:allValuesFrom' => ['@id' => '#dummy'],
                                         ],
                                     ],
diff --git a/src/Serializer/AbstractItemNormalizer.php b/src/Serializer/AbstractItemNormalizer.php
@@ -18,6 +18,7 @@
 use ApiPlatform\Metadata\Exception\AccessDeniedException;
 use ApiPlatform\Metadata\Exception\InvalidArgumentException;
 use ApiPlatform\Metadata\Exception\ItemNotFoundException;
+use ApiPlatform\Metadata\Exception\PropertyNotFoundException;
 use ApiPlatform\Metadata\IriConverterInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyNameCollectionFactoryInterface;
@@ -276,10 +277,6 @@ public function denormalize(mixed $data, string $type, ?string $format = null, a
         $previousObject = $this->clone($objectToPopulate);
         $object = parent::denormalize($data, $type, $format, $context);
 
-        if (!$this->resourceClassResolver->isResourceClass($type)) {
-            return $object;
-        }
-
         // Bypass the post-denormalize attribute revert logic if the object could not be
         // cloned since we cannot possibly revert any changes made to it.
         if (null !== $objectToPopulate && null === $previousObject) {
@@ -296,7 +293,13 @@ public function denormalize(mixed $data, string $type, ?string $format = null, a
         // Revert attributes that aren't allowed to be changed after a post-denormalize check
         foreach (array_keys($data) as $attribute) {
             $attribute = $this->nameConverter ? $this->nameConverter->denormalize((string) $attribute) : $attribute;
-            $propertyMetadata = $this->propertyMetadataFactory->create($resourceClass, $attribute, $options);
+
+            try {
+                $propertyMetadata = $this->propertyMetadataFactory->create($resourceClass, $attribute, $options);
+            } catch (PropertyNotFoundException) {
+                continue;
+            }
+
             $attributeExtraProperties = $propertyMetadata->getExtraProperties();
             $throwOnPropertyAccessDenied = $attributeExtraProperties['throw_on_access_denied'] ?? $throwOnAccessDenied;
             if (!\in_array($attribute, $propertyNames, true)) {
@@ -500,12 +503,13 @@ protected function isAllowedAttribute(object|string $classOrObject, string $attr
      */
     protected function canAccessAttribute(?object $object, string $attribute, array $context = []): bool
     {
-        if (!$this->resourceClassResolver->isResourceClass($context['resource_class'])) {
+        $options = $this->getFactoryOptions($context);
+
+        try {
+            $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $options);
+        } catch (PropertyNotFoundException) {
             return true;
         }
-
-        $options = $this->getFactoryOptions($context);
-        $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $options);
         $security = $propertyMetadata->getSecurity() ?? $propertyMetadata->getPolicy();
         if (null !== $this->resourceAccessChecker && $security) {
             return $this->resourceAccessChecker->isGranted($context['resource_class'], $security, [
diff --git a/tests/Fixtures/TestBundle/ApiResource/DummyDtoSecuredInput.php b/tests/Fixtures/TestBundle/ApiResource/DummyDtoSecuredInput.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Tests\Fixtures\TestBundle\Dto\SecuredInputDto;
+
+#[ApiResource(
+    operations: [
+        new Get(provider: [self::class, 'provide']),
+        new Patch(input: SecuredInputDto::class, processor: [self::class, 'process'], provider: [self::class, 'provide']),
+    ]
+)]
+class DummyDtoSecuredInput
+{
+    public ?int $id = null;
+
+    public ?string $title = null;
+
+    public ?string $adminOnly = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public static function provide(Operation $operation, array $uriVariables = [], array $context = []): self
+    {
+        $entity = new self();
+        $entity->id = (int) $uriVariables['id'];
+        $entity->title = 'existing title';
+        $entity->adminOnly = 'existing admin value';
+
+        return $entity;
+    }
+
+    public static function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): self
+    {
+        if (!$data instanceof SecuredInputDto) {
+            throw new \InvalidArgumentException('Expected SecuredInputDto');
+        }
+
+        $entity = $context['previous_data'] ?? new self();
+        if (null !== $data->title) {
+            $entity->title = $data->title;
+        }
+        if (null !== $data->adminOnly) {
+            $entity->adminOnly = $data->adminOnly;
+        }
+
+        return $entity;
+    }
+}
diff --git a/tests/Fixtures/TestBundle/Dto/SecuredInputDto.php b/tests/Fixtures/TestBundle/Dto/SecuredInputDto.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Dto;
+
+use ApiPlatform\Metadata\ApiProperty;
+
+class SecuredInputDto
+{
+    public ?string $title = null;
+
+    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
+    public ?string $adminOnly = null;
+}
diff --git a/tests/Functional/SecurityPropertyInputDtoTest.php b/tests/Functional/SecurityPropertyInputDtoTest.php
@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Functional;
+
+use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
+use ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\DummyDtoSecuredInput;
+use ApiPlatform\Tests\SetupClassResourcesTrait;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+
+final class SecurityPropertyInputDtoTest extends ApiTestCase
+{
+    use SetupClassResourcesTrait;
+
+    protected static ?bool $alwaysBootKernel = false;
+
+    /**
+     * @return class-string[]
+     */
+    public static function getResources(): array
+    {
+        return [DummyDtoSecuredInput::class];
+    }
+
+    public function testNonAdminCannotWriteSecuredProperty(): void
+    {
+        $client = self::createClient();
+        $client->loginUser(new InMemoryUser('user', 'password', ['ROLE_USER']));
+
+        $response = $client->request('PATCH', '/dummy_dto_secured_inputs/1', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json' => [
+                'title' => 'updated title',
+                'adminOnly' => 'hacked value',
+            ],
+        ]);
+
+        $this->assertResponseIsSuccessful();
+        $json = $response->toArray();
+        $this->assertSame('updated title', $json['title']);
+        // The adminOnly field should be silently dropped (not written) for non-admin
+        $this->assertSame('existing admin value', $json['adminOnly']);
+    }
+
+    public function testAdminCanWriteSecuredProperty(): void
+    {
+        $client = self::createClient();
+        $client->loginUser(new InMemoryUser('admin', 'password', ['ROLE_ADMIN']));
+
+        $response = $client->request('PATCH', '/dummy_dto_secured_inputs/1', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json' => [
+                'title' => 'admin updated',
+                'adminOnly' => 'admin value',
+            ],
+        ]);
+
+        $this->assertResponseIsSuccessful();
+        $json = $response->toArray();
+        $this->assertSame('admin updated', $json['title']);
+        $this->assertSame('admin value', $json['adminOnly']);
+    }
+}
