|
1 | 1 | # Upgrade Guide |
2 | 2 |
|
| 3 | +## API Platform 4.2 to 4.3 |
| 4 | + |
| 5 | +### Breaking Changes |
| 6 | + |
| 7 | +#### Doctrine Filters Require Explicit `property` |
| 8 | + |
| 9 | +Doctrine parameter-based filters (`ExactFilter`, `IriFilter`, `PartialSearchFilter`, `UuidFilter`) |
| 10 | +now throw `InvalidArgumentException` if the `property` attribute is missing. If you have filter |
| 11 | +parameters without an explicit `property`, you must either add one or use the `:property` placeholder |
| 12 | +in your parameter name. |
| 13 | + |
| 14 | +```php |
| 15 | +// Before (would silently work without property): |
| 16 | +#[ApiFilter(ExactFilter::class)] |
| 17 | + |
| 18 | +// After (property is required): |
| 19 | +#[ApiFilter(ExactFilter::class, property: 'name')] |
| 20 | +// Or use the :property placeholder in the parameter name |
| 21 | +``` |
| 22 | + |
| 23 | +#### Readonly Doctrine Entities Lose PUT & PATCH |
| 24 | + |
| 25 | +Entities marked as readonly via Doctrine metadata (`$classMetadata->markReadOnly()`) no longer |
| 26 | +expose PUT and PATCH operations. Clients sending PUT/PATCH to these resources will receive a 404. |
| 27 | +If you need write operations on readonly entities, explicitly define them in your `ApiResource` |
| 28 | +attribute. |
| 29 | + |
| 30 | +#### JSON-LD `@type` with `output` and `itemUriTemplate` |
| 31 | + |
| 32 | +When using `output` with `itemUriTemplate` on a collection operation, the JSON-LD `@type` now uses |
| 33 | +the resource class name instead of the output DTO class name for semantic consistency with |
| 34 | +`itemUriTemplate` behavior. Update any client code that relies on the DTO class name in `@type`. |
| 35 | + |
| 36 | +### Behavioral Changes |
| 37 | + |
| 38 | +#### `isGranted` Evaluated Before Provider |
| 39 | + |
| 40 | +Security expressions are now evaluated before the state provider runs. Expressions that do not |
| 41 | +reference the `object` variable will be checked at the `pre_read` stage, improving security by |
| 42 | +preventing unnecessary database queries on unauthorized requests. Expressions that reference `object` |
| 43 | +still wait for the provider to resolve the entity. Review any security expressions that relied on |
| 44 | +provider side-effects running before authorization. |
| 45 | + |
| 46 | +#### Hydra Class `@id` Now Always Uses `#ShortName` |
| 47 | + |
| 48 | +Hydra documentation classes now consistently use `#ShortName` as their `@id` instead of schema.org |
| 49 | +type URIs (e.g. `schema:Product`). Semantic types configured via `types` are now exposed through |
| 50 | +`rdfs:subClassOf`. Clients should expect class `@id` and property range changes in the Hydra |
| 51 | +documentation if resources had custom `types` configured. |
| 52 | + |
| 53 | +#### LDP-Compliant Response Headers |
| 54 | + |
| 55 | +API responses now include `Allow` and `Accept-Post` headers per the Linked Data Platform |
| 56 | +specification. These are informational headers that help clients discover API capabilities and should |
| 57 | +not break existing integrations. |
| 58 | + |
3 | 59 | ## API Platform 3.4 |
4 | 60 |
|
5 | 61 | Remove the `keep_legacy_inflector`, the `event_listeners_backward_compatibility_layer` and the |
|
0 commit comments