test: mitigates #7194 with link constraints

soyuka · soyuka · commit a8d9ce2144ed · 2025-06-10T09:24:20.000+02:00
diff --git a/src/Metadata/Link.php b/src/Metadata/Link.php
@@ -14,6 +14,7 @@
 namespace ApiPlatform\Metadata;
 
 use ApiPlatform\OpenApi;
+use Symfony\Component\TypeInfo\Type;
 
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
 final class Link extends Parameter
@@ -27,7 +28,8 @@ public function __construct(
         private ?array $identifiers = null,
         private ?bool $compositeIdentifier = null,
         private ?string $expandedValue = null,
-        ?string $security = null,
+
+        string|\Stringable|null $security = null,
         ?string $securityMessage = null,
         private ?string $securityObjectName = null,
 
@@ -37,9 +39,15 @@ public function __construct(
         mixed $provider = null,
         mixed $filter = null,
         ?string $property = null,
+        ?array $properties = null,
         ?string $description = null,
         ?bool $required = null,
         array $extraProperties = [],
+
+        mixed $constraints = null,
+        array|string|null $filterContext = null,
+        ?Type $nativeType = null,
+        ?bool $castToArray = null,
     ) {
         // For the inverse property shortcut
         if ($this->parameterName && class_exists($this->parameterName)) {
@@ -53,11 +61,16 @@ public function __construct(
             provider: $provider,
             filter: $filter,
             property: $property,
+            properties: $properties,
             description: $description,
             required: $required,
+            constraints: $constraints,
             security: $security,
             securityMessage: $securityMessage,
-            extraProperties: $extraProperties
+            extraProperties: $extraProperties,
+            filterContext: $filterContext,
+            nativeType: $nativeType,
+            castToArray: $castToArray,
         );
     }
 
diff --git a/src/State/Provider/SecurityParameterProvider.php b/src/State/Provider/SecurityParameterProvider.php
@@ -56,6 +56,10 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         if ($operation instanceof HttpOperation) {
             foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
                 $parameters->add($key, $uriVariable->withKey($key));
             }
         }
@@ -69,7 +73,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             $value = $parameter->getValue();
             if ($parameter instanceof Link) {
                 $targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;
-                $value = $uriVariables[$parameter->getKey()] ?? new ParameterNotFound();
             }
 
             if ($value instanceof ParameterNotFound) {
diff --git a/src/Symfony/Validator/State/ParameterValidatorProvider.php b/src/Symfony/Validator/State/ParameterValidatorProvider.php
@@ -13,8 +13,10 @@
 
 namespace ApiPlatform\Symfony\Validator\State;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Parameter;
+use ApiPlatform\Metadata\Parameters;
 use ApiPlatform\State\ParameterNotFound;
 use ApiPlatform\State\ProviderInterface;
 use ApiPlatform\State\Util\ParameterParserTrait;
@@ -52,12 +54,25 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         }
 
         $constraintViolationList = new ConstraintViolationList();
-        foreach ($operation->getParameters() ?? [] as $parameter) {
+        $parameters = $operation->getParameters() ?? new Parameters();
+
+        if ($operation instanceof HttpOperation) {
+            foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getValue() instanceof ParameterNotFound) {
+                    $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());
+                }
+
+                $parameters->add($key, $uriVariable->withKey($key));
+            }
+        }
+
+        foreach ($parameters as $parameter) {
             if (!$constraints = $parameter->getConstraints()) {
                 continue;
             }
 
             $value = $parameter->getValue();
+
             if ($value instanceof ParameterNotFound) {
                 $value = null;
             }
diff --git a/tests/Fixtures/TestBundle/Entity/Employee.php b/tests/Fixtures/TestBundle/Entity/Employee.php
@@ -20,6 +20,7 @@
 use ApiPlatform\Metadata\Post;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Validator\Constraints\IdenticalTo;
 
 #[ApiResource]
 #[Post]
@@ -46,8 +47,9 @@
             identifiers: ['name'],
             fromClass: Company::class,
             toProperty: 'company',
-            security: 'company.name == "Test"',
-            extraProperties: ['uri_template' => '/company-by-name/{name}']
+            security: 'company.name == "Test" or company.name == "NotTest"',
+            extraProperties: ['uri_template' => '/company-by-name/{name}'],
+            constraints: [new IdenticalTo('Test')]
         ),
     ],
 )]
diff --git a/tests/Functional/Parameters/LinkProviderParameterTest.php b/tests/Functional/Parameters/LinkProviderParameterTest.php
@@ -130,8 +130,36 @@ public function testLinkSecurityWithSlug(): void
             $this->markTestSkipped();
         }
 
-        $response = self::createClient()->request('GET', '/companies-by-name/Test/employees');
-        dd($response->toArray(false));
-        self::assertEquals(200, $response->getStatusCode());
+        self::createClient()->request('GET', '/companies-by-name/Test/employees');
+        self::assertJsonContains([
+            'hydra:member' => [
+                ['company' => ['@id' => '/company-by-name/Test', 'name' => 'Test']],
+            ],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+    }
+
+    /**
+     * See https://github.com/api-platform/core/issues/7061.
+     */
+    public function testLinkSecurityWithConstraint(): void
+    {
+        $manager = $this->getManager();
+        $employee = new Employee();
+        $employee->setName('me');
+        $dummy = new Company();
+        $dummy->setName('Test');
+        $employee->setCompany($dummy);
+        $manager->persist($employee);
+        $manager->persist($dummy);
+        $manager->flush();
+
+        $container = static::getContainer();
+        if ('mongodb' === $container->getParameter('kernel.environment')) {
+            $this->markTestSkipped();
+        }
+
+        $response = self::createClient()->request('GET', '/companies-by-name/NotTest/employees');
+        self::assertEquals(422, $response->getStatusCode());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,10 @@ public function provide(Operation $operation, array $uriVariables = [], array $c`
`56`	`56`
`57`	`57`	`if ($operation instanceof HttpOperation) {`
`58`	`58`	`foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {`
	`59`	`+ if ($uriVariable->getValue() instanceof ParameterNotFound) {`
	`60`	`+ $uriVariable->setValue($uriVariables[$key] ?? new ParameterNotFound());`
	`61`	`+ }`
	`62`	`+`
`59`	`63`	`$parameters->add($key, $uriVariable->withKey($key));`
`60`	`64`	`}`
`61`	`65`	`}`
`@@ -69,7 +73,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c`
`69`	`73`	`$value = $parameter->getValue();`
`70`	`74`	`if ($parameter instanceof Link) {`
`71`	`75`	`$targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;`
`72`		`- $value = $uriVariables[$parameter->getKey()] ?? new ParameterNotFound();`
`73`	`76`	`}`
`74`	`77`
`75`	`78`	`if ($value instanceof ParameterNotFound) {`