Merge 3.3

api-platform · Jan 17, 2025 · dbf6085 · dbf6085
2 parents 2055e08 + 4062853
commit dbf6085
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -265,6 +265,13 @@ You should now install `api-platform/symfony` instead of `api-platform/core`.
 * [74986cb55](https://github.com/api-platform/core/commit/74986cb552182dc645bd1fc967faa0954dd59e0a) feat: inflector as service (#6447)
 * [b47edb2a4](https://github.com/api-platform/core/commit/b47edb2a499c34e79c167f963e3a626a3e9d040a) feat(serializer): context IRI in HAL or JsonApi format (#6215)
 
+## v3.3.15
+
+### Bug fixes
+
+* [dc4fc84ba](https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620) fix(graphql): securityAfterResolver not called 
+* [9eb5c4e94](https://github.com/api-platform/core/commit/9eb5c4e941d0ebf59bc8ef5777b144db9b4a0899) fix(symfony): suggest `DocumentationAction` as replacement for deprecated `SwaggerUiAction` (#6894)
+
 ## v3.3.14
 
 ### Bug fixes
@@ -2707,4 +2714,4 @@ Please read #2825 if you have issues with the behavior of Readable/Writable Link
 ## 1.0.0 beta 2
 
 * Preserve indexes when normalizing and denormalizing associative arrays
-* Allow setting default order for property when registering a `Doctrine\Orm\Filter\OrderFilter` instance
+* Allow setting default order for property when registering a `Doctrine\Orm\Filter\OrderFilter` instance
diff --git a/features/graphql/query.feature b/features/graphql/query.feature
@@ -677,3 +677,20 @@ Feature: GraphQL query support
     Then the response status code should be 200
     And the header "Content-Type" should be equal to "application/json"
     And the JSON node "data.getSecurityAfterResolver.name" should be equal to "test"
+
+
+  Scenario: Call security after resolver with 403 error (ensure /2 does not match securityAfterResolver)
+    When I send the following GraphQL request:
+    """"
+    {
+      getSecurityAfterResolver(id: "/security_after_resolvers/2") {
+        name
+      }
+    }
+    """
+    Then the response status code should be 200
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/json"
+    And the JSON node "errors[0].extensions.status" should be equal to 403
+    And the JSON node "errors[0].message" should be equal to "Access Denied."
+    And the JSON node "data.getSecurityAfterResolver.name" should not exist
diff --git a/src/Symfony/Bundle/SwaggerUi/SwaggerUiAction.php b/src/Symfony/Bundle/SwaggerUi/SwaggerUiAction.php
@@ -26,7 +26,7 @@
 /**
  * Displays the swaggerui interface.
  *
- * @deprecated use ApiPlatform\Symfony\Bundle\SwaggerUi\Processor instead
+ * @deprecated use ApiPlatform\Symfony\Action\DocumentationAction instead
  *
  * @author Antoine Bluchet <[email protected]>
  */

diff --git a/src/Symfony/Security/State/AccessCheckerProvider.php b/src/Symfony/Security/State/AccessCheckerProvider.php
@@ -53,7 +53,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
                 $isGranted = $operation->getSecurityAfterResolver();
                 $message = $operation->getSecurityMessageAfterResolver();
-                // no break
+                break;
             default:
                 $isGranted = $operation->getSecurity();
                 $message = $operation->getSecurityMessage();

diff --git a/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php b/tests/Fixtures/TestBundle/ApiResource/Issue6427/SecurityAfterResolverResolver.php
@@ -23,6 +23,13 @@ final class SecurityAfterResolverResolver implements QueryItemResolverInterface
      */
     public function __invoke($item, array $context): SecurityAfterResolver
     {
+        $idUrl = $context['args']['id'];
+
+        if (str_contains($idUrl, '2')) {
+            // Unknown to simulate a 403 error
+            return new SecurityAfterResolver('2', 'nonexistent');
+        }
+
         return new SecurityAfterResolver('1', 'test');
     }
 }