vendor/api-platform/core/src/Serializer/AbstractItemNormalizer.php line 91

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the API Platform project.
  5. *
  6. * (c) Kévin Dunglas <dunglas@gmail.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. declare(strict_types=1);
  14. namespace ApiPlatform\Serializer;
  16. use ApiPlatform\Api\IriConverterInterface;
  17. use ApiPlatform\Api\UrlGeneratorInterface;
  18. use ApiPlatform\Core\Api\IriConverterInterface as LegacyIriConverterInterface;
  19. use ApiPlatform\Core\Bridge\Symfony\Messenger\DataTransformer as MessengerDataTransformer;
  20. use ApiPlatform\Core\DataProvider\ItemDataProviderInterface;
  21. use ApiPlatform\Core\DataTransformer\DataTransformerInitializerInterface;
  22. use ApiPlatform\Core\DataTransformer\DataTransformerInterface;
  23. use ApiPlatform\Core\Metadata\Property\Factory\PropertyMetadataFactoryInterface as LegacyPropertyMetadataFactoryInterface;
  24. use ApiPlatform\Core\Metadata\Property\PropertyMetadata;
  25. use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
  26. use ApiPlatform\Exception\InvalidArgumentException;
  27. use ApiPlatform\Exception\InvalidValueException;
  28. use ApiPlatform\Exception\ItemNotFoundException;
  29. use ApiPlatform\Metadata\ApiProperty;
  30. use ApiPlatform\Metadata\CollectionOperationInterface;
  31. use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
  32. use ApiPlatform\Metadata\Property\Factory\PropertyNameCollectionFactoryInterface;
  33. use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
  34. use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
  35. use ApiPlatform\Util\ClassInfoTrait;
  36. use ApiPlatform\Util\CloneTrait;
  37. use Symfony\Component\PropertyAccess\Exception\NoSuchPropertyException;
  38. use Symfony\Component\PropertyAccess\PropertyAccess;
  39. use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
  40. use Symfony\Component\PropertyInfo\Type;
  41. use Symfony\Component\Serializer\Encoder\CsvEncoder;
  42. use Symfony\Component\Serializer\Encoder\XmlEncoder;
  43. use Symfony\Component\Serializer\Exception\LogicException;
  44. use Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException;
  45. use Symfony\Component\Serializer\Exception\NotNormalizableValueException;
  46. use Symfony\Component\Serializer\Exception\RuntimeException;
  47. use Symfony\Component\Serializer\Exception\UnexpectedValueException;
  48. use Symfony\Component\Serializer\Mapping\Factory\ClassMetadataFactoryInterface;
  49. use Symfony\Component\Serializer\NameConverter\AdvancedNameConverterInterface;
  50. use Symfony\Component\Serializer\NameConverter\NameConverterInterface;
  51. use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
  52. use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
  53. use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
  55. /**
  56. * Base item normalizer.
  57. *
  58. * @author Kévin Dunglas <dunglas@gmail.com>
  59. */
  60. abstract class AbstractItemNormalizer extends AbstractObjectNormalizer
  61. {
  62. use ClassInfoTrait;
  63. use CloneTrait;
  64. use ContextTrait;
  65. use InputOutputMetadataTrait;
  66. use OperationContextTrait;
  68. public const IS_TRANSFORMED_TO_SAME_CLASS = 'is_transformed_to_same_class';
  70. /**
  71. * @var PropertyNameCollectionFactoryInterface
  72. */
  73. protected $propertyNameCollectionFactory;
  74. /**
  75. * @var LegacyPropertyMetadataFactoryInterface|PropertyMetadataFactoryInterface
  76. */
  77. protected $propertyMetadataFactory;
  78. protected $resourceMetadataFactory;
  79. /**
  80. * @var LegacyIriConverterInterface|IriConverterInterface
  81. */
  82. protected $iriConverter;
  83. protected $resourceClassResolver;
  84. protected $resourceAccessChecker;
  85. protected $propertyAccessor;
  86. protected $itemDataProvider;
  87. protected $allowPlainIdentifiers;
  88. protected $dataTransformers = [];
  89. protected $localCache = [];
  91. public function __construct(PropertyNameCollectionFactoryInterface $propertyNameCollectionFactory, $propertyMetadataFactory, $iriConverter, $resourceClassResolver, PropertyAccessorInterface $propertyAccessor = null, NameConverterInterface $nameConverter = null, ClassMetadataFactoryInterface $classMetadataFactory = null, ItemDataProviderInterface $itemDataProvider = null, bool $allowPlainIdentifiers = false, array $defaultContext = [], iterable $dataTransformers = [], $resourceMetadataFactory = null, ResourceAccessCheckerInterface $resourceAccessChecker = null)
  92. {
  93. if (!isset($defaultContext['circular_reference_handler'])) {
  94. $defaultContext['circular_reference_handler'] = function ($object) {
  95. return $this->iriConverter instanceof LegacyIriConverterInterface ? $this->iriConverter->getIriFromItem($object) : $this->iriConverter->getIriFromResource($object);
  96. };
  97. }
  98. if (!interface_exists(AdvancedNameConverterInterface::class) && method_exists($this, 'setCircularReferenceHandler')) {
  99. $this->setCircularReferenceHandler($defaultContext['circular_reference_handler']);
  100. }
  102. parent::__construct($classMetadataFactory, $nameConverter, null, null, \Closure::fromCallable([$this, 'getObjectClass']), $defaultContext);
  104. $this->propertyNameCollectionFactory = $propertyNameCollectionFactory;
  105. $this->propertyMetadataFactory = $propertyMetadataFactory;
  107. if ($iriConverter instanceof LegacyIriConverterInterface) {
  108. trigger_deprecation('api-platform/core', '2.7', sprintf('Use an implementation of "%s" instead of "%s".', IriConverterInterface::class, LegacyIriConverterInterface::class));
  109. }
  111. $this->iriConverter = $iriConverter;
  112. $this->resourceClassResolver = $resourceClassResolver;
  113. $this->propertyAccessor = $propertyAccessor ?: PropertyAccess::createPropertyAccessor();
  114. $this->itemDataProvider = $itemDataProvider;
  116. if (true === $allowPlainIdentifiers) {
  117. @trigger_error(sprintf('Allowing plain identifiers as argument of "%s" is deprecated since API Platform 2.7 and will not be possible anymore in API Platform 3.', self::class), \E_USER_DEPRECATED);
  118. }
  119. $this->allowPlainIdentifiers = $allowPlainIdentifiers;
  121. $this->dataTransformers = $dataTransformers;
  123. // Just skip our data transformer to trigger a proper deprecation
  124. $customDataTransformers = array_filter(\is_array($dataTransformers) ? $dataTransformers : iterator_to_array($dataTransformers), function ($dataTransformer) {
  125. return !$dataTransformer instanceof MessengerDataTransformer;
  126. });
  128. if (\count($customDataTransformers)) {
  129. trigger_deprecation('api-platform/core', '2.7', 'The DataTransformer pattern is deprecated, use a Provider or a Processor and either use your input or return a new output there.');
  130. }
  132. if ($resourceMetadataFactory && !$resourceMetadataFactory instanceof ResourceMetadataCollectionFactoryInterface) {
  133. trigger_deprecation('api-platform/core', '2.7', sprintf('Use "%s" instead of "%s".', ResourceMetadataCollectionFactoryInterface::class, ResourceMetadataFactoryInterface::class));
  134. }
  136. $this->resourceMetadataFactory = $resourceMetadataFactory;
  137. $this->resourceAccessChecker = $resourceAccessChecker;
  138. }
  140. public function supportsNormalization($data, $format = null, array $context = []): bool
  141. {
  142. if (!\is_object($data) || is_iterable($data)) {
  143. return false;
  144. }
  146. $class = $this->getObjectClass($data);
  147. if (($context['output']['class'] ?? null) === $class) {
  148. return true;
  149. }
  151. return $this->resourceClassResolver->isResourceClass($class);
  152. }
  154. public function hasCacheableSupportsMethod(): bool
  155. {
  156. return true;
  157. }
  159. /**
  160. * @param mixed|null $format
  161. *
  162. * @throws LogicException
  163. *
  164. * @return array|string|int|float|bool|\ArrayObject|null
  165. */
  166. public function normalize($object, $format = null, array $context = [])
  167. {
  168. $resourceClass = $this->getObjectClass($object);
  169. if (!($isTransformed = isset($context[self::IS_TRANSFORMED_TO_SAME_CLASS])) && $outputClass = $this->getOutputClass($resourceClass, $context)) {
  170. if (!$this->serializer instanceof NormalizerInterface) {
  171. throw new LogicException('Cannot normalize the output because the injected serializer is not a normalizer');
  172. }
  174. // Data transformers are deprecated, this is removed from 3.0
  175. if ($dataTransformer = $this->getDataTransformer($object, $outputClass, $context)) {
  176. $transformed = $dataTransformer->transform($object, $outputClass, $context);
  178. if ($object === $transformed) {
  179. $context[self::IS_TRANSFORMED_TO_SAME_CLASS] = true;
  180. } else {
  181. $context['api_normalize'] = true;
  182. $context['api_resource'] = $object;
  183. unset($context['output'], $context['resource_class']);
  184. }
  186. return $this->serializer->normalize($transformed, $format, $context);
  187. }
  189. unset($context['output'], $context['operation_name']);
  190. if ($this->resourceMetadataFactory instanceof ResourceMetadataCollectionFactoryInterface && !isset($context['operation'])) {
  191. $context['operation'] = $this->resourceMetadataFactory->create($context['resource_class'])->getOperation();
  192. }
  193. $context['resource_class'] = $outputClass;
  194. $context['api_sub_level'] = true;
  195. $context[self::ALLOW_EXTRA_ATTRIBUTES] = false;
  197. return $this->serializer->normalize($object, $format, $context);
  198. }
  200. if ($isTransformed) {
  201. unset($context[self::IS_TRANSFORMED_TO_SAME_CLASS]);
  202. }
  204. if ($isResourceClass = $this->resourceClassResolver->isResourceClass($resourceClass)) {
  205. $context = $this->initContext($resourceClass, $context);
  206. }
  208. // Never remove this, with `application/json` we don't use our AbstractCollectionNormalizer and we need
  209. // to remove the collection operation from our context or we'll introduce security issues
  210. if (isset($context['operation']) && $context['operation'] instanceof CollectionOperationInterface) {
  211. unset($context['operation_name']);
  212. unset($context['operation']);
  213. unset($context['iri']);
  214. }
  216. $iri = null;
  217. if (isset($context['iri'])) {
  218. $iri = $context['iri'];
  219. } elseif ($this->iriConverter instanceof LegacyIriConverterInterface && $isResourceClass) {
  220. $iri = $this->iriConverter->getIriFromItem($object);
  221. } elseif ($this->iriConverter instanceof IriConverterInterface) {
  222. $iri = $this->iriConverter->getIriFromResource($object, UrlGeneratorInterface::ABS_URL, $context['operation'] ?? null, $context);
  223. }
  225. $context['iri'] = $iri;
  226. $context['api_normalize'] = true;
  228. /*
  229. * When true, converts the normalized data array of a resource into an
  230. * IRI, if the normalized data array is empty.
  231. *
  232. * This is useful when traversing from a non-resource towards an attribute
  233. * which is a resource, as we do not have the benefit of {@see PropertyMetadata::isReadableLink}.
  234. *
  235. * It must not be propagated to subresources, as {@see PropertyMetadata::isReadableLink}
  236. * should take effect.
  237. */
  238. $emptyResourceAsIri = $context['api_empty_resource_as_iri'] ?? false;
  239. unset($context['api_empty_resource_as_iri']);
  241. if (isset($context['resources'])) {
  242. $context['resources'][$iri] = $iri;
  243. }
  245. $data = parent::normalize($object, $format, $context);
  246. if ($emptyResourceAsIri && \is_array($data) && 0 === \count($data)) {
  247. return $iri;
  248. }
  250. return $data;
  251. }
  253. /**
  254. * @param mixed|null $format
  255. *
  256. * @return bool
  257. */
  258. public function supportsDenormalization($data, $type, $format = null, array $context = [])
  259. {
  260. if (($context['input']['class'] ?? null) === $type) {
  261. return true;
  262. }
  264. return $this->localCache[$type] ?? $this->localCache[$type] = $this->resourceClassResolver->isResourceClass($type);
  265. }
  267. public function denormalize($data, $class, $format = null, array $context = [])
  268. {
  269. $resourceClass = $class;
  271. if (null !== $inputClass = $this->getInputClass($resourceClass, $context)) {
  272. if (null !== $dataTransformer = $this->getDataTransformer($data, $resourceClass, $context)) {
  273. $dataTransformerContext = $context;
  275. unset($context['input']);
  276. unset($context['resource_class']);
  278. if (!$this->serializer instanceof DenormalizerInterface) {
  279. throw new LogicException('Cannot denormalize the input because the injected serializer is not a denormalizer');
  280. }
  282. if ($dataTransformer instanceof DataTransformerInitializerInterface) {
  283. $context[AbstractObjectNormalizer::OBJECT_TO_POPULATE] = $dataTransformer->initialize($inputClass, $context);
  284. $context[AbstractObjectNormalizer::DEEP_OBJECT_TO_POPULATE] = true;
  285. }
  287. try {
  288. $denormalizedInput = $this->serializer->denormalize($data, $inputClass, $format, $context);
  289. } catch (NotNormalizableValueException $e) {
  290. throw new UnexpectedValueException('The input data is misformatted.', $e->getCode(), $e);
  291. }
  293. if (!\is_object($denormalizedInput)) {
  294. throw new UnexpectedValueException('Expected denormalized input to be an object.');
  295. }
  297. return $dataTransformer->transform($denormalizedInput, $resourceClass, $dataTransformerContext);
  298. }
  300. unset($context['input']);
  301. unset($context['operation']);
  302. unset($context['operation_name']);
  303. $context['resource_class'] = $inputClass;
  305. if (!$this->serializer instanceof DenormalizerInterface) {
  306. throw new LogicException('Cannot denormalize the input because the injected serializer is not a denormalizer');
  307. }
  309. try {
  310. return $this->serializer->denormalize($data, $inputClass, $format, $context);
  311. } catch (NotNormalizableValueException $e) {
  312. throw new UnexpectedValueException('The input data is misformatted.', $e->getCode(), $e);
  313. }
  314. }
  316. if (null === $objectToPopulate = $this->extractObjectToPopulate($class, $context, static::OBJECT_TO_POPULATE)) {
  317. $normalizedData = \is_scalar($data) ? [$data] : $this->prepareForDenormalization($data);
  318. $class = $this->getClassDiscriminatorResolvedClass($normalizedData, $class);
  319. }
  321. $context['api_denormalize'] = true;
  323. if ($this->resourceClassResolver->isResourceClass($class)) {
  324. $resourceClass = $this->resourceClassResolver->getResourceClass($objectToPopulate, $class);
  325. $context['resource_class'] = $resourceClass;
  326. }
  328. $supportsPlainIdentifiers = $this->supportsPlainIdentifiers();
  330. if (\is_string($data)) {
  331. try {
  332. return $this->iriConverter instanceof LegacyIriConverterInterface ? $this->iriConverter->getItemFromIri($data, $context + ['fetch_data' => true]) : $this->iriConverter->getResourceFromIri($data, $context + ['fetch_data' => true]);
  333. } catch (ItemNotFoundException $e) {
  334. if (!$supportsPlainIdentifiers) {
  335. throw new UnexpectedValueException($e->getMessage(), $e->getCode(), $e);
  336. }
  337. } catch (InvalidArgumentException $e) {
  338. if (!$supportsPlainIdentifiers) {
  339. throw new UnexpectedValueException(sprintf('Invalid IRI "%s".', $data), $e->getCode(), $e);
  340. }
  341. }
  342. }
  344. if (!\is_array($data)) {
  345. if (!$supportsPlainIdentifiers) {
  346. throw new UnexpectedValueException(sprintf('Expected IRI or document for resource "%s", "%s" given.', $resourceClass, \gettype($data)));
  347. }
  349. $item = $this->itemDataProvider->getItem($resourceClass, $data, null, $context + ['fetch_data' => true]);
  350. if (null === $item) {
  351. throw new ItemNotFoundException(sprintf('Item not found for resource "%s" with id "%s".', $resourceClass, $data));
  352. }
  354. return $item;
  355. }
  357. $previousObject = $this->clone($objectToPopulate);
  358. $object = parent::denormalize($data, $resourceClass, $format, $context);
  360. if (!$this->resourceClassResolver->isResourceClass($context['resource_class'])) {
  361. return $object;
  362. }
  364. // Bypass the post-denormalize attribute revert logic if the object could not be
  365. // cloned since we cannot possibly revert any changes made to it.
  366. if (null !== $objectToPopulate && null === $previousObject) {
  367. return $object;
  368. }
  370. $options = $this->getFactoryOptions($context);
  371. $propertyNames = iterator_to_array($this->propertyNameCollectionFactory->create($resourceClass, $options));
  373. // Revert attributes that aren't allowed to be changed after a post-denormalize check
  374. foreach (array_keys($data) as $attribute) {
  375. $attribute = $this->nameConverter ? $this->nameConverter->denormalize((string) $attribute) : $attribute;
  376. if (!\in_array($attribute, $propertyNames, true)) {
  377. continue;
  378. }
  380. if (!$this->canAccessAttributePostDenormalize($object, $previousObject, $attribute, $context)) {
  381. if (null !== $previousObject) {
  382. $this->setValue($object, $attribute, $this->propertyAccessor->getValue($previousObject, $attribute));
  383. } else {
  384. $propertyMetadata = $this->propertyMetadataFactory->create($resourceClass, $attribute, $options);
  385. $this->setValue($object, $attribute, $propertyMetadata->getDefault());
  386. }
  387. }
  388. }
  390. return $object;
  391. }
  393. /**
  394. * Method copy-pasted from symfony/serializer.
  395. * Remove it after symfony/serializer version update @see https://github.com/symfony/symfony/pull/28263.
  396. *
  397. * @internal
  398. *
  399. * @return object
  400. */
  401. protected function instantiateObject(array &$data, $class, array &$context, \ReflectionClass $reflectionClass, $allowedAttributes, string $format = null)
  402. {
  403. if (null !== $object = $this->extractObjectToPopulate($class, $context, static::OBJECT_TO_POPULATE)) {
  404. unset($context[static::OBJECT_TO_POPULATE]);
  406. return $object;
  407. }
  409. $class = $this->getClassDiscriminatorResolvedClass($data, $class);
  410. $reflectionClass = new \ReflectionClass($class);
  412. $constructor = $this->getConstructor($data, $class, $context, $reflectionClass, $allowedAttributes);
  413. if ($constructor) {
  414. $constructorParameters = $constructor->getParameters();
  416. $params = [];
  417. foreach ($constructorParameters as $constructorParameter) {
  418. $paramName = $constructorParameter->name;
  419. $key = $this->nameConverter ? $this->nameConverter->normalize($paramName, $class, $format, $context) : $paramName;
  421. $allowed = false === $allowedAttributes || (\is_array($allowedAttributes) && \in_array($paramName, $allowedAttributes, true));
  422. $ignored = !$this->isAllowedAttribute($class, $paramName, $format, $context);
  423. if ($constructorParameter->isVariadic()) {
  424. if ($allowed && !$ignored && (isset($data[$key]) || \array_key_exists($key, $data))) {
  425. if (!\is_array($data[$paramName])) {
  426. throw new RuntimeException(sprintf('Cannot create an instance of %s from serialized data because the variadic parameter %s can only accept an array.', $class, $constructorParameter->name));
  427. }
  429. $params = array_merge($params, $data[$paramName]);
  430. }
  431. } elseif ($allowed && !$ignored && (isset($data[$key]) || \array_key_exists($key, $data))) {
  432. $params[] = $this->createConstructorArgument($data[$key], $key, $constructorParameter, $context, $format);
  434. // Don't run set for a parameter passed to the constructor
  435. unset($data[$key]);
  436. } elseif (isset($context[static::DEFAULT_CONSTRUCTOR_ARGUMENTS][$class][$key])) {
  437. $params[] = $context[static::DEFAULT_CONSTRUCTOR_ARGUMENTS][$class][$key];
  438. } elseif ($constructorParameter->isDefaultValueAvailable()) {
  439. $params[] = $constructorParameter->getDefaultValue();
  440. } else {
  441. throw new MissingConstructorArgumentsException(sprintf('Cannot create an instance of %s from serialized data because its constructor requires parameter "%s" to be present.', $class, $constructorParameter->name));
  442. }
  443. }
  445. if ($constructor->isConstructor()) {
  446. return $reflectionClass->newInstanceArgs($params);
  447. }
  449. return $constructor->invokeArgs(null, $params);
  450. }
  452. return new $class();
  453. }
  455. protected function getClassDiscriminatorResolvedClass(array &$data, string $class): string
  456. {
  457. if (null === $this->classDiscriminatorResolver || (null === $mapping = $this->classDiscriminatorResolver->getMappingForClass($class))) {
  458. return $class;
  459. }
  461. if (!isset($data[$mapping->getTypeProperty()])) {
  462. throw new RuntimeException(sprintf('Type property "%s" not found for the abstract object "%s"', $mapping->getTypeProperty(), $class));
  463. }
  465. $type = $data[$mapping->getTypeProperty()];
  466. if (null === ($mappedClass = $mapping->getClassForType($type))) {
  467. throw new RuntimeException(sprintf('The type "%s" has no mapped class for the abstract object "%s"', $type, $class));
  468. }
  470. return $mappedClass;
  471. }
  473. protected function createConstructorArgument($parameterData, string $key, \ReflectionParameter $constructorParameter, array &$context, string $format = null)
  474. {
  475. return $this->createAttributeValue($constructorParameter->name, $parameterData, $format, $context);
  476. }
  478. /**
  479. * {@inheritdoc}
  480. *
  481. * Unused in this context.
  482. *
  483. * @return string[]
  484. */
  485. protected function extractAttributes($object, $format = null, array $context = [])
  486. {
  487. return [];
  488. }
  490. /**
  491. * @return array|bool
  492. */
  493. protected function getAllowedAttributes($classOrObject, array $context, $attributesAsString = false)
  494. {
  495. if (!$this->resourceClassResolver->isResourceClass($context['resource_class'])) {
  496. return parent::getAllowedAttributes($classOrObject, $context, $attributesAsString);
  497. }
  499. $resourceClass = $this->resourceClassResolver->getResourceClass(null, $context['resource_class']); // fix for abstract classes and interfaces
  500. $options = $this->getFactoryOptions($context);
  501. $propertyNames = $this->propertyNameCollectionFactory->create($resourceClass, $options);
  503. $allowedAttributes = [];
  504. foreach ($propertyNames as $propertyName) {
  505. $propertyMetadata = $this->propertyMetadataFactory->create($resourceClass, $propertyName, $options);
  507. if (
  508. $this->isAllowedAttribute($classOrObject, $propertyName, null, $context)
  509. && (
  510. isset($context['api_normalize']) && $propertyMetadata->isReadable()
  511. || isset($context['api_denormalize']) && ($propertyMetadata->isWritable() || !\is_object($classOrObject) && $propertyMetadata->isInitializable())
  512. )
  513. ) {
  514. $allowedAttributes[] = $propertyName;
  515. }
  516. }
  518. return $allowedAttributes;
  519. }
  521. /**
  522. * @param mixed|null $format
  523. *
  524. * @return bool
  525. */
  526. protected function isAllowedAttribute($classOrObject, $attribute, $format = null, array $context = [])
  527. {
  528. if (!parent::isAllowedAttribute($classOrObject, $attribute, $format, $context)) {
  529. return false;
  530. }
  532. return $this->canAccessAttribute(\is_object($classOrObject) ? $classOrObject : null, $attribute, $context);
  533. }
  535. /**
  536. * Check if access to the attribute is granted.
  537. *
  538. * @param object $object
  539. */
  540. protected function canAccessAttribute($object, string $attribute, array $context = []): bool
  541. {
  542. if (!$this->resourceClassResolver->isResourceClass($context['resource_class'])) {
  543. return true;
  544. }
  546. $options = $this->getFactoryOptions($context);
  547. /** @var PropertyMetadata|ApiProperty */
  548. $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $options);
  549. $security = $propertyMetadata instanceof PropertyMetadata ? $propertyMetadata->getAttribute('security') : $propertyMetadata->getSecurity();
  550. if ($this->resourceAccessChecker && $security) {
  551. return $this->resourceAccessChecker->isGranted($context['resource_class'], $security, [
  552. 'object' => $object,
  553. ]);
  554. }
  556. return true;
  557. }
  559. /**
  560. * Check if access to the attribute is granted.
  561. *
  562. * @param object $object
  563. * @param object|null $previousObject
  564. */
  565. protected function canAccessAttributePostDenormalize($object, $previousObject, string $attribute, array $context = []): bool
  566. {
  567. $options = $this->getFactoryOptions($context);
  568. /** @var PropertyMetadata|ApiProperty */
  569. $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $options);
  570. $security = $propertyMetadata instanceof PropertyMetadata ? $propertyMetadata->getAttribute('security_post_denormalize') : $propertyMetadata->getSecurityPostDenormalize();
  571. if ($this->resourceAccessChecker && $security) {
  572. return $this->resourceAccessChecker->isGranted($context['resource_class'], $security, [
  573. 'object' => $object,
  574. 'previous_object' => $previousObject,
  575. ]);
  576. }
  578. return true;
  579. }
  581. protected function setAttributeValue($object, $attribute, $value, $format = null, array $context = [])
  582. {
  583. $this->setValue($object, $attribute, $this->createAttributeValue($attribute, $value, $format, $context));
  584. }
  586. /**
  587. * Validates the type of the value. Allows using integers as floats for JSON formats.
  588. *
  589. * @throws InvalidArgumentException
  590. */
  591. protected function validateType(string $attribute, Type $type, $value, string $format = null)
  592. {
  593. $builtinType = $type->getBuiltinType();
  594. if (Type::BUILTIN_TYPE_FLOAT === $builtinType && null !== $format && str_contains($format, 'json')) {
  595. $isValid = \is_float($value) || \is_int($value);
  596. } else {
  597. $isValid = \call_user_func('is_'.$builtinType, $value);
  598. }
  600. if (!$isValid) {
  601. throw new UnexpectedValueException(sprintf('The type of the "%s" attribute must be "%s", "%s" given.', $attribute, $builtinType, \gettype($value)));
  602. }
  603. }
  605. /**
  606. * Denormalizes a collection of objects.
  607. *
  608. * @param ApiProperty|PropertyMetadata $propertyMetadata
  609. *
  610. * @throws InvalidArgumentException
  611. */
  612. protected function denormalizeCollection(string $attribute, $propertyMetadata, Type $type, string $className, $value, ?string $format, array $context): array
  613. {
  614. if (!\is_array($value)) {
  615. throw new InvalidArgumentException(sprintf('The type of the "%s" attribute must be "array", "%s" given.', $attribute, \gettype($value)));
  616. }
  618. $collectionKeyType = method_exists(Type::class, 'getCollectionKeyTypes') ? ($type->getCollectionKeyTypes()[0] ?? null) : $type->getCollectionKeyType();
  619. $collectionKeyBuiltinType = null === $collectionKeyType ? null : $collectionKeyType->getBuiltinType();
  620. $childContext = $this->createChildContext($this->createOperationContext($context, $className), $attribute, $format);
  622. $values = [];
  623. foreach ($value as $index => $obj) {
  624. if (null !== $collectionKeyBuiltinType && !\call_user_func('is_'.$collectionKeyBuiltinType, $index)) {
  625. throw new InvalidArgumentException(sprintf('The type of the key "%s" must be "%s", "%s" given.', $index, $collectionKeyBuiltinType, \gettype($index)));
  626. }
  628. $values[$index] = $this->denormalizeRelation($attribute, $propertyMetadata, $className, $obj, $format, $childContext);
  629. }
  631. return $values;
  632. }
  634. /**
  635. * Denormalizes a relation.
  636. *
  637. * @param ApiProperty|PropertyMetadata $propertyMetadata
  638. *
  639. * @throws LogicException
  640. * @throws UnexpectedValueException
  641. * @throws ItemNotFoundException
  642. *
  643. * @return object|null
  644. */
  645. protected function denormalizeRelation(string $attributeName, $propertyMetadata, string $className, $value, ?string $format, array $context)
  646. {
  647. $supportsPlainIdentifiers = $this->supportsPlainIdentifiers();
  649. if (\is_string($value)) {
  650. try {
  651. return $this->iriConverter instanceof LegacyIriConverterInterface ? $this->iriConverter->getItemFromIri($value, $context + ['fetch_data' => true]) : $this->iriConverter->getResourceFromIri($value, $context + ['fetch_data' => true]);
  652. } catch (ItemNotFoundException $e) {
  653. if (!$supportsPlainIdentifiers) {
  654. throw new UnexpectedValueException($e->getMessage(), $e->getCode(), $e);
  655. }
  656. } catch (InvalidArgumentException $e) {
  657. if (!$supportsPlainIdentifiers) {
  658. throw new UnexpectedValueException(sprintf('Invalid IRI "%s".', $value), $e->getCode(), $e);
  659. }
  660. }
  661. }
  663. if ($propertyMetadata->isWritableLink()) {
  664. $context['api_allow_update'] = true;
  666. if (!$this->serializer instanceof DenormalizerInterface) {
  667. throw new LogicException(sprintf('The injected serializer must be an instance of "%s".', DenormalizerInterface::class));
  668. }
  670. try {
  671. $item = $this->serializer->denormalize($value, $className, $format, $context);
  672. if (!\is_object($item) && null !== $item) {
  673. throw new \UnexpectedValueException('Expected item to be an object or null.');
  674. }
  676. return $item;
  677. } catch (InvalidValueException $e) {
  678. if (!$supportsPlainIdentifiers) {
  679. throw $e;
  680. }
  681. }
  682. }
  684. if (!\is_array($value)) {
  685. if (!$supportsPlainIdentifiers) {
  686. throw new UnexpectedValueException(sprintf('Expected IRI or nested document for attribute "%s", "%s" given.', $attributeName, \gettype($value)));
  687. }
  689. $item = $this->itemDataProvider->getItem($className, $value, null, $context + ['fetch_data' => true]);
  690. if (null === $item) {
  691. throw new ItemNotFoundException(sprintf('Item not found for resource "%s" with id "%s".', $className, $value));
  692. }
  694. return $item;
  695. }
  697. throw new UnexpectedValueException(sprintf('Nested documents for attribute "%s" are not allowed. Use IRIs instead.', $attributeName));
  698. }
  700. /**
  701. * Gets the options for the property name collection / property metadata factories.
  702. */
  703. protected function getFactoryOptions(array $context): array
  704. {
  705. $options = [];
  707. if (isset($context[self::GROUPS])) {
  708. /* @see https://github.com/symfony/symfony/blob/v4.2.6/src/Symfony/Component/PropertyInfo/Extractor/SerializerExtractor.php */
  709. $options['serializer_groups'] = (array) $context[self::GROUPS];
  710. }
  712. if (isset($context['resource_class']) && $this->resourceClassResolver->isResourceClass($context['resource_class']) && $this->resourceMetadataFactory instanceof ResourceMetadataCollectionFactoryInterface) {
  713. $resourceClass = $this->resourceClassResolver->getResourceClass(null, $context['resource_class']); // fix for abstract classes and interfaces
  714. // This is a hot spot, we should avoid calling this here but in many cases we can't
  715. $operation = $context['root_operation'] ?? $context['operation'] ?? $this->resourceMetadataFactory->create($resourceClass)->getOperation($context['root_operation_name'] ?? $context['operation_name'] ?? null);
  716. $options['normalization_groups'] = $operation->getNormalizationContext()['groups'] ?? null;
  717. $options['denormalization_groups'] = $operation->getDenormalizationContext()['groups'] ?? null;
  718. }
  720. if (isset($context['operation_name'])) {
  721. $options['operation_name'] = $context['operation_name'];
  722. }
  724. // Preserve this context here since its deprecated in 2.7 and removed in 3.0.
  725. if (isset($context['collection_operation_name'])) {
  726. $options['collection_operation_name'] = $context['collection_operation_name'];
  727. }
  729. if (isset($context['item_operation_name'])) {
  730. $options['item_operation_name'] = $context['item_operation_name'];
  731. }
  733. return $options;
  734. }
  736. /**
  737. * Creates the context to use when serializing a relation.
  738. *
  739. * @deprecated since version 2.1, to be removed in 3.0.
  740. */
  741. protected function createRelationSerializationContext(string $resourceClass, array $context): array
  742. {
  743. @trigger_error(sprintf('The method %s() is deprecated since 2.1 and will be removed in 3.0.', __METHOD__), \E_USER_DEPRECATED);
  745. return $context;
  746. }
  748. /**
  749. * @param mixed|null $format
  750. *
  751. * @throws UnexpectedValueException
  752. * @throws LogicException
  753. */
  754. protected function getAttributeValue($object, $attribute, $format = null, array $context = [])
  755. {
  756. $context['api_attribute'] = $attribute;
  757. /** @var ApiProperty|PropertyMetadata */
  758. $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $this->getFactoryOptions($context));
  760. try {
  761. $attributeValue = $this->propertyAccessor->getValue($object, $attribute);
  762. } catch (NoSuchPropertyException $e) {
  763. // BC to be removed in 3.0
  764. if ($propertyMetadata instanceof PropertyMetadata && !$propertyMetadata->hasChildInherited()) {
  765. throw $e;
  766. }
  767. if ($propertyMetadata instanceof ApiProperty) {
  768. throw $e;
  769. }
  771. $attributeValue = null;
  772. }
  774. if ($context['api_denormalize'] ?? false) {
  775. return $attributeValue;
  776. }
  778. $type = $propertyMetadata instanceof PropertyMetadata ? $propertyMetadata->getType() : ($propertyMetadata->getBuiltinTypes()[0] ?? null);
  780. if (
  781. $type
  782. && $type->isCollection()
  783. && ($collectionValueType = method_exists(Type::class, 'getCollectionValueTypes') ? ($type->getCollectionValueTypes()[0] ?? null) : $type->getCollectionValueType())
  784. && ($className = $collectionValueType->getClassName())
  785. && $this->resourceClassResolver->isResourceClass($className)
  786. ) {
  787. if (!is_iterable($attributeValue)) {
  788. throw new UnexpectedValueException('Unexpected non-iterable value for to-many relation.');
  789. }
  791. $resourceClass = $this->resourceClassResolver->getResourceClass($attributeValue, $className);
  792. $childContext = $this->createChildContext($this->createOperationContext($context, $resourceClass), $attribute, $format);
  794. return $this->normalizeCollectionOfRelations($propertyMetadata, $attributeValue, $resourceClass, $format, $childContext);
  795. }
  797. if (
  798. $type
  799. && ($className = $type->getClassName())
  800. && $this->resourceClassResolver->isResourceClass($className)
  801. ) {
  802. if (!\is_object($attributeValue) && null !== $attributeValue) {
  803. throw new UnexpectedValueException('Unexpected non-object value for to-one relation.');
  804. }
  806. $resourceClass = $this->resourceClassResolver->getResourceClass($attributeValue, $className);
  807. $childContext = $this->createChildContext($this->createOperationContext($context, $resourceClass), $attribute, $format);
  809. return $this->normalizeRelation($propertyMetadata, $attributeValue, $resourceClass, $format, $childContext);
  810. }
  812. if (!$this->serializer instanceof NormalizerInterface) {
  813. throw new LogicException(sprintf('The injected serializer must be an instance of "%s".', NormalizerInterface::class));
  814. }
  816. unset($context['resource_class']);
  818. if ($type && $type->getClassName()) {
  819. $childContext = $this->createChildContext($context, $attribute, $format);
  820. unset($childContext['iri'], $childContext['uri_variables']);
  822. if ($propertyMetadata instanceof PropertyMetadata) {
  823. $childContext['output']['iri'] = $propertyMetadata->getIri() ?? false;
  824. } else {
  825. $childContext['output']['gen_id'] = $propertyMetadata->getGenId() ?? false;
  826. }
  828. return $this->serializer->normalize($attributeValue, $format, $childContext);
  829. }
  831. return $this->serializer->normalize($attributeValue, $format, $context);
  832. }
  834. /**
  835. * Normalizes a collection of relations (to-many).
  836. *
  837. * @param ApiProperty|PropertyMetadata $propertyMetadata
  838. * @param iterable $attributeValue
  839. *
  840. * @throws UnexpectedValueException
  841. */
  842. protected function normalizeCollectionOfRelations($propertyMetadata, $attributeValue, string $resourceClass, ?string $format, array $context): array
  843. {
  844. $value = [];
  845. foreach ($attributeValue as $index => $obj) {
  846. if (!\is_object($obj) && null !== $obj) {
  847. throw new UnexpectedValueException('Unexpected non-object element in to-many relation.');
  848. }
  850. $value[$index] = $this->normalizeRelation($propertyMetadata, $obj, $resourceClass, $format, $context);
  851. }
  853. return $value;
  854. }
  856. /**
  857. * Normalizes a relation.
  858. *
  859. * @param ApiProperty|PropertyMetadata $propertyMetadata
  860. * @param object|null $relatedObject
  861. *
  862. * @throws LogicException
  863. * @throws UnexpectedValueException
  864. *
  865. * @return string|array|\ArrayObject|null IRI or normalized object data
  866. */
  867. protected function normalizeRelation($propertyMetadata, $relatedObject, string $resourceClass, ?string $format, array $context)
  868. {
  869. if (null === $relatedObject || !empty($context['attributes']) || $propertyMetadata->isReadableLink()) {
  870. if (!$this->serializer instanceof NormalizerInterface) {
  871. throw new LogicException(sprintf('The injected serializer must be an instance of "%s".', NormalizerInterface::class));
  872. }
  874. $relatedContext = $this->createOperationContext($context, $resourceClass);
  875. $normalizedRelatedObject = $this->serializer->normalize($relatedObject, $format, $relatedContext);
  876. if (!\is_string($normalizedRelatedObject) && !\is_array($normalizedRelatedObject) && !$normalizedRelatedObject instanceof \ArrayObject && null !== $normalizedRelatedObject) {
  877. throw new UnexpectedValueException('Expected normalized relation to be an IRI, array, \ArrayObject or null');
  878. }
  880. return $normalizedRelatedObject;
  881. }
  883. $iri = $this->iriConverter instanceof LegacyIriConverterInterface ? $this->iriConverter->getIriFromItem($relatedObject) : $this->iriConverter->getIriFromResource($relatedObject);
  885. if (isset($context['resources'])) {
  886. $context['resources'][$iri] = $iri;
  887. }
  889. $push = $propertyMetadata instanceof PropertyMetadata ? $propertyMetadata->getAttribute('push', false) : ($propertyMetadata->getPush() ?? false);
  890. if (isset($context['resources_to_push']) && $push) {
  891. $context['resources_to_push'][$iri] = $iri;
  892. }
  894. return $iri;
  895. }
  897. /**
  898. * Finds the first supported data transformer if any.
  899. *
  900. * @param object|array $data object on normalize / array on denormalize
  901. */
  902. protected function getDataTransformer($data, string $to, array $context = []): ?DataTransformerInterface
  903. {
  904. foreach ($this->dataTransformers as $dataTransformer) {
  905. if ($dataTransformer->supportsTransformation($data, $to, $context)) {
  906. return $dataTransformer;
  907. }
  908. }
  910. return null;
  911. }
  913. /**
  914. * For a given resource, it returns an output representation if any
  915. * If not, the resource is returned.
  916. */
  917. protected function transformOutput($object, array $context = [], string $outputClass = null)
  918. {
  919. }
  921. private function createAttributeValue($attribute, $value, $format = null, array $context = [])
  922. {
  923. if (!$this->resourceClassResolver->isResourceClass($context['resource_class'])) {
  924. return $value;
  925. }
  927. /** @var ApiProperty|PropertyMetadata */
  928. $propertyMetadata = $this->propertyMetadataFactory->create($context['resource_class'], $attribute, $this->getFactoryOptions($context));
  929. $type = $propertyMetadata instanceof PropertyMetadata ? $propertyMetadata->getType() : ($propertyMetadata->getBuiltinTypes()[0] ?? null);
  931. if (null === $type) {
  932. // No type provided, blindly return the value
  933. return $value;
  934. }
  936. if (null === $value && $type->isNullable()) {
  937. return $value;
  938. }
  940. $collectionValueType = method_exists(Type::class, 'getCollectionValueTypes') ? ($type->getCollectionValueTypes()[0] ?? null) : $type->getCollectionValueType();
  942. /* From @see AbstractObjectNormalizer::validateAndDenormalize() */
  943. // Fix a collection that contains the only one element
  944. // This is special to xml format only
  945. if ('xml' === $format && null !== $collectionValueType && (!\is_array($value) || !\is_int(key($value)))) {
  946. $value = [$value];
  947. }
  949. if (
  950. $type->isCollection()
  951. && null !== $collectionValueType
  952. && null !== ($className = $collectionValueType->getClassName())
  953. && $this->resourceClassResolver->isResourceClass($className)
  954. ) {
  955. $resourceClass = $this->resourceClassResolver->getResourceClass(null, $className);
  956. $context['resource_class'] = $resourceClass;
  958. return $this->denormalizeCollection($attribute, $propertyMetadata, $type, $resourceClass, $value, $format, $context);
  959. }
  961. if (
  962. null !== ($className = $type->getClassName())
  963. && $this->resourceClassResolver->isResourceClass($className)
  964. ) {
  965. $resourceClass = $this->resourceClassResolver->getResourceClass(null, $className);
  966. $childContext = $this->createChildContext($this->createOperationContext($context, $resourceClass), $attribute, $format);
  968. return $this->denormalizeRelation($attribute, $propertyMetadata, $resourceClass, $value, $format, $childContext);
  969. }
  971. if (
  972. $type->isCollection()
  973. && null !== $collectionValueType
  974. && null !== ($className = $collectionValueType->getClassName())
  975. ) {
  976. if (!$this->serializer instanceof DenormalizerInterface) {
  977. throw new LogicException(sprintf('The injected serializer must be an instance of "%s".', DenormalizerInterface::class));
  978. }
  980. unset($context['resource_class']);
  982. return $this->serializer->denormalize($value, $className.'[]', $format, $context);
  983. }
  985. if (null !== $className = $type->getClassName()) {
  986. if (!$this->serializer instanceof DenormalizerInterface) {
  987. throw new LogicException(sprintf('The injected serializer must be an instance of "%s".', DenormalizerInterface::class));
  988. }
  990. unset($context['resource_class']);
  992. return $this->serializer->denormalize($value, $className, $format, $context);
  993. }
  995. /* From @see AbstractObjectNormalizer::validateAndDenormalize() */
  996. // In XML and CSV all basic datatypes are represented as strings, it is e.g. not possible to determine,
  997. // if a value is meant to be a string, float, int or a boolean value from the serialized representation.
  998. // That's why we have to transform the values, if one of these non-string basic datatypes is expected.
  999. if (\is_string($value) && (XmlEncoder::FORMAT === $format || CsvEncoder::FORMAT === $format)) {
  1000. if ('' === $value && $type->isNullable() && \in_array($type->getBuiltinType(), [Type::BUILTIN_TYPE_BOOL, Type::BUILTIN_TYPE_INT, Type::BUILTIN_TYPE_FLOAT], true)) {
  1001. return null;
  1002. }
  1004. switch ($type->getBuiltinType()) {
  1005. case Type::BUILTIN_TYPE_BOOL:
  1006. // according to https://www.w3.org/TR/xmlschema-2/#boolean, valid representations are "false", "true", "0" and "1"
  1007. if ('false' === $value || '0' === $value) {
  1008. $value = false;
  1009. } elseif ('true' === $value || '1' === $value) {
  1010. $value = true;
  1011. } else {
  1012. throw new NotNormalizableValueException(sprintf('The type of the "%s" attribute for class "%s" must be bool ("%s" given).', $attribute, $className, $value));
  1013. }
  1014. break;
  1015. case Type::BUILTIN_TYPE_INT:
  1016. if (ctype_digit($value) || ('-' === $value[0] && ctype_digit(substr($value, 1)))) {
  1017. $value = (int) $value;
  1018. } else {
  1019. throw new NotNormalizableValueException(sprintf('The type of the "%s" attribute for class "%s" must be int ("%s" given).', $attribute, $className, $value));
  1020. }
  1021. break;
  1022. case Type::BUILTIN_TYPE_FLOAT:
  1023. if (is_numeric($value)) {
  1024. return (float) $value;
  1025. }
  1027. switch ($value) {
  1028. case 'NaN':
  1029. return \NAN;
  1030. case 'INF':
  1031. return \INF;
  1032. case '-INF':
  1033. return -\INF;
  1034. default:
  1035. throw new NotNormalizableValueException(sprintf('The type of the "%s" attribute for class "%s" must be float ("%s" given).', $attribute, $className, $value));
  1036. }
  1037. }
  1038. }
  1040. if ($context[static::DISABLE_TYPE_ENFORCEMENT] ?? false) {
  1041. return $value;
  1042. }
  1044. $this->validateType($attribute, $type, $value, $format);
  1046. return $value;
  1047. }
  1049. /**
  1050. * Sets a value of the object using the PropertyAccess component.
  1051. *
  1052. * @param object $object
  1053. */
  1054. private function setValue($object, string $attributeName, $value)
  1055. {
  1056. try {
  1057. $this->propertyAccessor->setValue($object, $attributeName, $value);
  1058. } catch (NoSuchPropertyException $exception) {
  1059. // Properties not found are ignored
  1060. }
  1061. }
  1063. /**
  1064. * TODO: to remove in 3.0.
  1065. *
  1066. * @deprecated since 2.7
  1067. */
  1068. private function supportsPlainIdentifiers(): bool
  1069. {
  1070. return $this->allowPlainIdentifiers && null !== $this->itemDataProvider;
  1071. }
  1072. }
  1074. class_alias(AbstractItemNormalizer::class, \ApiPlatform\Core\Serializer\AbstractItemNormalizer::class);