Chapters
27 Chapters
|
2:54:11
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3
Subscribe to download the code!Compatible PHP versions: ^7.1.3
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
Este tutorial funciona muy bien para Symfony 5 y la Plataforma API 2.5/2.6.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.1.3",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^2.1", // v2.4.3
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.10.2
"doctrine/doctrine-bundle": "^1.6", // 1.11.2
"doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
"doctrine/orm": "^2.4.5", // v2.7.2
"nelmio/cors-bundle": "^1.5", // 1.5.5
"nesbot/carbon": "^2.17", // 2.19.2
"phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
"symfony/asset": "4.2.*|4.3.*|4.4.*", // v4.3.11
"symfony/console": "4.2.*", // v4.2.12
"symfony/dotenv": "4.2.*", // v4.2.12
"symfony/expression-language": "4.2.*|4.3.*|4.4.*", // v4.3.11
"symfony/flex": "^1.1", // v1.21.6
"symfony/framework-bundle": "4.2.*", // v4.2.12
"symfony/security-bundle": "4.2.*|4.3.*", // v4.3.3
"symfony/twig-bundle": "4.2.*|4.3.*", // v4.2.12
"symfony/validator": "4.2.*|4.3.*", // v4.3.11
"symfony/yaml": "4.2.*" // v4.2.12
},
"require-dev": {
"symfony/maker-bundle": "^1.11", // v1.11.6
"symfony/stopwatch": "4.2.*|4.3.*", // v4.2.9
"symfony/web-profiler-bundle": "4.2.*|4.3.*" // v4.2.9
}
}
22 Comments
Hello again,
now I have problem with
owner.usernamefilter. When I try to filter cheese listings by owner username the response code is 500 and the error message is:I don't know why this function is given a null argument instead something to be replaced.
I'm using Symfony 4.4.32 and OpenAPI 3.0.2.
I would be grateful for reply.
Jakub
Hey Jakub!
Sorry for the very slow reply! Apparently I'm still catching up from Symfony's conference week :p.
I'm not familiar with this error. However, I can see that this class has been modified in later versions. For example,
str_replace()exists in this class in API Platform 2.4 and 2.5, but not in 2.6: they may have fixed some bugs or find a better way to do something. I would try upgrading if you can. If you can't, the problem is on this line - https://github.com/api-platform/core/blob/1a811560d55c5f479fddcc8b7b0f7b36b6e734aa/src/Bridge/Doctrine/Orm/Extension/FilterEagerLoadingExtension.php#L155 - I'm not sure what it is, but something is going wrong with getting information about how to join to make this filter.Cheers!
Hello,
Am trying to remove an 'attribute' IRI but i got an error Invalid IRI, its a ManyToOne
Thanks in Advance.
Hey @Gab!
Hmm. Can you add some more information? What is the URL, method and data for the request that you're sending? What does the class look like that has the ManyToOne? I'm... not sure I understand the situation yet :).
Cheers!
This is object in post method :
Hey @Gab!
Sorry for the VERY slow reply - it was a particularly busy week - my apologies.
Hmm. I still don't understand. I think what you posted here is a description of part of the API - from maybe the API docs/homepage? You originally said:
I was curious exactly what URL you are hitting and what data you are sending. For example, you might be making a request like this:
This is almost definitely not correct - I am totally guessing. But this is the format I'm hoping to see: what is the URL and JSON data you are sending. Also what is the exact error you get back?
Cheers!
Hi there,
It works well in RESTFul api. I'd like to know if there is a way to handle adding and removing element from ManyToMany collection using Graphql? I tried to use updateResource but it seems that the property always got overridden. Thanks.
Hi Tianyu W.!
Sorry for the slow reply! Unfortunately, none of us on the team have worked with GraphQL, so we don't know the answer here :/. I would expect it to be possible, but I don't know for sure. Just keep in mind that the system works (and I'm almost positive this is true with GraphQL) by calling getter, setter, adder and remover methods on your object. So if you can get API Platform to call the right method... and that method does it's job, it "should" work. But... this is a very high level answer. Sorry I can't do better!
Cheers!
Hi Ryan,
Is it a good practice to allow nullable setter for a not null field? For example, the $owner property in this case, while it is a not null column in database, we need to allow setter and getter nullable, to allow
orphanRemoval=truefeature can be workable. For me, it looks like a workaround approach. I'm not sure any better approach.Hey Tuancode,
Yes, unfortunately, you need to allow null for setters/getters even if you do not allow nullable fields in the database. That's because an entity might be in an invalid state and Symfony validator could work properly. So yes, it's not perfect but practical thing to do. Another way probably to use Data Transfer Objects (DTO) instead where you will allow null in setters/getters for such fields, they might be in an invalid state, and when they pass validation - map all their values to the specific entity and when you will do it - you will be sure that all required not nullable fields will be set correctly. But allowing null in entities just easier and less extra work, and fairly speaking I'm not sure 100% this approach with DTO will work with APiPlatform, probably you would need to write more custom code for this.
Cheers!
Thanks victor , that's an awesome response.
Hey Tuan,
Thanks! I'm happy it was useful for you :)
Cheers!
Hi,
I think there is some kind of bug in swagger-ui or api platform.
The schema "cheeses:jsonld-write" does not show that there is an owner property on cheeses.
The thing is the owner property actually exists and works, but swagger does not show it.
Here are some images describing this better:
https://imgur.com/a/gFjOoxP
some more info:
The owner property is annotated like this:
`
/**
`
Edit: It seems the problem was bad named "swagger_definition_name" on user. Instead of naming it Read and Write I named it User-read and User-Write which fixed it. Kinda really strange how renaming the schema can have such a side effect.
Hey Daniel W.!
That *is* strange... I'm not super familiar with this area so I'm not sure *why* that would be the case.
Cheers!
Having a hard time wrapping my head around how one would leverage reassigning ownership of an entity, like being done here, in an application that has more strict ownership rules.
For example:
If we had 3 entities (User, UserGroup and CheeseListing) where users should not be able to interact with cheese listings that are outside of their user's user group - how would one apply those rules? As it stands now, a user could be assigned any cheese listing - instead of only being able to be assigned a subset of cheese listings in which it should have access. I've been trying to search the docs to figure this out but not coming up with any right way to implement this. I see mention of using access control to limit access to sub-resources (https://api-platform.com/do... but if that is limited to roles and such, and a user could have the same role across user groups, I'm not sure how to approach the problem.
Any suggestions are appreciated. Figure this is probably a pretty common situation so perhaps I am just overlooking something. My mind goes to multi-tenant applications where this would be needed on most any related resource.
Was thinking about this last night and I guess you could just use custom validation constraints to handle this - which I believe would be the most appropriate way to handle this.
Hey Eric,
Good question! I think you're on the right direction here, probably using custom validation constraints in this case would be the most flexible and powerful solution. Nothing much except this can advise here :/
Cheers!
Hey victor !
Cool question :). We've just started releasing our security tutorial - https://symfonycasts.com/screencast/api-platform-security - and this is exactly the kind of stuff I hope to clear up there. But, let me answer now and we can make sure that I'm answering everything clearly :).
There are two parts to this that I can see:
First, don't use sub resources :). I just wanted to mention that first - because it can complicate things a bit (as you might successfully secure the GET operation for cheese listings, but forget that you've exposed cheeseListings as a sub-resource of some other entity... or something like that ;).
To solve this problem, you'll use two things: (A) access_control (https://api-platform.com/docs/core/security/#configuring-the-access-control-message) with voters. So, I might use something like
access_control"="is_granted('READ', previous_object)". Then you would have a custom voter that is able to decide whether or not the current user has "READ" access (I just invented that string) to this CheeseListing (that's what "previous_object" represents, and is passed to your voter - it is the CheeseListing object before it was modified by the request). And (B) you will probably need a custom Doctrine extension (https://api-platform.com/docs/core/extensions/#custom-doctrine-orm-extension) so that you can also filter the collection resource by this same logic (so that when you make a GET collection to /api/cheeses, you only see what you should see).I think this might also be part of your question. In your model, changing ownership would mean that you're changing, for example, the "group" property on a CheeseListing. Other than security, that's trivial: you're just updating a property on CheeseListing. But to prevent a "bad" user from doing this (e.g. to prevent someone from changing the CheeseListing from some OTHER group to their OWN group) you would leverage access_control once again - the previous_object variable I mention above will contain the CheeseListing.group property before it was changed. So, naturally, your voter logic will see if the user making this request belongs to the group of this CheeseListing or not.
A similar question to 2 is: what if they "pass" my access_control successfully (they DO have access) but then I need to make sure that the new CheeseListing.group is a value that they are allowed to use? For example, suppose i CAN access this CheeseListing, but I'm trying to change its group to some group that I'm not part of. That should not be allowed. The answer to this is indeed a custom validation constraint.
Let me know if this helps! There are about 4 different subtle different "ways" to protect a resource (protect entire resource/operation, change fields based on the user, prevent bad data from being set, etc) and each has a specific solution. This will all be in the security tutorial :).
Cheers!
In a real situation nobody will remove the orphan, instead I want to set another field like isRemoved=1. Is there a way to do that or we have to update this field separately?
Hey Rakodev
I'm not sure but I would say yes, you have to remove the "orphan" config and do the update yourself. But it seems to me that what you want is something similar as the "SoftDeleteable" extension. Give it a check and decide if it fits your needs or not (https://github.com/Atlantic... )
Cheers!
Hey MolloKhan ,
Thank you for the suggestion. Finally I did something by myself instead of using another vendor.
My solution is this one, and it works:
https://gist.github.com/rak...
If anyone try it, I will appreciate any feedback.
"Houston: no signs of life"
Start the conversation!