Chapters

37 Chapters | 3:43:31 |

01

API Docs on Production?

8:22
02

API Tokens? Session Cookies?

8:07
03

API Login Form with json_login

5:36
04

Handling Authentication Errors

3:47
05

On Authentication Success

6:03
06

Logout & Passing API Data to JavaScript

5:45
07

Passing Values to Stimulus

4:32
08

Token Types & The ApiToken Entity

5:59
09

Generating the API Token & Fixtures

5:58
10

Access Token Authenticator

8:56
11

Customizing the OpenAPI Docs

7:31
12

API Token Scopes

5:51
13

Deny Access with The "security" Option

7:11
14

Bootstrapping a Killer Test System

8:18
15

JSON Test Assertions & Seeding the Database

3:41
16

Advanced & Flexible JSON Test Assertions

4:04
17

Testing Authentication

4:59
18

Customizing Browser Globally

3:50
19

Testing Token Authentication

3:24
20

New PUT Behavior

4:46
21

Only Allow Owners to Edit

7:49
22

Allow Admin Users to Edit any Treasure

4:11
23

Security Voter

6:13
24

Conditional Fields by User: ApiProperty

5:13
25

User Test + Plain Password

4:21
26

State Processors: Hashing the User Password

6:55
27

Validation Groups & Patch Formats

8:01
28

Dynamic Groups: Context Builder

8:26
29

Custom Normalizer

5:08
30

Normalizer Decoration & "Normalizer Aware"

6:29
31

Totally Custom Fields

3:24
32

Custom Validator

7:58
33

Validating how Values Change

8:30
34

Auto Setting the "owner"

4:19
35

Query Extension: Auto-Filter a Collection

6:15
36

404 On Unpublished Items

8:00
37

Filtering Relation Collection

5:39

> APIs > API Platform 3 Part 2: Security for your Treasures

Buy Access to Course

35.

Query Extension: Auto-Filter a Collection

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Challenge

With a Subscription, click any sentence in the script to jump to that part of the video!

When we get a collection of treasures, we currently return every treasure, even unpublished treasures. Probably some of these are unpublished. We did add a filter to control this... but let's be honest, that's not the best solution. Really, we need to not return unpublished treasures at all.

Find the API Platform Upgrade Guide... and search for the word "state" to find a section that talks about "providers" and "processors". We talked about state processors earlier, like the PersistProcessor on the Put and Post operations, which is responsible for saving the item to the database.

State Providers

But each operation also has something called a state provider. This is what's responsible for loading the object or collection of objects. For example, when we make a GET request for a single item, the ItemProvider is what's responsible for taking the ID and querying the database. There's also a CollectionProvider to load a collection of items.

So if we want to automatically hide unpublished treasures, one option would be to decorate this CollectionProvider, very much like we did with the PersistProcessor. Except... that won't quite work. Why? The CollectionProvider from Doctrine executes the query and returns the results. So all we would be able to do is take those results... then hide the ones we don't want. That's... not ideal for performance - imagine loading 50 treasures then only showing 10 - and it would confuse pagination. What we really want to do is modify the query itself: to add a WHERE isPublished = true.

Testing for the Behavior

Luckily for us, this CollectionProvider "provides" its own extension point that lets us do exactly that.

Before we dive in, let's update a test to show the behavior we want. Find testGetCollectionOfTreasures(). Take control of these 5 treasures and make them all isPublished => true:

            Copy Code

                            Show All Lines

                        185 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 16
                            
                public function testGetCollectionOfTreasures(): void
        
                {
        
                    DragonTreasureFactory::createMany(5, [
        
                        'isPublished' => true,
        
                    ]);
        
                Show Lines

                                                    // ... lines 22 - 44
                            
                }
        
                Show Lines

                                                    // ... lines 46 - 183
                            
            }

because right now, in DragonTreasureFactory, isPublished is set to a random value:

            Copy Code

                            Show All Lines

                        75 lines
            |
            src/Factory/DragonTreasureFactory.php
        
                Show Lines

                                                    // ... lines 1 - 29
                            
            final class DragonTreasureFactory extends ModelFactory
        
            {
        
                Show Lines

                                                    // ... lines 32 - 46
                            
                protected function getDefaults(): array
        
                {
        
                    return [
        
                Show Lines

                                                    // ... lines 50 - 51
                            
                        'isPublished' => self::faker()->boolean(),
        
                Show Lines

                                                    // ... lines 53 - 56
                            
                    ];
        
                }
        
                Show Lines

                                                    // ... lines 59 - 73
                            
            }

Then add one more with createOne() and isPublished false:

            Copy Code

                            Show All Lines

                        185 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 16
                            
                public function testGetCollectionOfTreasures(): void
        
                {
        
                    DragonTreasureFactory::createMany(5, [
        
                        'isPublished' => true,
        
                    ]);
        
                    DragonTreasureFactory::createOne([
        
                        'isPublished' => false,
        
                    ]);
        
                Show Lines

                                                    // ... lines 25 - 44
                            
                }
        
                Show Lines

                                                    // ... lines 46 - 183
                            
            }

Awesome! And we still want to assert that this returns just 5 items. So... let's make sure it fails:

symfony php bin/phpunit --filter=testGetCollectionOfTreasures

And... yea! It returns 6 items.

Collection Query Extensions

Ok, to modify the query for a collection endpoint, we're going to create something called a query extension. Anywhere in src/ - I'll do it in the ApiPlatform/ directory - create a new class called DragonTreasureIsPublishedExtension. Make this implement QueryCollectionExtensionInterface, then go to "Code"->"Generate" or Command+N on a Mac - and generate the one method we need: applyToCollection():

            Copy Code

                            Show All Lines

                        17 lines
            |
            src/ApiPlatform/DragonTreasureIsPublishedExtension.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\ApiPlatform;
        
            use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
        
            use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
        
            use ApiPlatform\Metadata\Operation;
        
            use Doctrine\ORM\QueryBuilder;
        
            class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
        
            {
        
                public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
        
                {
        
                    // TODO: Implement applyToCollection() method.
        
                }
        
            }

This is pretty cool: it passes us the $queryBuilder and a few other pieces of info. Then, we can modify that QueryBuilder. The best part? The QueryBuilder already takes into account things like pagination and any filters that have been applied. So those are not things we need to worry about.

Also, thanks to Symfony's autoconfiguration system, just by creating this class and making it implement this interface, it will already be called whenever a collection endpoint is used!

Query Extension Logic

In fact, it will be called for any resource. So the first thing we need is if (DragonTreasure::class !== $resourceClass) - fortunately it passes us the class name - then return:

            Copy Code

                            Show All Lines

                        24 lines
            |
            src/ApiPlatform/DragonTreasureIsPublishedExtension.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use App\Entity\DragonTreasure;
        
                Show Lines

                                                    // ... lines 9 - 10
                            
            class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
        
            {
        
                public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
        
                {
        
                    if (DragonTreasure::class !== $resourceClass) {
        
                        return;
        
                    }
        
                Show Lines

                                                    // ... lines 18 - 21
                            
                }
        
            }

Below, this is where we get to work. Now, every QueryBuilder object has a root alias that refers to the class or table that you're querying. Usually, we create the QueryBuilder... like from inside a repository we say something like $this->createQueryBuilder('d') and d becomes that "root alias". Then we use that in other parts of the query.

However, in this situation, we didn't create the QueryBuilder, so we never chose that root alias. It was chosen for us. What is it? It's: "banana". Actually, I have no idea what it is! But we can get it with $queryBuilder->getRootAliases()[0]:

            Copy Code

                            Show All Lines

                        24 lines
            |
            src/ApiPlatform/DragonTreasureIsPublishedExtension.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
        
            {
        
                public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
        
                {
        
                    if (DragonTreasure::class !== $resourceClass) {
        
                        return;
        
                    }
        
                    $rootAlias = $queryBuilder->getRootAliases()[0];
        
                Show Lines

                                                    // ... lines 20 - 21
                            
                }
        
            }

Now it's just normal query logic: $queryBuilder->andWhere() passing sprintf(). This looks a little weird: %s.isPublished = :isPublished, then pass $rootAlias followed by ->setParameter('isPublished', true):

            Copy Code

                            Show All Lines

                        24 lines
            |
            src/ApiPlatform/DragonTreasureIsPublishedExtension.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
        
            {
        
                public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
        
                {
        
                    if (DragonTreasure::class !== $resourceClass) {
        
                        return;
        
                    }
        
                    $rootAlias = $queryBuilder->getRootAliases()[0];
        
                    $queryBuilder->andWhere(sprintf('%s.isPublished = :isPublished', $rootAlias))
        
                        ->setParameter('isPublished', true);
        
                }
        
            }

Cool! Spin over to try this thing!

symfony php bin/console phpunit --filter=testGetCollectionOfTreasures

Mission accomplished! It's just that easy.

Query Extensions on SubResources?

By the way, will this also work for sub-resources? For example, over in our docs, we can also fetch a collection of treasures by going to /api/users/{user_id}/treasures. Will this also hide the unpublished treasures? The answer is... yes! So, it's not something you need to worry about. I won't show it, but this also uses the query extension.

Oh, and if you wanted admin users to be able to see unpublished treasures, you could add logic to only modify this query if the current user is not an admin.

Next up: this query extension fixes the collection endpoint! But... someone could still fetch a single unpublished treasure directly by its id. Let's fix that!

10 Comments

Sort By

randomsymbols 1 month ago

Using QueryBuilder outside of Repository is mixing infrastructure and business logic, seems like a bad idea ... What if we move our dragon treasures from SQL to MongoDB?

| Reply |

MolloKhan SFCASTS randomsymbols 1 month ago edited

Hey @randomsymbols

yea, usually it is better to keep the database abstracted from your business rules, but in this case, the QueryBuilder is part of the ApiPlatform interface. I suppose they chose it that way for a good reason. Besides that, if you switch from SQL to MongoDB you'll still have these architecture issues.

Cheers!

| Reply |

Yangzhi 1 year ago

hi,my entity has endAt field,datetime type, when i getcollection, i want return DATEDIFF(endAt,NOW()) as leftDay and order by leftDay,
so i create custom Extensions

class ContractCollectionExtensions implements QueryCollectionExtensionInterface
{

    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
    {
        if ($resourceClass !== Contract::class || !$operation instanceof GetCollection) {
            return;
        }
        $rootAlias = $queryBuilder->getRootAliases()[0];
        if (isset($context['filters']['withOutSelf'])) {
            $queryBuilder->andWhere(
                $queryBuilder->expr()->neq(sprintf('%s.ourIdentity', $rootAlias), '\'甲方\'')
            );
        }
        $queryBuilder->addSelect(sprintf('DATELEFT(%s.endAt) as leftDay', $rootAlias));
        $queryBuilder->addOrderBy('leftDay', 'ASC');
    }
}

of course i create custom DQL function and work fine

but: return is array [Entity,leftDay] not Entity object, please how fix it.thanks

| Reply |

weaverryan SFCASTS Yangzhi 1 year ago

Hey @Yangzhi!

Sorry for the slow reply - holidays!

Try this:

$queryBuilder->addSelect(sprintf('DATELEFT(%s.endAt) as HIDDEN leftDay', $rootAlias));

The HIDDEN should allow you to select the field so that you can sort by it, but not include it in the results. Let me know if that works!

Cheers!

| Reply |

Yangzhi weaverryan 1 year ago

thank you,but in my case,i want use leftDay

| Reply |

MolloKhan SFCASTS Yangzhi 1 year ago edited

Hey @Yangzhi

If the leftDay field is not part of your entity data Doctrine will add it to the result along with the entity object. If you want both things in a single object you can create a DTO

Cheers!

1 | Reply |

Sylvain-B 1 year ago

Hello !
I think there is a typo, the correct command seems to be
symfony php bin/phpunit --filter=testGetCollectionOfTreasures
and not
symfony php bin/console phpunit --filter=testGetCollectionOfTreasures
Thanks :-)

| Reply |

MolloKhan SFCASTS Sylvain-B 1 year ago edited

Hey @Sylvain-B

You're right! Thank you, I'll fix it up

Cheers!

| Reply |

Oleguer-C 1 year ago

Hello!
This is not a technical inquiry, I just wanted to point out that in some videos, like this one, the subtitles are not well synchronized. As a non-native English speaker, I have to say that this makes it difficult for me to understand because when I don't understand something and go to the subtitles, they are at a different moment than the audio.
If you can review this, I'm sure that future users who need subtitles will appreciate it.
Thank you!

| Reply |

weaverryan SFCASTS Oleguer-C 1 year ago

Hey @Oleguer-C!

I appreciate you mentioning this - that's a bug in this video, from a mistake I made in the script. The subtitles should always be perfectly sync'ed, but that mistake definitely caused a bit un-sync starting at 2:42. We'll get that fixed up!

Cheers!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Challenge

Query Extension: Auto-Filter a Collection

Share this awesome video!

Keep on Learning!

State Providers

Testing for the Behavior

Collection Query Extensions

Query Extension Logic

Query Extensions on SubResources?

10 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 12
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 15 - 16
	public function testGetCollectionOfTreasures(): void
	{
	DragonTreasureFactory::createMany(5, [
	'isPublished' => true,
	]);
Show Lines	// ... lines 22 - 44
	}
Show Lines	// ... lines 46 - 183
	}

Show Lines	// ... lines 1 - 29
	final class DragonTreasureFactory extends ModelFactory
	{
Show Lines	// ... lines 32 - 46
	protected function getDefaults(): array
	{
	return [
Show Lines	// ... lines 50 - 51
	'isPublished' => self::faker()->boolean(),
Show Lines	// ... lines 53 - 56
	];
	}
Show Lines	// ... lines 59 - 73
	}

Show Lines	// ... lines 1 - 2
	namespace App\ApiPlatform;

	use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
	use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
	use ApiPlatform\Metadata\Operation;
	use Doctrine\ORM\QueryBuilder;

	class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
	{
	public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
	{
	// TODO: Implement applyToCollection() method.
	}
	}

Show Lines	// ... lines 1 - 7
	use App\Entity\DragonTreasure;
Show Lines	// ... lines 9 - 10
	class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
	{
	public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
	{
	if (DragonTreasure::class !== $resourceClass) {
	return;
	}
Show Lines	// ... lines 18 - 21
	}
	}

Show Lines	// ... lines 1 - 10
	class DragonTreasureIsPublishedExtension implements QueryCollectionExtensionInterface
	{
	public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, Operation $operation = null, array $context = []): void
	{
	if (DragonTreasure::class !== $resourceClass) {
	return;
	}

	$rootAlias = $queryBuilder->getRootAliases()[0];
Show Lines	// ... lines 20 - 21
	}
	}