Flag of Ukraine
SymfonyCasts stands united with the people of Ukraine

Removing Items from a Collection

Keep on Learning!

If you liked what you've learned so far, dive in!
Subscribe to get access to this tutorial plus
video, code and script downloads.

Start your All-Access Pass
Buy just this tutorial for $12.00

With a Subscription, click any sentence in the script to jump to that part of the video!

Login Subscribe

Close up the POST operation. I want to make a GET request to the collection of users. Let's see here - the user with id 4 has one CheeseListing attached to it - id 2. Ok, close up that operation and open up the operation for PUT: I want to edit that User. Enter 4 for the id.

First, I'm going to do something that we've already seen: let's just update the cheeseListings field: set it to an array with one IRI inside: /api/cheeses/2. If we did nothing else, this would set this property to... exactly what it already equals: user id 4 already has this one CheeseListing.

But now, add another IRI: /api/cheeses/3. That already exists, but is owned by another user. When I hit Execute.... pfff - I get a syntax error, because I left an extra comma on my JSON. Boo Ryan. Let's... try that again. This time... bah! A 400 status code:

This value should not be blank

My experiments with validation just came back to bite me! We set the title for CheeseListing 3 to an empty string in the database... it's basically a "bad" record that snuck in when we were playing with embedded validation. We could fix that title.. or... just change this to /api/cheeses/1. Execute!

The Serializer only Calls Adders for New Items

This time, it works! But, no surprise - we've basically done this! Internally, the serializer sees the existing CheeseListing IRI - /api/cheeses/2, realizes that this is already set on our User, and... does nothing. I mean, maybe it goes and gets a coffee or takes a walk. But, it most definitely does not call $user->addCheeseListing()... or really do anything. But when it sees the new IRI - /api/cheeses/1, it figures out that this CheeseListing does not exist on the User yet, and so, it does call $user->addCheeseListing(). That's why adder and remover methods are so handy: the serializer is smart enough to only call them when an object is truly being added or removed.

Removing Items from a Collection

Now, let's do the opposite: pretend that we want to remove a CheeseListing from this User - remove /api/cheeses/2. What do you think will happen? Execute and... woh! An integrity constraint error!

An exception occurred when executing UPDATE cheese_listing SET owner_id=NULL - column owner_id cannot be null.

This is cool! The serializer noticed that we removed the CheeseListing with id = 2. And so, it correctly called $user->removeCheeseListing() and passed CheeseListing id 2. Then, our generated code set the owner on that CheeseListing to null.

Depending on the situation and the nature of the relationship and entities, this might be exactly what you want! Or, if this were a ManyToMany relationship, the result of that generated code would basically be to "unlink" the two objects.

orphanRemoval

But in our case, we don't ever want a CheeseListing to be an "orphan" in the database. In fact... that's exactly why we made owner nullable=false and why we're seeing this error! Nope, if a CheeseListing is removed from a User... I guess we really need to just delete that CheeseListing entirely!

And... yea, doing that is easy! All the way back up above the $cheeseListings property, add orphanRemoval=true.

... lines 1 - 22
class User implements UserInterface
{
... lines 25 - 58
/**
* @ORM\OneToMany(targetEntity="App\Entity\CheeseListing", mappedBy="owner", cascade={"persist"}, orphanRemoval=true)
... lines 61 - 62
*/
private $cheeseListings;
... lines 65 - 185
}

This means, if any of the CheeseListings in this array suddenly... are not in this array, Doctrine will delete them. Just, realize that if you try to reassign a CheeseListing to another User, it will still delete that CheeseListing. So, just make sure you only use this when that's not a use-case. We've been changing the owner of cheese listings a bunch... but only as an example: it doesn't really make sense, so this is perfect.

Execute one more time. It works... and only /api/cheeses/1 is there. And if we go all the way back up to fetch the collection of cheese listings... yea, CheeseListing id 2 is gone.

Next, when you combine relations and filtering... well... you get some pretty serious power.

Leave a comment!

21
Login or Register to join the conversation
Jakub Avatar
Jakub Avatar Jakub | posted 10 days ago | edited

Hello again,
now I have problem with owner.username filter. When I try to filter cheese listings by owner username the response code is 500 and the error message is:

"str_replace(): Argument #3 ($subject) must be of type array|string, null given". This error is related to "./vendor/api-platform/core/src/Bridge/Doctrine/Orm/Extension/FilterEagerLoadingExtension.php" file and line 155.

I don't know why this function is given a null argument instead something to be replaced.
I'm using Symfony 4.4.32 and OpenAPI 3.0.2.
I would be grateful for reply.
Jakub

Reply
Default user avatar

Hello,
Am trying to remove an 'attribute' IRI but i got an error Invalid IRI, its a ManyToOne


{
"@id": "/api/document_attribute_values/1",
"@type": "DocumentAttributeValue",
"id": 2,
"attribute":"",
"document": "/api/documents/1",
"lang": "/api/langs/1",
"createdBy": "/api/users/1",
"createdAt": "2021-04-28T09:32:48+02:00",
"label": "test"
}

Thanks in Advance.

Reply

Hey @Gab!

Hmm. Can you add some more information? What is the URL, method and data for the request that you're sending? What does the class look like that has the ManyToOne? I'm... not sure I understand the situation yet :).

Cheers!

Reply
Default user avatar

This is object in post method :


DocumentAttributeValue.jsonld{
document string($iri-reference)
attribute string($iri-reference)
lang string($iri-reference)
createdBy string($iri-reference)
createdAt string($date-time)
label string
}
Reply

Hey @Gab!

Sorry for the VERY slow reply - it was a particularly busy week - my apologies.

Hmm. I still don't understand. I think what you posted here is a description of part of the API - from maybe the API docs/homepage? You originally said:

> Am trying to remove an 'attribute' IRI but i got an error Invalid IRI

I was curious exactly what URL you are hitting and what data you are sending. For example, you might be making a request like this:


POST /api/documents/1

{
"document_attribute_value": "/api/document_attribute_values/5"
}

This is almost definitely not correct - I am totally guessing. But this is the format I'm hoping to see: what is the URL and JSON data you are sending. Also what is the exact error you get back?

Cheers!

Reply
Tianyu W. Avatar
Tianyu W. Avatar Tianyu W. | posted 1 year ago

Hi there,
It works well in RESTFul api. I'd like to know if there is a way to handle adding and removing element from ManyToMany collection using Graphql? I tried to use updateResource but it seems that the property always got overridden. Thanks.

Reply

Hi Tianyu W.!

Sorry for the slow reply! Unfortunately, none of us on the team have worked with GraphQL, so we don't know the answer here :/. I would expect it to be possible, but I don't know for sure. Just keep in mind that the system works (and I'm almost positive this is true with GraphQL) by calling getter, setter, adder and remover methods on your object. So if you can get API Platform to call the right method... and that method does it's job, it "should" work. But... this is a very high level answer. Sorry I can't do better!

Cheers!

Reply
tuancode Avatar
tuancode Avatar tuancode | posted 1 year ago

Hi Ryan,
Is it a good practice to allow nullable setter for a not null field? For example, the $owner property in this case, while it is a not null column in database, we need to allow setter and getter nullable, to allow `orphanRemoval=true` feature can be workable. For me, it looks like a workaround approach. I'm not sure any better approach.


/**
* @ORM\ManyToOne(targetEntity=User::class, inversedBy="cheeseListings")
* @ORM\JoinColumn(nullable=false)
* @Assert\Valid()
*
* @Groups({"cheese_listing:read","cheese_listing:write"})
*/
private ?User $owner;

public function getOwner(): ?User
{
return $this->owner;
}

public function setOwner(?User $owner): self
{
$this->owner = $owner;

return $this;
}
Reply

Hey Tuancode,

Yes, unfortunately, you need to allow null for setters/getters even if you do not allow nullable fields in the database. That's because an entity might be in an invalid state and Symfony validator could work properly. So yes, it's not perfect but practical thing to do. Another way probably to use Data Transfer Objects (DTO) instead where you will allow null in setters/getters for such fields, they might be in an invalid state, and when they pass validation - map all their values to the specific entity and when you will do it - you will be sure that all required not nullable fields will be set correctly. But allowing null in entities just easier and less extra work, and fairly speaking I'm not sure 100% this approach with DTO will work with APiPlatform, probably you would need to write more custom code for this.

Cheers!

Reply
Default user avatar
Default user avatar Tuan Vu | victor | posted 1 year ago | edited

Thanks victor , that's an awesome response.

Reply

Hey Tuan,

Thanks! I'm happy it was useful for you :)

Cheers!

Reply
Daniel W. Avatar
Daniel W. Avatar Daniel W. | posted 1 year ago

Hi,
I think there is some kind of bug in swagger-ui or api platform.
The schema "cheeses:jsonld-write" does not show that there is an owner property on cheeses.
The thing is the owner property actually exists and works, but swagger does not show it.
Here are some images describing this better:

https://imgur.com/a/gFjOoxP

some more info:

The owner property is annotated like this:

/**
* @ORM\ManyToOne(targetEntity=User::class, inversedBy="cheeseListings")
* @ORM\JoinColumn(nullable=false)
* @Groups({"cheese_listing:read", "cheese_listing:write"})
* @Assert\Valid
*/
private $owner;

Reply
Daniel W. Avatar

Edit: It seems the problem was bad named "swagger_definition_name" on user. Instead of naming it Read and Write I named it User-read and User-Write which fixed it. Kinda really strange how renaming the schema can have such a side effect.

Reply

Hey Daniel W.!

That *is* strange... I'm not super familiar with this area so I'm not sure *why* that would be the case.

Cheers!

Reply
Eric Avatar

Having a hard time wrapping my head around how one would leverage reassigning ownership of an entity, like being done here, in an application that has more strict ownership rules.

For example:
If we had 3 entities (User, UserGroup and CheeseListing) where users should not be able to interact with cheese listings that are outside of their user's user group - how would one apply those rules? As it stands now, a user could be assigned any cheese listing - instead of only being able to be assigned a subset of cheese listings in which it should have access. I've been trying to search the docs to figure this out but not coming up with any right way to implement this. I see mention of using access control to limit access to sub-resources (https://api-platform.com/do... but if that is limited to roles and such, and a user could have the same role across user groups, I'm not sure how to approach the problem.

Any suggestions are appreciated. Figure this is probably a pretty common situation so perhaps I am just overlooking something. My mind goes to multi-tenant applications where this would be needed on most any related resource.

Reply
Eric Avatar

Was thinking about this last night and I guess you could just use custom validation constraints to handle this - which I believe would be the most appropriate way to handle this.

Reply

Hey Eric,

Good question! I think you're on the right direction here, probably using custom validation constraints in this case would be the most flexible and powerful solution. Nothing much except this can advise here :/

Cheers!

Reply

Hey victor !

Cool question :). We've just started releasing our security tutorial - https://symfonycasts.com/sc... - and this is *exactly* the kind of stuff I hope to clear up there. But, let me answer now and we can make sure that I'm answering everything clearly :).

There are two parts to this that I can see:

> 1) How do I restrict access (e.g. GET) to a specific CheeseListing so that only a User that belongs to a UserGroup that owns a CheeseListing can access it?

First, don't use sub resources :). I just wanted to mention that first - because it can complicate things a bit (as you might successfully secure the GET operation for cheese listings, but forget that you've exposed cheeseListings as a sub-resource of some other entity... or something like that ;).

To solve this problem, you'll use two things: (A) access_control (https://api-platform.com/do... with voters. So, I might use something like access_control"="is_granted('READ', previous_object)". Then you would have a custom voter that is able to decide whether or not the current user has "READ" access (I just invented that string) to this CheeseListing (that's what "previous_object" represents, and is passed to your voter - it is the CheeseListing object *before* it was modified by the request). And (B) you will probably need a custom Doctrine extension (https://api-platform.com/do... so that you can also *filter* the collection resource by this same logic (so that when you make a GET collection to /api/cheeses, you only see what you should see).

> 2) How can I change ownership of a CheeseListing?

I think this might also be part of your question. In your model, changing ownership would mean that you're changing, for example, the "group" property on a CheeseListing. Other than security, that's trivial: you're just updating a property on CheeseListing. But to prevent a "bad" user from doing this (e.g. to prevent someone from changing the CheeseListing from some OTHER group to their OWN group) you would leverage access_control once again - the previous_object variable I mention above will contain the CheeseListing.group property *before* it was changed. So, naturally, your voter logic will see if the user making this request belongs to the group of this CheeseListing or not.

A similar question to 2 is: what if they "pass" my access_control successfully (they DO have access) but then I need to make sure that the new CheeseListing.group is a value that they are allowed to use? For example, suppose i CAN access this CheeseListing, but I'm trying to change its group to some group that I'm not part of. That should not be allowed. The answer to this is indeed a custom validation constraint.

Let me know if this helps! There are about 4 different subtle different "ways" to protect a resource (protect entire resource/operation, change fields based on the user, prevent bad data from being set, etc) and each has a specific solution. This will all be in the security tutorial :).

Cheers!

Reply

In a real situation nobody will remove the orphan, instead I want to set another field like isRemoved=1. Is there a way to do that or we have to update this field separately?

Reply

Hey Rakodev

I'm not sure but I would say yes, you have to remove the "orphan" config and do the update yourself. But it seems to me that what you want is something similar as the "SoftDeleteable" extension. Give it a check and decide if it fits your needs or not (https://github.com/Atlantic... )

Cheers!

Reply

Hey MolloKhan ,

Thank you for the suggestion. Finally I did something by myself instead of using another vendor.
My solution is this one, and it works:
https://gist.github.com/rak...

If anyone try it, I will appreciate any feedback.

2 Reply
Cat in space

"Houston: no signs of life"
Start the conversation!

This tutorial works great for Symfony 5 and API Platform 2.5/2.6.

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.1.3",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^2.1", // v2.4.3
        "composer/package-versions-deprecated": "^1.11", // 1.11.99
        "doctrine/annotations": "^1.0", // 1.10.2
        "doctrine/doctrine-bundle": "^1.6", // 1.11.2
        "doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
        "doctrine/orm": "^2.4.5", // v2.7.2
        "nelmio/cors-bundle": "^1.5", // 1.5.5
        "nesbot/carbon": "^2.17", // 2.19.2
        "phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
        "symfony/asset": "4.2.*|4.3.*|4.4.*", // v4.3.11
        "symfony/console": "4.2.*", // v4.2.12
        "symfony/dotenv": "4.2.*", // v4.2.12
        "symfony/expression-language": "4.2.*|4.3.*|4.4.*", // v4.3.11
        "symfony/flex": "^1.1", // v1.17.6
        "symfony/framework-bundle": "4.2.*", // v4.2.12
        "symfony/security-bundle": "4.2.*|4.3.*", // v4.3.3
        "symfony/twig-bundle": "4.2.*|4.3.*", // v4.2.12
        "symfony/validator": "4.2.*|4.3.*", // v4.3.11
        "symfony/yaml": "4.2.*" // v4.2.12
    },
    "require-dev": {
        "symfony/maker-bundle": "^1.11", // v1.11.6
        "symfony/stopwatch": "4.2.*|4.3.*", // v4.2.9
        "symfony/web-profiler-bundle": "4.2.*|4.3.*" // v4.2.9
    }
}