Subresources
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeWe have two different ways to get the dragon treasures for a user. First, we could fetch the User and read its dragonTreasures property. The second is via the filter that we added a moment ago. In the API, that looks like owner=/api/users/4 on the GET collection operation for treasures.
This is my go-to way of getting the data... because if I want to fetch treasures, it make sense to use a treasures endpoint. Besides, if a user owns a lot of treasures, that'll give us pagination!
But you may sometimes choose to add a special way to fetch a resource or collection of resources... almost like a vanity URL. For example, imagine that, to get this same collection, we want the user to be able to go to /api/users/4/treasures.jsonld. That, of course, doesn't work. But it can be done. This is called a subresource, and subresources are much nicer in API platform 3.
Adding a Subresource via Another ApiResource
Okay, let's think. This endpoint will return treasures. So to add this subresource, we need to update the DragonTreasure class.
How? By adding a second ApiResource attribute. We already have this main one, so now add a new one. But this time, control the URL with a uriTemplate option set to exactly what we want: /users/{user_id} for the wildcard part (we'll see how that's used in a moment) then /treasures.
That's it! Well... also add .{_format}. This is optional, but that's the magic that lets us "cheat" and add this .jsonld to the end of the URL.
| // ... lines 1 - 54 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| // ... line 57 | |
| ) | |
| // ... lines 59 - 62 | |
| class DragonTreasure | |
| { | |
| // ... lines 65 - 222 | |
| } |
Next, add operations... because we don't need all six... we really need just one. So, say [new GetCollection()] because we will return a collection of treasures.
| // ... lines 1 - 54 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| operations: [new GetCollection()], | |
| ) | |
| // ... lines 59 - 62 | |
| class DragonTreasure | |
| { | |
| // ... lines 65 - 222 | |
| } |
Ok, let's see what this did! Head back to the documentation and refresh. Suddenly we have... three resources and this one has the correct URL!
Oh, and we have three resources because, if you recall, we customized the shortName. Copy that and paste it onto the new ApiResource so they match. And to make PhpStorm happy, I'll put them in order.
| // ... lines 1 - 54 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| shortName: 'Treasure', | |
| operations: [new GetCollection()], | |
| ) | |
| // ... lines 60 - 63 | |
| class DragonTreasure | |
| { | |
| // ... lines 66 - 223 | |
| } |
Now when we refresh... perfect! That's what we want!
Understanding uriVariables
We now have a new operation for fetching treasures. But does it work? It says that it will retrieve a collection of treasure resources, so that's good. But... we have a problem. It thinks that we need to pass the id of a DragonTreasure... but it should be the id of a User! And even if we pass something, like 4... and hit "Execute"... look at the URL! It didn't even use the 4: it still has {user_id} in the URL! So of course it comes back with a 404 error.
The problem is that we need to help API Platform understand what {user_id} means. We need to tell it that this is the id of the user and that it should use that to query WHERE owner_id equals the value.
To do that, add a new option called uriVariables. This is where we describe any "wildcards" in your URL. Pass user_id set to a new Link() object. There are multiple... we want the one from ApiPlatform\Metadata.
| // ... lines 1 - 11 | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 13 - 55 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| shortName: 'Treasure', | |
| operations: [new GetCollection()], | |
| uriVariables: [ | |
| 'user_id' => new Link( | |
| // ... lines 62 - 63 | |
| ), | |
| ], | |
| ) | |
| // ... lines 67 - 70 | |
| class DragonTreasure | |
| { | |
| // ... lines 73 - 230 | |
| } |
This object needs two things. First, point to the class that the {user_id} is referring to. Do that by passing a fromClass option set to User::class.
| // ... lines 1 - 11 | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 13 - 55 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| shortName: 'Treasure', | |
| operations: [new GetCollection()], | |
| uriVariables: [ | |
| 'user_id' => new Link( | |
| // ... line 62 | |
| fromClass: User::class, | |
| ), | |
| ], | |
| ) | |
| // ... lines 67 - 70 | |
| class DragonTreasure | |
| { | |
| // ... lines 73 - 230 | |
| } |
Second, we need to define which property on User points to DragonTreasure so that it can figure out how to structure the query. To do this, set fromProperty to treasures. So, inside User, we're saying that this property describes the relationship. Oh, but I totally messed that up: the property is dragonTreasures.
| // ... lines 1 - 11 | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 13 - 55 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| shortName: 'Treasure', | |
| operations: [new GetCollection()], | |
| uriVariables: [ | |
| 'user_id' => new Link( | |
| fromProperty: 'dragonTreasures', | |
| fromClass: User::class, | |
| ), | |
| ], | |
| ) | |
| // ... lines 67 - 70 | |
| class DragonTreasure | |
| { | |
| // ... lines 73 - 230 | |
| } |
Ok, cruise back over and refresh. Under the endpoint... yea! It says "User identifier". Let's put 4 in there again, hit "Execute" and... got it. There are the five treasures for this user!
And in the other browser tab... if we refresh... it works!
How the Query is Made
Behind the scenes, thanks to the Link, API Platform basically makes the following query:
SELECT * FROM dragon_treasure WHERE owner_id =
whatever we pass for {user_id}. It knows how to make that query by looking at the Doctrine relationship and figuring out which column to use. It's super smart.
We can actually see this in the profiler. Go to /_profiler, click on our request... and, down here, we see 2 queries... which are basically the same: the 2nd is used for the "total items" for pagination.
If you click "View formatted query" on the main query... it's even more complex than I expected! It has an INNER JOIN... but it's basically selecting all the dragon treasures data where owner_id = the ID of that user.
What about toProperty?
By the way, if you look at the documentation, there's also a way to set all of this up via the other side of the relationship: by saying toProperty: 'owner'.
This still works... and works exactly the same. But I recommend sticking with fromProperty, which is consistent and, I think, more clear. The toProperty is needed only if you didn't map the inverse side of a relationship... like if there was no dragonTreasures property on User. Unless you have that situation, stick with fromProperty.
Don't Forget normalizationContext!
This is all working nicely except for one small problem. If you look back at the data, it shows the wrong fields! It's returning everything, like id and isPublished.
Those aren't supposed to be included thanks of our normalization groups. But since we haven't specified any normalization groups on the new ApiResource, the serializer returns everything.
To fix this, copy the normalizationContext and paste it down here. We don't need to worry about denormalizationContext because we don't have any operations that do any denormalizing.
| // ... lines 1 - 11 | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 13 - 55 | |
| ( | |
| uriTemplate: '/users/{user_id}/treasures.{_format}', | |
| shortName: 'Treasure', | |
| operations: [new GetCollection()], | |
| uriVariables: [ | |
| 'user_id' => new Link( | |
| fromProperty: 'dragonTreasures', | |
| fromClass: User::class, | |
| ), | |
| ], | |
| normalizationContext: [ | |
| 'groups' => ['treasure:read'], | |
| ], | |
| ) | |
| // ... lines 70 - 73 | |
| class DragonTreasure | |
| { | |
| // ... lines 76 - 233 | |
| } |
If we refresh now... got it!
A Single Subresource Endpoint
Let's add one more subresource to see a slightly different case. I'll show you the URL I want first. We have a treasure with ID 11. This means we can go to /api/treasures/11.jsonld to see that. Now I want to be able to add /owner to the end to get the user that owns this treasure. Right now, that doesn't work.... so let's get to work!
Because the resource that will be returned is a User, that's the class that needs the new API Resource.
Above it, add #[ApiResource()] with uriTemplate set to /treasures/{treasure_id} for the wildcard (though this can be called anything), followed by /owner.{_format}.
| // ... lines 1 - 24 | |
| ( | |
| uriTemplate: '/treasures/{treasure_id}/owner.{_format}', | |
| // ... lines 27 - 34 | |
| ) | |
| // ... lines 36 - 38 | |
| class User implements UserInterface, PasswordAuthenticatedUserInterface | |
| { | |
| // ... lines 41 - 187 | |
| } |
Next pass uriVariables with treasure_id set to a new Link() - the one from ApiPlatform\Metadata. Inside, set fromClass to DragonTreasure::class. And since the property inside DragonTreasure that refers to this relationship is owner, add fromProperty: 'owner'.
| // ... lines 1 - 7 | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 9 - 24 | |
| ( | |
| uriTemplate: '/treasures/{treasure_id}/owner.{_format}', | |
| // ... line 27 | |
| uriVariables: [ | |
| 'treasure_id' => new Link( | |
| fromProperty: 'owner', | |
| fromClass: DragonTreasure::class, | |
| ), | |
| ], | |
| // ... line 34 | |
| ) | |
| // ... lines 36 - 38 | |
| class User implements UserInterface, PasswordAuthenticatedUserInterface | |
| { | |
| // ... lines 41 - 187 | |
| } |
We also know that we're going to need the normalizationContext... so copy that... and paste it here. Finally, we only want one operation: a GET operation to return a single User. So, add operations set to [new Get()].
| // ... lines 1 - 6 | |
| use ApiPlatform\Metadata\Get; | |
| use ApiPlatform\Metadata\Link; | |
| // ... lines 9 - 24 | |
| ( | |
| uriTemplate: '/treasures/{treasure_id}/owner.{_format}', | |
| operations: [new Get()], | |
| uriVariables: [ | |
| 'treasure_id' => new Link( | |
| fromProperty: 'owner', | |
| fromClass: DragonTreasure::class, | |
| ), | |
| ], | |
| normalizationContext: ['groups' => ['user:read']], | |
| ) | |
| // ... lines 36 - 38 | |
| class User implements UserInterface, PasswordAuthenticatedUserInterface | |
| { | |
| // ... lines 41 - 187 | |
| } |
That should do it! Move back over to the documentation, refresh, and take a look under "User". Yep! We have a new operation! And it even sees that the wildcard is a "DragonTreasure identifier".
If we go refresh the other tab... it works!
Ok team, I lied about this being the last topic because... it's bonus topic time! Next: let's create a React-based admin area automatically from our API docs. Woh.
24 Comments
Just a nitpick at Api platform I guess (Using Symfony 6.2 from the project code but api platform 3.2 as that is what is installed with 'composer require api'):
The subresource works, I can enter '4' in the docs for the user_id field and I get all treasures that have /api/users/4 as owner...
... but it is still called 'Treasure identifier' in my docs (even after a cache clear), while it's called 'User identifier' in your tutorial?
Same small issue here.
I found this comment which sounds like the solution: https://github.com/api-platform/core/issues/5343#issuecomment-1400434403
I am not going to try this fix right now since this is just tutorial code so I am not sure if it works.
Remember that it's just an array you are passing to an Attribute Class.
As in, you could make a class somewhere that returns that array from a static function, and just reference to that function from inside the ApiResource block. That way you cut down on the amount of openapi stuff that's there, specially if it's just for touching up the documentation.
Another method is to decorate the
api_platform.openapi.factoryservice.In the __invoke() method of your decorator:
Now your decorator does nothing, it's a no-op. But before the
return $openApicall, you can modify the returned OpenApi object, to do as you wish. As in, fix descriptions, change names, add (more) example payloads, add whole operations, etc..We use it to add custom endpoints from other bundles, or from the auth system, to add it to the OpenApi dump so it's a neat complete documentation, even filled with endpoints and resources that don't come from API platform.
Hey Joris-Mak,
Thanks for sharing this trick with others!
Cheers!
Hi,
I was wondering how to make posts to subresources because you don't show it in the screencast and it does not appear anywhere in the docs.
for example lets say I have a company-employee relationship and want to create new employees for a specific company like /api/companies/1/employees
This is my resource:
But when i post I get this error:
Can someone explain to me how to POST a sub-resource that then gets automatically associated with it's base resource via the id of the base resource given as url parameter?
Hey @Fireball!
Sorry for the very slow reply, life is getting in the way of my availability, and sometimes the team saves tough questions like this for me :).
I maybe don't know the answer either, but I do have some thoughts:
1) You won't like this answer, but if it were me, I would just POST to the non-subresource URL and save yourself the trouble
2) Buuuuuut, let's look deeper at
POST /api/companies/1/employees. It looks like API Platform is trying to load the ONECompany, then getting surprised by the many results. The way you've structured the request makes sense to me, but you could also consider that what you're trying to do is "modify" the resource located at/api/companies/1/employees(modify the employees resource for the companies). Again, what you're doing makes sense to me, and maybe the solution is some simple tweak to youroperations(though I don't see it). My point is, API Platform might want you toPATCHto/api/companies/1/employeesand send the entire payload of all employees. Again, I realize that's not what you want, just trying to shine some possible reasons for why API Platform may not be playing nicely.... or maybe there IS a simple solution and someone can tell us ;). That'd be the best.
Cheers!
Hi Ryan,
thank you for your answer! A few days later I found the solution but forgot I posed here the question.
There is a Provider in ApiPlatform that is marked as experimental and internal but solves exactly this problem.
It's this one:
ApiPlatform\State\CreateProviderI needed it for the following case:
I have an Entity that can have one or more related files which are modeled as Entities using VichUploader. Now while it would work, it would be a bit ugly to mix multipart/form-data with additional variables like the id of the related parent collection, so I wanted to pass the id via url like POST
/api/post/12/files(my upload Endpoint). Files can't be edited, only created and deleted.I created a copy of the CreateProvider in my own code in case it gets deleted in a future ApiPlatform update.
Hi, how to make a subressouces with a ManyToMany relation ? Thanks in advance :)
Hey Julien,
With ManyToMany you need to make this relationship first. We talk about this kind of relationship here: https://symfonycasts.com/screencast/doctrine-relations/many-to-many - but you may want to use this approach with OneToMany / ManyToOne to be able to save some extra fields on ManyToMany relationship, see: https://symfonycasts.com/screencast/doctrine-relations/complex-many-to-many
I hope that helps!
Cheers!
Hey there,
unfortunately, the subresource produced an semantical error.
But I was able to fix it.
My entities are no treasures and users, but items and facets.
So, wehen I did this on the item entity:
I got: "[Semantical Error] line 0, col 40 near 'facets IN (SELECT': Error: Invalid PathExpression. StateFieldPathExpression or SingleValuedAssociationField expected."
This seems to be an SQL related issue, which I do not really understand
BUT! There is a fix! Using toClass and toProperty Attributes:
Working fine now :)
So if any of you got that problem, try this.
Hey @ulfgar-hammerschlag
That's unexpected :) - Perhaps it is due to how your entities relate to each other, but I can't know for certain. Anyways, thank you for sharing it!
Cheers!
When you created the dragon treasures sub resource the sql query used a sub query which I feel is less than ideal. Is there a particular reason it defaults to that approach? And how would I override that?
Hey @Ammar!
I don't know the specifics about why the query is done this way, but yes, I believe in the latest version of API Platform you can override this - see https://github.com/api-platform/core/pull/5732
However, I've never done this - so I'm passing along the hint but I'm not sure if this is exactly what you want. But, I'd love to know if it helps!
Cheers!
Hey Ryan, I have some question regarding subresource (maybe that's not even the solution to my problem):
So we're building a Web-App where a user can manage one or more projects, and the has DIFFERENT roles/permissions for every project. In one he is the manager and sees almost everything, in the other, he is just a normal user and sees only his own stuff. How should I handle the request/uris and permission?
1) With Subresources like
/project/123/task/456, so it's perfectly clear how to access the data, but every ApiResouce needs to be prefixed with "project/:projectId". How do I know the User has the sufficient privileges to access the project or the task? I can't use Default Role Voter, cause it uses the User->roles property that is unaware of the current project (like "is_granted")2) With Filters as payload (but won't work for GET requests, or?)
3) Maybe some kind of state, like a POST selectProject {id: 123} that sets some kind of session value that is automatically injected in every query (in a QueryExtension)
All in all I think it should be possible with the above ideas, but it feels like a lot of effort
Hey @Sebastian-K!
Hmm, interesting! Subresources are cool - and are MUCH nicer than in API Platform 2 (they were kind of a hacked addon the, but they're a first-class citizen now). And so, we can definitely use them. But we also may not need to.
Look at the URL:
/project/123/task/456. That's gorgeous! But/task/456is technically just as functional. If eachTaskhas a relation to itsProject, then from/task/456, we can look up the project from theTaskand then see if the currently-authenticated user is an owner or not. Actually, even if I used subresources, I'd do the same thing: subresources are ultimately a bit of a "vanity" URL. At the end of the day, the object being loaded isTaskwith id456.So, for security, I'd create a custom voter (you're right that the default Role voter doesn't work when you need to decide permission based on some data - like I DO have permission to see Task 456, but not Task 123). Fortunately, we show this a bit in the next episode - https://symfonycasts.com/screencast/api-platform-security/access-control-voter - we first (in earlier chapters) show security using an expression, then we refactor it to a voter here. This strategy I think would work the same whether you decided to use a subresource or not. The
/project/123part of the URL just isn't that important (again, when you go to/project/123/task/456, it really just queries for Task456and THEN you run security checks. I DO think, though you could verify, that if a mischievous user changed the URL to/project/111/task/456, whereTaskDOES belong toProject123, then it would result in a 404).For "collection" resources, the strategy for filtering is slightly different - we talk about it here - https://symfonycasts.com/screencast/api-platform-security/query-extension
This part MAY differ slightly based on if you're using a subresource or not - but I'm not entirely sure:
A) If you do
/tasks, then you can use a query extension like above to modify the query to only return tasks that are related to projects that the current user should have access to.B) If you do
/project/123/tasks, then API Platform will automatically only show tasks for project 123. But, what if the user doesn't have access toProject123 at all? I'm actually not entirely sure how to handle this. The simplest solution is to, like with (A), create a query extension "to only return tasks that are related to projects that the current user should have access to". In that case, if the user doesn't have access toProject123, the query would effectively be:So you'd filter to only tasks for projects the user should be able to see... and if that doesn't include project 123, it would result in null rows. The other way to do it would be to make
/projects/123/tasksreturn a 404, but I'm not entirely sure how to do that :).Let me know if this helps!
Cheers!
Thanks for the reply. Gave me new points to think about
I would now have defined
/users/{user_id}/treasures.{_format}inUserand/treasures/{treasure_id}/owner.{_format}inDragonTreasure.Is there a reason why this is so twisted, purely from the grouping of the namespaces I find it so very strange.
Hey @urk!
I assume you're referring to how the sub-resources almost seem "backward" in the class they live in, right? Like the
/users/{user_id}/treasures.{_format}is a "subresource under user"... and yet we put it intoDragonTreasure.I agree that it's a bit weird... but I think it would be weird the other way too. No perfect option :). The logic is that, because
/users/{user_id}/treasures.{_format}will return "dragon treasures",. that's the class it should live on. It's almost like this is just a "vanity URL" / a different way to fetch dragon treasures. Of course, the downside is that the operations that we think of as "operations under /api/users" are split between multiple classes.Anyway, I hope that gives some explanation at least!
Cheers!
Hey Ryan
Yes, you heard me correctly and I know what you mean.
It depends from which side you look at it. But it doesn't really have a technical reason. Thank you.
Thanks and cheers, Urs
How can I generate the route from the $iriConverter class? That is, I don't want to hardcode the route (for the same reason I use path() in twig and never hard-code the route)
Version 2 of API Platform had a concept of subresources, version 3 doesn't, but I'm not sure what to pass to create the route.
Hey @Tac-Tacelosky!
Hmm, that's a good question! I've not done this yet, but... the
getIriFromResource()method has a 3rd argumentOperation $operation = null. But it looks a little tricky.First, I think you need to give your operation a name - apparently you can add
name: 'foo'inside an operation - like anew GetCollection(name: 'my_subresource_get_collection'). Then, to fetch that object, I think you can do this:Give that a try - I might not have things quite right - a bit of digging and guessing to find this - a new part of the code for me!
Cheers!
Hey!
Thanks a lot for this tutorial, but I found nothing about security in here. I mean especially the way to protect only read relations of a user for the user itself. Will there be another tutorial for handling voters etc.?
Thank you for your answer!
Hey Thomas,
yes, you're right, in this tutorial we don't talk about security, that's the topic of our next tutorial https://symfonycasts.com/screencast/api-platform3-security
it's going to be released soon :)
Cheers!
Wow - that's what I hoped!
Thank you for replying!
"Houston: no signs of life"
Start the conversation!