Chapters
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3
-
This Video
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeClose up the POST operation. I want to make a GET request to the collection of users. Let's see here - the user with id 4 has one CheeseListing attached to it - id 2. Ok, close up that operation and open up the operation for PUT: I want to edit that User. Enter 4 for the id.
First, I'm going to do something that we've already seen: let's just update the cheeseListings field: set it to an array with one IRI inside: /api/cheeses/2. If we did nothing else, this would set this property to... exactly what it already equals: user id 4 already has this one CheeseListing.
But now, add another IRI: /api/cheeses/3. That already exists, but is owned by another user. When I hit Execute.... pfff - I get a syntax error, because I left an extra comma on my JSON. Boo Ryan. Let's... try that again. This time... bah! A 400 status code:
This value should not be blank
My experiments with validation just came back to bite me! We set the title for CheeseListing 3 to an empty string in the database... it's basically a "bad" record that snuck in when we were playing with embedded validation. We could fix that title.. or... just change this to /api/cheeses/1. Execute!
The Serializer only Calls Adders for New Items
This time, it works! But, no surprise - we've basically done this! Internally, the serializer sees the existing CheeseListing IRI - /api/cheeses/2, realizes that this is already set on our User, and... does nothing. I mean, maybe it goes and gets a coffee or takes a walk. But, it most definitely does not call $user->addCheeseListing()... or really do anything. But when it sees the new IRI - /api/cheeses/1, it figures out that this CheeseListing does not exist on the User yet, and so, it does call $user->addCheeseListing(). That's why adder and remover methods are so handy: the serializer is smart enough to only call them when an object is truly being added or removed.
Removing Items from a Collection
Now, let's do the opposite: pretend that we want to remove a CheeseListing from this User - remove /api/cheeses/2. What do you think will happen? Execute and... woh! An integrity constraint error!
An exception occurred when executing UPDATE cheese_listing SET owner_id=NULL - column
owner_idcannot be null.
This is cool! The serializer noticed that we removed the CheeseListing with id = 2. And so, it correctly called $user->removeCheeseListing() and passed CheeseListing id 2. Then, our generated code set the owner on that CheeseListing to null.
Depending on the situation and the nature of the relationship and entities, this might be exactly what you want! Or, if this were a ManyToMany relationship, the result of that generated code would basically be to "unlink" the two objects.
orphanRemoval
But in our case, we don't ever want a CheeseListing to be an "orphan" in the database. In fact... that's exactly why we made owner nullable=false and why we're seeing this error! Nope, if a CheeseListing is removed from a User... I guess we really need to just delete that CheeseListing entirely!
And... yea, doing that is easy! All the way back up above the $cheeseListings property, add orphanRemoval=true.
|
Show Lines
|
// ... lines 1 - 22 |
| class User implements UserInterface | |
| { | |
|
Show Lines
|
// ... lines 25 - 58 |
| /** | |
| * @ORM\OneToMany(targetEntity="App\Entity\CheeseListing", mappedBy="owner", cascade={"persist"}, orphanRemoval=true) | |
|
Show Lines
|
// ... lines 61 - 62 |
| */ | |
| private $cheeseListings; | |
|
Show Lines
|
// ... lines 65 - 185 |
| } |
This means, if any of the CheeseListings in this array suddenly... are not in this array, Doctrine will delete them. Just, realize that if you try to reassign a CheeseListing to another User, it will still delete that CheeseListing. So, just make sure you only use this when that's not a use-case. We've been changing the owner of cheese listings a bunch... but only as an example: it doesn't really make sense, so this is perfect.
Execute one more time. It works... and only /api/cheeses/1 is there. And if we go all the way back up to fetch the collection of cheese listings... yea, CheeseListing id 2 is gone.
Next, when you combine relations and filtering... well... you get some pretty serious power.
22 Comments
weaverryan
SFCASTS
Jakub
1 year ago
Hey Jakub!
Sorry for the very slow reply! Apparently I'm still catching up from Symfony's conference week :p.
I'm not familiar with this error. However, I can see that this class has been modified in later versions. For example, str_replace() exists in this class in API Platform 2.4 and 2.5, but not in 2.6: they may have fixed some bugs or find a better way to do something. I would try upgrading if you can. If you can't, the problem is on this line - https://github.com/api-platform/core/blob/1a811560d55c5f479fddcc8b7b0f7b36b6e734aa/src/Bridge/Doctrine/Orm/Extension/FilterEagerLoadingExtension.php#L155 - I'm not sure what it is, but something is going wrong with getting information about how to join to make this filter.
Cheers!
Gab
2 years ago
edited
Hello,
Am trying to remove an 'attribute' IRI but i got an error Invalid IRI, its a ManyToOne
{
"@id": "/api/document_attribute_values/1",
"@type": "DocumentAttributeValue",
"id": 2,
"attribute":"",
"document": "/api/documents/1",
"lang": "/api/langs/1",
"createdBy": "/api/users/1",
"createdAt": "2021-04-28T09:32:48+02:00",
"label": "test"
Thanks in Advance.
weaverryan
SFCASTS
Gab
2 years ago
Hey @Gab!
Hmm. Can you add some more information? What is the URL, method and data for the request that you're sending? What does the class look like that has the ManyToOne? I'm... not sure I understand the situation yet :).
Cheers!
Gab
weaverryan
2 years ago
edited
This is object in post method :
DocumentAttributeValue.jsonld{
document string($iri-reference)
attribute string($iri-reference)
lang string($iri-reference)
createdBy string($iri-reference)
createdAt string($date-time)
label string
}
Hey @Gab!
Sorry for the VERY slow reply - it was a particularly busy week - my apologies.
Hmm. I still don't understand. I think what you posted here is a description of part of the API - from maybe the API docs/homepage? You originally said:
Am trying to remove an 'attribute' IRI but i got an error Invalid IRI
I was curious exactly what URL you are hitting and what data you are sending. For example, you might be making a request like this:
POST /api/documents/1
{
"document_attribute_value": "/api/document_attribute_values/5"
}
This is almost definitely not correct - I am totally guessing. But this is the format I'm hoping to see: what is the URL and JSON data you are sending. Also what is the exact error you get back?
Cheers!
Tianyu W.
3 years ago
Hi there,
It works well in RESTFul api. I'd like to know if there is a way to handle adding and removing element from ManyToMany collection using Graphql? I tried to use updateResource but it seems that the property always got overridden. Thanks.
weaverryan
SFCASTS
Tianyu W.
3 years ago
edited
Hi Tianyu W.!
Sorry for the slow reply! Unfortunately, none of us on the team have worked with GraphQL, so we don't know the answer here :/. I would expect it to be possible, but I don't know for sure. Just keep in mind that the system works (and I'm almost positive this is true with GraphQL) by calling getter, setter, adder and remover methods on your object. So if you can get API Platform to call the right method... and that method does it's job, it "should" work. But... this is a very high level answer. Sorry I can't do better!
Cheers!
tuancode
3 years ago
edited
Hi Ryan,
Is it a good practice to allow nullable setter for a not null field? For example, the $owner property in this case, while it is a not null column in database, we need to allow setter and getter nullable, to allow orphanRemoval=true feature can be workable. For me, it looks like a workaround approach. I'm not sure any better approach.
/**
* @ORM\ManyToOne(targetEntity=User::class, inversedBy="cheeseListings")
* @ORM\JoinColumn(nullable=false)
* @Assert\Valid()
*
* @Groups({"cheese_listing:read","cheese_listing:write"})
*/
private ?User $owner;
public function getOwner(): ?User
{
return $this->owner;
}
public function setOwner(?User $owner): self
{
$this->owner = $owner;
return $this;
}
Victor
SFCASTS
tuancode
3 years ago
Hey Tuancode,
Yes, unfortunately, you need to allow null for setters/getters even if you do not allow nullable fields in the database. That's because an entity might be in an invalid state and Symfony validator could work properly. So yes, it's not perfect but practical thing to do. Another way probably to use Data Transfer Objects (DTO) instead where you will allow null in setters/getters for such fields, they might be in an invalid state, and when they pass validation - map all their values to the specific entity and when you will do it - you will be sure that all required not nullable fields will be set correctly. But allowing null in entities just easier and less extra work, and fairly speaking I'm not sure 100% this approach with DTO will work with APiPlatform, probably you would need to write more custom code for this.
Cheers!
Tuan Vu
Victor
3 years ago
edited
Thanks victor , that's an awesome response.
Victor
SFCASTS
Tuan Vu
3 years ago
Hey Tuan,
Thanks! I'm happy it was useful for you :)
Cheers!
Daniel W.
3 years ago
edited
Hi,
I think there is some kind of bug in swagger-ui or api platform.
The schema "cheeses:jsonld-write" does not show that there is an owner property on cheeses.
The thing is the owner property actually exists and works, but swagger does not show it.
Here are some images describing this better:
some more info:
The owner property is annotated like this:
`
/**
* @ORM\ManyToOne(targetEntity=User::class, inversedBy="cheeseListings")
* @ORM\JoinColumn(nullable=false)
* @Groups({"cheese_listing:read", "cheese_listing:write"})
* @Assert\Valid
*/
private $owner;
`
Daniel W.
Daniel W.
3 years ago
Edit: It seems the problem was bad named "swagger_definition_name" on user. Instead of naming it Read and Write I named it User-read and User-Write which fixed it. Kinda really strange how renaming the schema can have such a side effect.
weaverryan
SFCASTS
Daniel W.
3 years ago
edited
Hey Daniel W.!
That *is* strange... I'm not super familiar with this area so I'm not sure *why* that would be the case.
Cheers!
Eric
4 years ago
Having a hard time wrapping my head around how one would leverage reassigning ownership of an entity, like being done here, in an application that has more strict ownership rules.
For example:
If we had 3 entities (User, UserGroup and CheeseListing) where users should not be able to interact with cheese listings that are outside of their user's user group - how would one apply those rules? As it stands now, a user could be assigned any cheese listing - instead of only being able to be assigned a subset of cheese listings in which it should have access. I've been trying to search the docs to figure this out but not coming up with any right way to implement this. I see mention of using access control to limit access to sub-resources (https://api-platform.com/do... but if that is limited to roles and such, and a user could have the same role across user groups, I'm not sure how to approach the problem.
Any suggestions are appreciated. Figure this is probably a pretty common situation so perhaps I am just overlooking something. My mind goes to multi-tenant applications where this would be needed on most any related resource.
Eric
Eric
4 years ago
Was thinking about this last night and I guess you could just use custom validation constraints to handle this - which I believe would be the most appropriate way to handle this.
Victor
SFCASTS
Eric
4 years ago
Hey Eric,
Good question! I think you're on the right direction here, probably using custom validation constraints in this case would be the most flexible and powerful solution. Nothing much except this can advise here :/
Cheers!
weaverryan
SFCASTS
Victor
4 years ago
edited
Hey victor !
Cool question :). We've just started releasing our security tutorial - https://symfonycasts.com/screencast/api-platform-security - and this is exactly the kind of stuff I hope to clear up there. But, let me answer now and we can make sure that I'm answering everything clearly :).
There are two parts to this that I can see:
1) How do I restrict access (e.g. GET) to a specific CheeseListing so that only a User that belongs to a UserGroup that owns a CheeseListing can access it?
First, don't use sub resources :). I just wanted to mention that first - because it can complicate things a bit (as you might successfully secure the GET operation for cheese listings, but forget that you've exposed cheeseListings as a sub-resource of some other entity... or something like that ;).
To solve this problem, you'll use two things: (A) access_control (https://api-platform.com/docs/core/security/#configuring-the-access-control-message) with voters. So, I might use something like access_control"="is_granted('READ', previous_object)". Then you would have a custom voter that is able to decide whether or not the current user has "READ" access (I just invented that string) to this CheeseListing (that's what "previous_object" represents, and is passed to your voter - it is the CheeseListing object before it was modified by the request). And (B) you will probably need a custom Doctrine extension (https://api-platform.com/docs/core/extensions/#custom-doctrine-orm-extension) so that you can also filter the collection resource by this same logic (so that when you make a GET collection to /api/cheeses, you only see what you should see).
2) How can I change ownership of a CheeseListing?
I think this might also be part of your question. In your model, changing ownership would mean that you're changing, for example, the "group" property on a CheeseListing. Other than security, that's trivial: you're just updating a property on CheeseListing. But to prevent a "bad" user from doing this (e.g. to prevent someone from changing the CheeseListing from some OTHER group to their OWN group) you would leverage access_control once again - the previous_object variable I mention above will contain the CheeseListing.group property before it was changed. So, naturally, your voter logic will see if the user making this request belongs to the group of this CheeseListing or not.
A similar question to 2 is: what if they "pass" my access_control successfully (they DO have access) but then I need to make sure that the new CheeseListing.group is a value that they are allowed to use? For example, suppose i CAN access this CheeseListing, but I'm trying to change its group to some group that I'm not part of. That should not be allowed. The answer to this is indeed a custom validation constraint.
Let me know if this helps! There are about 4 different subtle different "ways" to protect a resource (protect entire resource/operation, change fields based on the user, prevent bad data from being set, etc) and each has a specific solution. This will all be in the security tutorial :).
Cheers!
In a real situation nobody will remove the orphan, instead I want to set another field like isRemoved=1. Is there a way to do that or we have to update this field separately?
MolloKhan
SFCASTS
Rakodev
4 years ago
edited
Hey Rakodev
I'm not sure but I would say yes, you have to remove the "orphan" config and do the update yourself. But it seems to me that what you want is something similar as the "SoftDeleteable" extension. Give it a check and decide if it fits your needs or not (https://github.com/Atlantic... )
Cheers!
Rakodev
MolloKhan
4 years ago
edited
Hey MolloKhan ,
Thank you for the suggestion. Finally I did something by myself instead of using another vendor.
My solution is this one, and it works:
https://gist.github.com/rak...
If anyone try it, I will appreciate any feedback.
"Houston: no signs of life"
Start the conversation!
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.1.3",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^2.1", // v2.4.3
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.10.2
"doctrine/doctrine-bundle": "^1.6", // 1.11.2
"doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
"doctrine/orm": "^2.4.5", // v2.7.2
"nelmio/cors-bundle": "^1.5", // 1.5.5
"nesbot/carbon": "^2.17", // 2.19.2
"phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
"symfony/asset": "4.2.*|4.3.*|4.4.*", // v4.3.11
"symfony/console": "4.2.*", // v4.2.12
"symfony/dotenv": "4.2.*", // v4.2.12
"symfony/expression-language": "4.2.*|4.3.*|4.4.*", // v4.3.11
"symfony/flex": "^1.1", // v1.21.6
"symfony/framework-bundle": "4.2.*", // v4.2.12
"symfony/security-bundle": "4.2.*|4.3.*", // v4.3.3
"symfony/twig-bundle": "4.2.*|4.3.*", // v4.2.12
"symfony/validator": "4.2.*|4.3.*", // v4.3.11
"symfony/yaml": "4.2.*" // v4.2.12
},
"require-dev": {
"symfony/maker-bundle": "^1.11", // v1.11.6
"symfony/stopwatch": "4.2.*|4.3.*", // v4.2.9
"symfony/web-profiler-bundle": "4.2.*|4.3.*" // v4.2.9
}
}
Hello again,
now I have problem with
owner.usernamefilter. When I try to filter cheese listings by owner username the response code is 500 and the error message is:I don't know why this function is given a null argument instead something to be replaced.
I'm using Symfony 4.4.32 and OpenAPI 3.0.2.
I would be grateful for reply.
Jakub