8000 [FrameworkBundle][Serializer] Add an ArgumentResolver to deserialize & validate user input by GaryPEGEOT · Pull Request #45628 · symfony/symfony · GitHub


[FrameworkBundle][Serializer] Add an ArgumentResolver to deserialize & validate user input #45628


Closed
wants to merge 13 commits into from
fix: content-type guessing
GaryPEGEOT committed Mar 9, 2022
commit 15236179bd292b34ba82c70359bfbff9efa55a91
@@ -54,10 +54,10 @@ public function resolve(Request $request, ArgumentMetadata $argument): iterable
$context = array_merge($attribute->serializationContext, [
DenormalizerInterface::COLLECT_DENORMALIZATION_ERRORS => true,
Contributor:
What about adding AbstractObjectNormalizer::ALLOW_EXTRA_ATTRIBUTES => false?

]);
$format = $attribute->format ?? $request->attributes->get('_format', 'json');
$format = $attribute->format ?? $request->getContentType() ?? 'json';
Member:

For security reasons, I suggest throwing an exception if the format isn't provided in the Content-Type header and if the expected format (the format explicitly passed as a parameter by the user) doesn't match the value of Content-Type.

Contributor:

Could we just use $request->toArray()? Or would it be too restrictive in terms of format?


try {
$input = $this->serializer->deserialize(data: $request->getContent(), type: $argument->getType(), format: $format, context: $context);
$input = $this->serializer->deserialize($request->getContent(), $argument->getType(), $format, $context);
} catch (PartialDenormalizationException $e) {
if (null === $this->validator) {
throw new UnprocessableEntityHttpException(message: $e->getMessage(), previous: $e);
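Review bot: the catch at the end of this hunk handles only PartialDenormalizationException, while the new `$format = $attribute->format ?? $request->getContentType() ?? 'json';` line takes the format from the client-supplied Content-Type header and silently falls back to 'json' when that header is missing or unrecognised. Nothing in the hunk checks that the resolved format is one the serializer can decode, or that it agrees with an explicitly configured `$attribute->format`, so a mismatched or undecodable body reaches deserialize() and any failure other than a partial denormalization escapes this block instead of becoming a 4xx. Suggest validating `$format` before the call (reject with 415 when the header is absent, unknown, or differs from the configured format) and extending the catch so that a body the serializer cannot decode also yields an UnprocessableEntityHttpException rather than a 500.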
@yceruto (Member), Mar 7, 2022:
This will show an empty message which is not useful. However, we can still normalize the PartialDenormalizationException to show all errors. I mean, it shouldn't depend exclusively on the Validator ConstraintViolationList as it's optional.
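As an added example (not code from this pull request or from Symfony itself), here is one way to implement the stricter format selection suggested in the review thread: refuse the request when the Content-Type header is missing or unknown, when it disagrees with a format the attribute pins, or when it names a format the serializer is not configured for. `resolveFormat()`, the `$supported` list and the autoload path are names chosen for this example; `Request::getContentType()` and `UnsupportedMediaTypeHttpException` are existing Symfony HttpFoundation and HttpKernel classes.

```php
<?php
// Added example, not code from PR #45628 or from Symfony: a strict replacement
// for `$attribute->format ?? $request->getContentType() ?? 'json'`.
// resolveFormat(), $supported and the autoload path are assumptions of this example.

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;

/**
 * Pick the serializer format for the request body, or refuse the request.
 *
 * - No silent default: an absent or unrecognised Content-Type is rejected
 *   with 415 instead of being decoded as JSON.
 * - A format pinned by the attribute must agree with what the client sent.
 * - Only formats the serializer is actually configured for are accepted.
 *
 * @param string|null $expected  format pinned by the attribute, if any
 * @param string[]    $supported formats the serializer can decode (assumed list)
 */
function resolveFormat(Request $request, ?string $expected, array $supported = ['json', 'xml']): string
{
    // getContentType() maps the Content-Type header to a short format name
    // ('json', 'xml', 'form', ...) and returns null for a missing or unknown type.
    $declared = $request->getContentType();

    if (null === $declared) {
        throw new UnsupportedMediaTypeHttpException('A recognised Content-Type header is required.');
    }
    if (null !== $expected && $declared !== $expected) {
        throw new UnsupportedMediaTypeHttpException(sprintf('Expected a "%s" body, got "%s".', $expected, $declared));
    }
    if (!\in_array($declared, $supported, true)) {
        throw new UnsupportedMediaTypeHttpException(sprintf('Format "%s" is not accepted here.', $declared));
    }

    return $declared;
}

// Constructed requests that exercise each branch; nothing here comes from the PR.
$cases = [
    'declared json, nothing pinned' => [
        Request::create('/', 'POST', [], [], [], ['CONTENT_TYPE' => 'application/json'], '{"a":1}'), null,
    ],
    'unknown media type' => [
        Request::create('/', 'POST', [], [], [], ['CONTENT_TYPE' => 'application/vnd.unknown'], '{"a":1}'), null,
    ],
    'xml body while attribute pins json' => [
        Request::create('/', 'POST', [], [], [], ['CONTENT_TYPE' => 'application/xml'], '<a/>'), 'json',
    ],
    // Request::create() gives a POST without CONTENT_TYPE a form-encoded type,
    // which is a format the serializer is not configured for here.
    'form-encoded body' => [
        Request::create('/', 'POST', ['a' => '1']), null,
    ],
];

foreach ($cases as $label => [$request, $expected]) {
    try {
        printf("%-36s accepted as %s\n", $label, resolveFormat($request, $expected));
    } catch (UnsupportedMediaTypeHttpException $e) {
        printf("%-36s rejected (415): %s\n", $label, $e->getMessage());
    }
}
```

Run it with `php` in a project where `symfony/http-foundation` and `symfony/http-kernel` are installed; only the first case is accepted, the other three are turned away before any deserialization happens, which is the point of not defaulting to a format the client never declared.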
