If you liked what you've learned so far, dive in!
Subscribe to get access to this tutorial plus
video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeIn DragonTreasure
, find the $isPublished
field. Earlier we added this ApiProperty
security
thing so that the field is only returned for admin users or owners of this treasure. This is a simple and 100% valid way to handle this situation.
However, there is another way to handle fields that should be dynamic based on the current user... and it may or may not have two advantages depending on your situation.
First, check out the documentation. Open the GET endpoint for a single DragonTreasure
. And, even without trying it, you can see that isPublished
is a field that is correctly advertised in our docs.
So, that's good, right? Yea! Well, probably. If isPublished
were truly an internal, admin-only field, we might not want it advertised to the world.
The second possible problem with security
is that, if you have this option on many properties, it's going to run that security check a lot of times when returning a collection of objects. Honestly, that probably won't cause performance issues, but it's something to be aware of.
To solve these two possible problems - and, honestly, just to learn more about how API Platform works under the hood - I want to show you an alternative solution. Remove the ApiProperty
attribute:
... lines 1 - 88 | |
class DragonTreasure | |
{ | |
... lines 91 - 129 | |
security: 'is_granted("EDIT", object)') ( | |
private bool $isPublished = false; | |
... lines 132 - 250 | |
} |
And replace it with two new groups. We're not going to use the normal treasure:read
and treasure:write
... because then the fields would always be part of our API. Instead, use admin:read
and admin:write
:
... lines 1 - 88 | |
class DragonTreasure | |
{ | |
... lines 91 - 128 | |
'admin:read', 'admin:write']) ([ | |
private bool $isPublished = false; | |
... lines 131 - 249 | |
} |
This won't work yet... because these groups are never used. But here's the idea: if the current user is an admin, then when we serialize, we'll add these two groups.
The tricky part is, right now, groups are static! We set them way up here on the ApiResource
attribute - or on a specific operation - and that's it! But we can make them dynamic.
Internally, API Platform has a system called a context builder, which is responsible for building the normalization or denormalization contexts that are then passed into the serializer. And, we can hook into that to change the context: like to add extra groups.
Let's do it! Over in src/ApiPlatform/
, create a new class called AdminGroupsContextBuilder
... and make this implement SerializerContextBuilderInterface
:
... lines 1 - 2 | |
namespace App\ApiPlatform; | |
use ApiPlatform\Serializer\SerializerContextBuilderInterface; | |
... lines 6 - 7 | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
... lines 10 - 13 | |
} |
Then, go to "Code"->"Generate" - or Command
+N
on a Mac - and select "Implement methods" to create the one we need: createFromRequest()
:
... lines 1 - 5 | |
use Symfony\Component\HttpFoundation\Request; | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
public function createFromRequest(Request $request, bool $normalization, array $extractedAttributes = null): array | |
{ | |
// TODO: Implement createFromRequest() method. | |
} | |
} |
It's pretty simple: API Platform will call this, pass us the Request
, whether or not we're normalizing or denormalizing... and then we return the context
array that should be passed to the serializer.
Like we've seen a few times already, our intention is not to replace the core context builder. Nope, we want the core context builder to do its thing... and then we'll add our own stuff.
To do this, once again, we'll use service decoration. We know how this works: add a __construct()
method that accepts a private SerializerContextBuilderInterface
and I'll call this $decorated
:
... lines 1 - 7 | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
public function __construct(private SerializerContextBuilderInterface $decorated) | |
{ | |
} | |
... lines 13 - 20 | |
} |
Then, down here, say $context = this->decorated->createFromRequest()
passing $request
, $normalization
and $extractedAttributes
. Add a dump()
to make sure this is working and return $context
:
... lines 1 - 7 | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
... lines 10 - 13 | |
public function createFromRequest(Request $request, bool $normalization, array $extractedAttributes = null): array | |
{ | |
$context = $this->decorated->createFromRequest($request, $normalization, $extractedAttributes); | |
dump('I AM WORKING!'); | |
return $context; | |
} | |
} |
To tell Symfony to use our context builder in place of the real one, add our #[AsDecorator()]
.
Here, we need the service ID of whatever the core context builder is. That's something you can find in the docs: it's api_platform.serializer.context_builder
:
... lines 1 - 5 | |
use Symfony\Component\DependencyInjection\Attribute\AsDecorator; | |
... lines 7 - 8 | |
'api_platform.serializer.context_builder') ( | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
... lines 12 - 22 | |
} |
Oh, but be careful when using SerializerContextBuilderInterface
: there are two of them. One of is from GraphQL: make sure you select the one from ApiPlatform\Serializer
, unless you are using GraphQL.
Ok! Let's see if it hits our dump! Run all of our tests: I also want to see which fail:
symfony php bin/phpunit
And... okay! We see the dump a bunch of times, followed by two failures. The first is testAdminCanPatchToEditTreasure
. That's the case we're working on right now. We'll worry about testOwnerCanSeeIsPublishedFieldI
in a minute.
Copy the test method name and rerun that with --filter=
:
symfony php bin/phpunit --filter=testAdminCanPatchToEditTreasure
Perfect! We see the dump: actually three times, which is interesting. Open up that test so we can see what's going on. Yup! We're making a single PATCH
request to /api/treasure/1
. So, the context builder is called 3 times during just one request?
It is! It's called one time when API Platform is querying and loading the DragonTreasure
from the database. That's... kind of an odd situation because the context is meant to be used for the serializer... but we're simply querying for the object. But anyway, that's the first time.
The next two make sense: it's called when the JSON we're sending is denormalized into the object... and a third time when the final DragonTreasure
is normalized back into JSON.
Anyway, let's hop in and add the dynamic groups. To determine if the user is an admin, add a second constructor argument - private Security
from SecurityBundle
called $security
:
... lines 1 - 5 | |
use Symfony\Bundle\SecurityBundle\Security; | |
... lines 7 - 9 | |
'api_platform.serializer.context_builder') ( | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
public function __construct(private SerializerContextBuilderInterface $decorated, private Security $security) | |
{ | |
} | |
... lines 16 - 26 | |
} |
Then down here, if isset($context['groups'])
and $this->security->isGranted('ROLE_ADMIN')
, then we'll add the groups: $context['groups'][] =
. If we're currently normalizing, add admin:read
else add admin:write
:
... lines 1 - 10 | |
class AdminGroupsContextBuilder implements SerializerContextBuilderInterface | |
{ | |
... lines 13 - 16 | |
public function createFromRequest(Request $request, bool $normalization, array $extractedAttributes = null): array | |
{ | |
$context = $this->decorated->createFromRequest($request, $normalization, $extractedAttributes); | |
if (isset($context['groups']) && $this->security->isGranted('ROLE_ADMIN')) { | |
$context['groups'][] = $normalization ? 'admin:read' : 'admin:write'; | |
} | |
... lines 24 - 25 | |
} | |
} |
Now, you might be wondering why we're checking if isset($context['groups'])
. Well, it doesn't apply to our app, but imagine if we were serializing an object that didn't have any groups
on it - like we never set the normalizationContext
on that ApiResource
. In that case, adding these groups
would cause it to return less fields! Remember, if there are no serialization groups, the serializer returns every accessible field. But as soon as you add even one group, it only serializes the things in that one group. So if there aren't any groups
, do nothing and let everything be serialized or deserialized like normal.
Ok! Let's try the test now!
symfony php bin/phpunit --filter=testAdminCanPatchToEditTreasure
It passes! The isPublished
field is being returned if we're an admin user. But... go refresh the docs... and open the GET one treasure endpoint. Now we do not see isPublished
advertised as a field in our docs... even though it will be returned if we're an admin. That might be good or bad. It is possible to make the docs load dynamically based on who is logged in, but that's not something we're going to tackle in this tutorial. We did talk about that in our API platform 2 tutorial... but the config system has changed.
Let's dig into the next method, which tests that an owner can see the isPublished
field. This is currently failing... and it's even trickier than the admin situation because we need to include or not include the isPublished
field on an object-by-object basis.
Hey @Jay!
I think I can help here :). At the end of the video, I said that this is NOT something we're going to tackle in this tutorial actually, but I am pretty sure I have the answer for you.
In version 2 of this tutorial, we DID tackle this: it's this topic - https://symfonycasts.com/screencast/api-platform2-security/resource-metadata-factory
And, I've had several people ask me how to do this in API Platform 3. Fortunately, it works "basically the same" - you just need to change some class names / namespaces. And, double-fortunately, someone has shared their solution! You can check it out here - https://symfonycasts.com/screencast/api-platform/serialization-groups#comment-29548
This may, at first, not look exactly like what you are referring to. But by adding your dynamic groups here (e.g. if I'm an admin, I get an extra admin:read
group), they should show up in the docs. I think this won't work for all cases. If you are trying to add some sort of owner:read
group that depends on the object (e.g. you are the owner of some objects but not others), that can't show up in the docs, really. The docs can only say that a field does or doesn't exist... it doesn't have the ability to communicate that, when you try to fetch a Product
that you may or may not have a certain field... depending on the field.
Let me know if that helps!
Cheers!
// composer.json
{
"require": {
"php": ">=8.1",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^3.0", // v3.1.2
"doctrine/annotations": "^2.0", // 2.0.1
"doctrine/doctrine-bundle": "^2.8", // 2.8.3
"doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
"doctrine/orm": "^2.14", // 2.14.1
"nelmio/cors-bundle": "^2.2", // 2.2.0
"nesbot/carbon": "^2.64", // 2.66.0
"phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
"phpstan/phpdoc-parser": "^1.15", // 1.16.1
"symfony/asset": "6.2.*", // v6.2.5
"symfony/console": "6.2.*", // v6.2.5
"symfony/dotenv": "6.2.*", // v6.2.5
"symfony/expression-language": "6.2.*", // v6.2.5
"symfony/flex": "^2", // v2.2.4
"symfony/framework-bundle": "6.2.*", // v6.2.5
"symfony/property-access": "6.2.*", // v6.2.5
"symfony/property-info": "6.2.*", // v6.2.5
"symfony/runtime": "6.2.*", // v6.2.5
"symfony/security-bundle": "6.2.*", // v6.2.6
"symfony/serializer": "6.2.*", // v6.2.5
"symfony/twig-bundle": "6.2.*", // v6.2.5
"symfony/ux-react": "^2.6", // v2.7.1
"symfony/ux-vue": "^2.7", // v2.7.1
"symfony/validator": "6.2.*", // v6.2.5
"symfony/webpack-encore-bundle": "^1.16", // v1.16.1
"symfony/yaml": "6.2.*" // v6.2.5
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
"mtdowling/jmespath.php": "^2.6", // 2.6.1
"phpunit/phpunit": "^9.5", // 9.6.3
"symfony/browser-kit": "6.2.*", // v6.2.5
"symfony/css-selector": "6.2.*", // v6.2.5
"symfony/debug-bundle": "6.2.*", // v6.2.5
"symfony/maker-bundle": "^1.48", // v1.48.0
"symfony/monolog-bundle": "^3.0", // v3.8.0
"symfony/phpunit-bridge": "^6.2", // v6.2.5
"symfony/stopwatch": "6.2.*", // v6.2.5
"symfony/web-profiler-bundle": "6.2.*", // v6.2.5
"zenstruck/browser": "^1.2", // v1.2.0
"zenstruck/foundry": "^1.26" // v1.28.0
}
}
Does any one know where I can read about how to make API Platform docs load dynamically based on who is logged in? @weaverryan said at the end of the video, "something we're going to tackle in this tutorial"