Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Validation on DELETE action

See original GitHub issue

It looks like validation on DELETE action has been explicitly prevented in ValidateListener::onKernelView()

//src\Validator\EventListener\ValidateListener.php::onKernelView()
        if (   
            $controllerResult instanceof Response   
            || $request->isMethodSafe()   
            || $request->isMethod('DELETE')  //<========================== here, why so much hate?   
            || !($attributes = RequestAttributesExtractor::extractAttributes($request))   
            || !$attributes['receive']   
            || $this->isOperationAttributeDisabled($attributes, self::OPERATION_ATTRIBUTE_KEY)   
        ) {   
            return;   
        }

However validation is very useful to enforce some business logic on the action itself (and share its behavior with the regular controller form view and the api platform). Would it be possible to let validation occurs on DELETE action? Alternatively add a parameter to enable it?

Issue Analytics

State:
Created 2 years ago
Reactions:2
Comments:6 (1 by maintainers)

Top GitHub Comments

1reaction

benblubcommented, Jun 16, 2021

The current recommendation would be to use DataPersister https://api-platform.com/docs/core/data-persisters/

    use ApiPlatform\Core\Validator\ValidatorInterface;

    // ...

    /**
     * @param mixed $data
     */
    public function remove($data, array $context = []): void
    {
        /** @var User $data */
        $this->validator->validate($data, ['groups' => 'Delete']);

        $this->em->remove($data);
        $this->em->flush();
    }

1reaction

CedricYiicommented, Jun 7, 2021

Thanks for sharing your workaround. It’s working great, however it means duplicating this code for every delete actions. We tried to solve this hard-coded behavior by reversing it in an event subscriber:

<?php
//src\EventSubscriber\DeleteValidationSubscriber.php

namespace App\EventSubscriber;

use ApiPlatform\Core\Exception\ResourceClassNotFoundException;
use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
use ApiPlatform\Core\Util\RequestAttributesExtractor;
use ApiPlatform\Core\Validator\ValidatorInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ViewEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class DeleteValidationSubscriber implements EventSubscriberInterface
{
    private $validator;
    private $resourceMetadataFactory;

    /**
     * @param ValidatorInterface $validator
     * @param ResourceMetadataFactoryInterface $resourceMetadataFactory
     */
    public function __construct(ValidatorInterface $validator, ResourceMetadataFactoryInterface $resourceMetadataFactory)
    {
        $this->validator = $validator;
        $this->resourceMetadataFactory = $resourceMetadataFactory;
    }

    /**
     * Validates data returned by the controller for DELETE action because api-platform is ignoring it
     *
     * @param ViewEvent $event
     * @throws ResourceClassNotFoundException
     */
    public function onKernelView(ViewEvent $event)
    {
        $controllerResult = $event->getControllerResult();
        $request = $event->getRequest();

        if (
            $controllerResult instanceof Response
            || !$request->isMethod('DELETE')
            || $request->isMethodSafe()
            || !($attributes = RequestAttributesExtractor::extractAttributes($request))
            || !$attributes['receive']
        ) {
            return;
        }

        $resourceMetadata = $this->resourceMetadataFactory->create($attributes['resource_class']);

        $validationGroups = $resourceMetadata->getOperationAttribute($attributes, 'validation_groups', null, true);
        if (!is_null($validationGroups)) {
            $this->validator->validate($controllerResult, ['groups' => $validationGroups]);
        }
    }

    /**
     * @return array|string[]
     */
    public static function getSubscribedEvents()
    {
        return [
            KernelEvents::VIEW => ['onKernelView', 64],
        ];
    }
}

With that in place, validation is working as expected whenever “validation_groups” is explicitly defined on the “delete” item operation without other extra code. Does it make sense?