mark providers final, disable feature by default

Author: KDederichs

behat.yml.dist

@@ -203,7 +203,7 @@ legacy:
         - 'Behat\MinkExtension\Context\MinkContext'
         - 'behatch:context:rest'
       filters:
-        tags: '~@postgres&&~@mongodb&&~@elasticsearch'
+        tags: '~@postgres&&~@mongodb&&~@elasticsearch&&~@link_security'
   extensions:
     'FriendsOfBehat\SymfonyExtension':
       bootstrap: 'tests/Fixtures/app/bootstrap.php'

features/authorization/deny.feature

@@ -211,13 +211,15 @@ Feature: Authorization checking
     And the response should contain "ownerOnlyProperty"
     And the JSON node "ownerOnlyProperty" should be equal to the string "updated"
 
+  @link_security
   Scenario: An non existing entity should return Not found
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
     And I send a "GET" request to "/secured_dummies/40000/to_from"
     Then the response status code should be 404
 
+  @link_security
   Scenario: An user can get related linked dummies for an secured dummy they own
     Given there are 1 SecuredDummy objects owned by dunglas with related dummies
     When I add "Accept" header equal to "application/ld+json"
@@ -228,6 +230,7 @@ Feature: Authorization checking
     And the response should contain "securedDummy"
     And the JSON node "hydra:member[0].id" should be equal to 1
 
+  @link_security
   Scenario: I define a custom name of the security object
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
@@ -237,6 +240,7 @@ Feature: Authorization checking
     And the response should contain "securedDummy"
     And the JSON node "hydra:member[0].id" should be equal to 1
 
+  @link_security
   Scenario: I define a from from link
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
@@ -246,6 +250,7 @@ Feature: Authorization checking
     And the response should contain "id"
     And the JSON node "hydra:member[0].id" should be equal to 4
 
+  @link_security
   Scenario: I define multiple links with security
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
@@ -255,6 +260,7 @@ Feature: Authorization checking
     And the response should contain "id"
     And the JSON node "hydra:member[0].id" should be equal to 1
 
+  @link_security
   Scenario: An user can not get related linked dummies for an secured dummy they do not own
     Given there are 1 SecuredDummy objects owned by someone with related dummies
     When I add "Accept" header equal to "application/ld+json"
@@ -263,20 +269,23 @@ Feature: Authorization checking
     And I send a "GET" request to "/secured_dummies/5/to_from"
     Then the response status code should be 403
 
+  @link_security
   Scenario: I define a custom name of the security object
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
     And I send a "GET" request to "/secured_dummies/5/with_name"
     Then the response status code should be 403
 
+  @link_security
   Scenario: I define a from from link
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
     And I send a "GET" request to "/related_linked_dummies/2/from_from"
     Then the response status code should be 403
 
+  @link_security
   Scenario: I define multiple links with security
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"

src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -896,7 +896,7 @@ private function registerInflectorConfiguration(array $config): void
 
     private function registerLinkSecurityConfiguration(XmlFileLoader $loader, array $config): void
     {
-        if ($config['enable_link_security'] ?? true) {
+        if ($config['enable_link_security']) {
             $loader->load('link_security.xml');
         }
     }

src/Symfony/Bundle/DependencyInjection/Configuration.php

@@ -111,7 +111,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                 ->booleanNode('enable_docs')->defaultTrue()->info('Enable the docs')->end()
                 ->booleanNode('enable_profiler')->defaultTrue()->info('Enable the data collector and the WebProfilerBundle integration.')->end()
                 ->booleanNode('keep_legacy_inflector')->defaultTrue()->info('Keep doctrine/inflector instead of symfony/string to generate plurals for routes.')->end()
-                ->booleanNode('enable_link_security')->defaultTrue()->info('Enable security for Links (sub resources)')->end()
+                ->booleanNode('enable_link_security')->defaultFalse()->info('Enable security for Links (sub resources)')->end()
                 ->arrayNode('collection')
                     ->addDefaultsIfNotSet()
                     ->children()

src/Symfony/Security/State/LinkAccessCheckerProvider.php

@@ -20,7 +20,11 @@
 use ApiPlatform\Symfony\Security\Exception\AccessDeniedException;
 use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
 
-class LinkAccessCheckerProvider implements ProviderInterface
+/**
+ * Checks the individual parts of the linked resource for access rights.
+ * @experimental
+ */
+final class LinkAccessCheckerProvider implements ProviderInterface
 {
     public function __construct(
         private readonly ProviderInterface $decorated,

src/Symfony/Security/State/LinkedReadProvider.php

@@ -23,7 +23,11 @@
 use ApiPlatform\State\ProviderInterface;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
-class LinkedReadProvider implements ProviderInterface
+/**
+ * Checks if the linked resources have security attributes and prepares them for access checking.
+ * @experimental
+ */
+final class LinkedReadProvider implements ProviderInterface
 {
     public function __construct(
         private readonly ProviderInterface $decorated,

tests/Fixtures/app/config/config_common.yml

@@ -78,6 +78,7 @@ api_platform:
         invalidation:
             enabled: true
     keep_legacy_inflector: false
+    enable_link_security: true
     # see also defaults in AppKernel
 
     doctrine_mongodb_odm: false

tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php

@@ -227,7 +227,7 @@ private function runDefaultConfigTests(array $doctrineIntegrationsToLoad = ['orm
             'keep_legacy_inflector' => true,
             'event_listeners_backward_compatibility_layer' => true,
             'handle_symfony_errors' => false,
-            'enable_link_security' => true,
+            'enable_link_security' => false,
         ], $config);
     }