Merge pull request api-platform#1339 from antograssiot/property-filter-whitelist

Simperfit · web-flow · commit 2fd1c355d0c7 · 2017-08-29T17:43:44.000+02:00
[2.1] Allow to specify a whitelist of properties for Property Filter
diff --git a/features/serializer/property_filter.feature b/features/serializer/property_filter.feature
@@ -168,6 +168,98 @@ Feature: Filter with serialization attributes on items and collections
     }
     """
 
+  Scenario: Get a collection of resources by attributes foo, bar, group.baz and group.qux
+    When I send a "GET" request to "/dummy_properties?whitelisted_properties[]=foo&whitelisted_properties[]=bar&whitelisted_properties[group][]=baz"
+    Then the response status code should be 200
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/ld+json; charset=utf-8"
+    And the JSON should be valid according to this schema:
+    """
+    {
+      "type": "object",
+      "properties": {
+        "@context": {"pattern": "^/contexts/DummyProperty$"},
+        "@id": {"pattern": "^/dummy_properties$"},
+        "@type": {"pattern": "^hydra:Collection$"},
+        "hydra:member": {
+          "type": "array",
+          "items": [
+            {
+              "type": "object",
+              "properties": {
+                "@id": {},
+                "@type": {},
+                "foo": {},
+                "group": {
+                  "type": "object",
+                  "properties": {
+                    "@id": {},
+                    "@type": {},
+                    "baz": {}
+                  },
+                  "additionalProperties": false,
+                  "required": ["@id", "@type", "baz"]
+                }
+              },
+              "additionalProperties": false,
+              "required": ["@id", "@type", "foo"]
+            },
+            {
+              "type": "object",
+              "properties": {
+                "@id": {},
+                "@type": {},
+                "foo": {},
+                "group": {
+                  "type": "object",
+                  "properties": {
+                    "@id": {},
+                    "@type": {},
+                    "baz": {}
+                  },
+                  "additionalProperties": false,
+                  "required": ["@id", "@type", "baz"]
+                }
+              },
+              "additionalProperties": false,
+              "required": ["@id", "@type", "foo"]
+            },
+            {
+              "type": "object",
+              "properties": {
+                "@id": {},
+                "@type": {},
+                "foo": {},
+                "group": {
+                  "type": "object",
+                  "properties": {
+                    "@id": {},
+                    "@type": {},
+                    "baz": {}
+                  },
+                  "additionalProperties": false,
+                  "required": ["@id", "@type"]
+                }
+              },
+              "additionalProperties": false,
+              "required": ["@id", "@type", "foo"]
+            }
+          ],
+          "additionalItems": false,
+          "maxItems": 3,
+          "minItems": 3
+        },
+        "hydra:view": {
+          "type": "object",
+          "properties": {
+            "@id": {"pattern": "^/dummy_properties\\?whitelisted_properties%5B%5D=foo&whitelisted_properties%5B%5D=bar&whitelisted_properties%5Bgroup%5D%5B%5D=baz&page=1$"},
+            "@type": {"pattern": "^hydra:PartialCollectionView$"}
+          }
+        }
+      }
+    }
+    """
+
   Scenario: Get a collection of resources by attributes empty
     When I send a "GET" request to "/dummy_properties?properties[]=&properties[group][]="
     Then the response status code should be 200
diff --git a/src/Serializer/Filter/PropertyFilter.php b/src/Serializer/Filter/PropertyFilter.php
@@ -24,11 +24,13 @@ final class PropertyFilter implements FilterInterface
 {
     private $overrideDefaultProperties;
     private $parameterName;
+    private $whitelist;
 
-    public function __construct(string $parameterName = 'properties', bool $overrideDefaultProperties = false)
+    public function __construct(string $parameterName = 'properties', bool $overrideDefaultProperties = false, array $whitelist = null)
     {
         $this->overrideDefaultProperties = $overrideDefaultProperties;
         $this->parameterName = $parameterName;
+        $this->whitelist = $whitelist;
     }
 
     /**
@@ -40,6 +42,10 @@ public function apply(Request $request, bool $normalization, array $attributes,
             return;
         }
 
+        if (null !== $this->whitelist) {
+            $properties = array_intersect_key($this->whitelist, $properties);
+        }
+
         if (!$this->overrideDefaultProperties && isset($context['attributes'])) {
             $properties = array_merge_recursive((array) $context['attributes'], $properties);
         }
diff --git a/tests/Fixtures/TestBundle/Entity/DummyProperty.php b/tests/Fixtures/TestBundle/Entity/DummyProperty.php
@@ -28,7 +28,8 @@
  *     "normalization_context"={"groups"={"dummy_read"}},
  *     "denormalization_context"={"groups"={"dummy_write"}},
  *     "filters"={
- *         "dummy_property.property"
+ *         "dummy_property.property",
+ *          "dummy_property.whitelist_property"
  *     }
  * })
  */
diff --git a/tests/Fixtures/app/config/config.yml b/tests/Fixtures/app/config/config.yml
@@ -147,6 +147,11 @@ services:
         parent:    'api_platform.serializer.property_filter'
         tags:      [ { name: 'api_platform.filter', id: 'dummy_property.property' } ]
 
+    app.entity.filter.dummy_property.whitelist_property:
+        parent:    'api_platform.serializer.property_filter'
+        arguments: [ 'whitelisted_properties', false, ['foo', {'group': ['baz', 'qux']}] ]
+        tags:      [ { name: 'api_platform.filter', id: 'dummy_property.whitelist_property' } ]
+
     app.entity.filter.dummy_group.group:
         parent:    'api_platform.serializer.group_filter'
         tags:      [ { name: 'api_platform.filter', id: 'dummy_group.group' } ]
diff --git a/tests/Serializer/Filter/PropertyFilterTest.php b/tests/Serializer/Filter/PropertyFilterTest.php
@@ -54,6 +54,28 @@ public function testApplyWithoutPropertiesInRequest()
         $this->assertEquals(['attributes' => ['foo', 'bar']], $context);
     }
 
+    public function testApplyWithPropertiesWhitelist()
+    {
+        $request = new Request(['properties' => ['foo', 'bar', 'group' => ['baz' => ['baz', 'qux'], 'qux']]]);
+        $context = ['attributes' => ['qux']];
+
+        $propertyFilter = new PropertyFilter('properties', false, ['foo', 'group' => ['baz' => ['qux']]]);
+        $propertyFilter->apply($request, true, [], $context);
+
+        $this->assertEquals(['attributes' => ['qux', 'foo',  'group' => ['baz' => ['qux']]]], $context);
+    }
+
+    public function testApplyWithoutPropertiesWhitelistWithOverriding()
+    {
+        $request = new Request(['properties' => ['foo', 'bar', 'baz']]);
+        $context = ['attributes' => ['qux']];
+
+        $propertyFilter = new PropertyFilter('properties', true, ['foo', 'baz']);
+        $propertyFilter->apply($request, true, [], $context);
+
+        $this->assertEquals(['attributes' => ['foo', 'baz']], $context);
+    }
+
     public function testApplyWithInvalidPropertiesInRequest()
     {
         $request = new Request(['properties' => 'foo,bar,baz']);

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,13 @@ final class PropertyFilter implements FilterInterface`
`24`	`24`	`{`
`25`	`25`	`private $overrideDefaultProperties;`
`26`	`26`	`private $parameterName;`
	`27`	`+ private $whitelist;`
`27`	`28`
`28`		`- public function __construct(string $parameterName = 'properties', bool $overrideDefaultProperties = false)`
	`29`	`+ public function __construct(string $parameterName = 'properties', bool $overrideDefaultProperties = false, array $whitelist = null)`
`29`	`30`	`{`
`30`	`31`	`$this->overrideDefaultProperties = $overrideDefaultProperties;`
`31`	`32`	`$this->parameterName = $parameterName;`
	`33`	`+ $this->whitelist = $whitelist;`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`/**`
`@@ -40,6 +42,10 @@ public function apply(Request $request, bool $normalization, array $attributes,`
`40`	`42`	`return;`
`41`	`43`	`}`
`42`	`44`
	`45`	`+ if (null !== $this->whitelist) {`
	`46`	`+ $properties = array_intersect_key($this->whitelist, $properties);`
	`47`	`+ }`
	`48`	`+`
`43`	`49`	`if (!$this->overrideDefaultProperties && isset($context['attributes'])) {`
`44`	`50`	`$properties = array_merge_recursive((array) $context['attributes'], $properties);`
`45`	`51`	`}`