Security attributes for openAPI documentation

Open Bartheyrman22 opened this issue 9 months ago • 3 comments

Description
Evaluate the security attributes when building the OpenAPI documentation. This is for Resources and Operations.

Example

<?php
// ApiPlatform\OpenApi\Factory\OpenApiFactory

// inside function collectPaths
if (null !== $security = $operation->getSecurity()) {
    $variables = [
        'trust_resolver' => $this->authenticationTrustResolver,
        'auth_checker' => $this->authorizationChecker, // needed for the is_granted expression function
    ];

    $granted = (bool) $this->expressionLanguage->evaluate($security, $variables);
    if (!$granted) {
        continue;
    }
}

Bartheyrman22 avatar Feb 26 '25 21:02 Bartheyrman22

@Bartheyrman22 If I understand your bug report, is this where the generation of the OpenAPI doc for the UI is not hiding endpoints where the security for either/both ApiResource and, for example, GetCollection evaluates to false, but the UI still shows the endpoint?

ricardoee avatar May 14 '25 12:05 ricardoee

@ricardoee Yes, this is correct.

Bartheyrman22 avatar May 22 '25 18:05 Bartheyrman22

Hi, there's a flag on openapi to do something similar (implemented at https://github.com/api-platform/core/pull/6945):

        new GetCollection(openapi: new Operation(extensionProperties: [OpenApiFactory::API_PLATFORM_TAG => ['internal', 'anotherone']])), 

Then you can filter the spec using /docs?filter_tags[]=internal or using the command --filter-tags=internal.

soyuka avatar May 24 '25 07:05 soyuka
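
The per-viewer filtering requested in this issue, as an added example that is not part of the thread and not API Platform's code: it works on a plain OpenAPI array rather than the framework's objects. The `x-required-role` key, the `filterSpec` function and the sample document are hypothetical, constructed for illustration.

```php
<?php
// Added example, not API Platform code. 'x-required-role' is a hypothetical marker
// standing in for the outcome of evaluating an operation's security expression.
const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

/** Return a copy of $spec holding only the operations that $isGranted allows. */
function filterSpec(array $spec, callable $isGranted): array
{
    $paths = [];
    foreach ($spec['paths'] ?? [] as $path => $item) {
        $kept = 0;
        foreach (HTTP_METHODS as $method) {
            if (!isset($item[$method])) {
                continue;
            }
            if ($isGranted($item[$method]['x-required-role'] ?? null)) {
                ++$kept;
            } else {
                unset($item[$method]); // hide this operation from the viewer
            }
        }
        // Drop a path item left with only shared keys such as 'parameters'.
        if ($kept > 0) {
            $paths[$path] = $item;
        }
    }
    $spec['paths'] = $paths;

    return $spec;
}

// Constructed sample document.
$ok = ['200' => ['description' => 'OK']];
$spec = [
    'openapi' => '3.1.0',
    'info' => ['title' => 'Demo', 'version' => '1.0.0'],
    'paths' => [
        '/books' => [
            'get' => ['operationId' => 'listBooks', 'responses' => $ok],
            'post' => ['operationId' => 'createBook', 'x-required-role' => 'ROLE_ADMIN', 'responses' => $ok],
        ],
        '/audit' => [
            'parameters' => [],
            'get' => ['operationId' => 'listAudit', 'x-required-role' => 'ROLE_ADMIN', 'responses' => $ok],
        ],
    ],
];
$roles = ['ROLE_USER']; // constructed viewer roles
$visible = filterSpec($spec, fn (?string $r): bool => $r === null || in_array($r, $roles, true));
echo json_encode($visible['paths'], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Removing an operation from the generated document only affects what the documentation shows; the endpoint's own security expression still decides access at request time. A document filtered per viewer also has to be kept out of any cache shared between viewers.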