#[ApiProperty(security)] doesn't work with nested object

[w-aurelien]

API Platform version(s) affected: 3.1.18

Description

I'm trying to use the ApiProperty attribute to secure a field present in an nested object of the object I'm querying.

But the property seems to have no effect when I use it on a field of the parent object, it works perfectly!

How to reproduce

Project.php

    #[ORM\JoinColumn(nullable: false)]
    #[Groups(['read:Project'])]
    private ?User $owner = null;

    #[ORM\Column]
    #[Groups(['read:Project'])]
    #[ApiProperty(security: 'is_granted("ROLE_ADMIN")')]
    private ?int $size = null;

    #[ORM\Column]
    #[Groups(['read:Project'])]
    private ?string $label = null;

User.php (abstract class)

    #[Groups(['read:Project'])]
    #[ApiProperty(security: 'is_granted("ROLE_ADMIN")')]
    private ?string $email = null;

    #[ORM\Column(length: 180, unique: true)]
    #[Groups(['read:Project'])]
    private ?string $name = null;

Response

label: 'Test',
owner: {
    email: 'test@test.com',
    name: 'Test Test'
}

[acornforth]

I am having a similar problem using ApiProperty on nested objects to provide description text to openapiContext

[mikitafreeman]

The same for me. I confirm, this happens when you set this attribute on a field that is in the base class, not the child class.
APIP v3.2.26

[soyuka]

Confirmed limitation. #[ApiProperty(security)] is evaluated by API Platform's AbstractItemNormalizer, which only handles classes registered as #[ApiResource]. A nested non-resource (your abstract User) is normalized by Symfony's default ObjectNormalizer, so the per-property security expression is never invoked.

This is by design: property-level metadata is resource-scoped. Extending the walk to every referenced non-resource class would duplicate Symfony's voter system and add normalizer overhead for all embedded objects.

Workarounds:

1. Declare User as #[ApiResource(operations: [])] — registers metadata without exposing endpoints; security on email will then be enforced when User is read as a nested object.
2. Filter the field via a custom SerializerContextBuilder (drop the read group when the role check fails).
3. Use a custom normalizer for User if you need finer control.

Closing as wontfix (and the report is from 3.1.18, 2023). Reopen if you have a concrete proposal that doesn't pull arbitrary classes into the resource-metadata pipeline.