From 1d7d7b2a81b5a7e7b39d5546f63944e7bf8744ef Mon Sep 17 00:00:00 2001
From: nawel
Date: Fri, 17 Mar 2023 14:43:39 +0100
Subject: [PATCH] fix: query parameter validation after authentication
---
 .../deny_authentication_before_filter.feature | 11 +++++
 .../Resources/config/symfony/validator.xml | 2 +-
 .../Entity/SecuredDummyWithFilter.php | 41 +++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 features/authorization/deny_authentication_before_filter.feature
 create mode 100644 tests/Fixtures/TestBundle/Entity/SecuredDummyWithFilter.php
diff --git a/features/authorization/deny_authentication_before_filter.feature b/features/authorization/deny_authentication_before_filter.feature
new file mode 100644
index 00000000000..a636383b7ab
--- /dev/null
+++ b/features/authorization/deny_authentication_before_filter.feature
@@ -0,0 +1,11 @@
+Feature: Authorization checking
+ In order to use the API
+ I need to be authorized to access a given resource.
+
+ @!mongodb
+ @createSchema
+ Scenario: An anonymous user retrieves a secured resource
+ When I add "Accept" header equal to "application/ld+json"
+ When I am on "/secured_dummy_with_filters?required=&required-allow-empty=&arrayRequired[foo]="
+ Then the response status code should be 401
+
diff --git a/src/Symfony/Bundle/Resources/config/symfony/validator.xml b/src/Symfony/Bundle/Resources/config/symfony/validator.xml
index 912757c247d..a7d402db4b7 100644
--- a/src/Symfony/Bundle/Resources/config/symfony/validator.xml
+++ b/src/Symfony/Bundle/Resources/config/symfony/validator.xml
@@ -27,7 +27,7 @@
 %api_platform.validator.query_parameter_validation%
-
+
diff --git a/tests/Fixtures/TestBundle/Entity/SecuredDummyWithFilter.php b/tests/Fixtures/TestBundle/Entity/SecuredDummyWithFilter.php
new file mode 100644
index 00000000000..a59f4438b3a
--- /dev/null
+++ b/tests/Fixtures/TestBundle/Entity/SecuredDummyWithFilter.php
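Review bot: The new scenario pins only the anonymous path: with the validator now running after authentication, nothing in this feature asserts that an authenticated request to the same `/secured_dummy_with_filters?required=&required-allow-empty=&arrayRequired[foo]=` URL still fails query parameter validation with a 400, so a change that disabled the validator altogether would pass this file too. Suggest a second scenario in this feature that authenticates as a user with `ROLE_USER` first, requests the same URL, and expects status 400, so both halves of the ordering fix stay covered. The feature text itself is clear; only the missing positive-authentication case is the gap.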
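Review bot: The changed `-`/`+` line pair in validator.xml carries no comment recording why its ordering matters, so a later priority adjustment could silently bring back validation-before-authentication; the line text did not survive extraction on this page, so the exact attribute changed is inferred from the commit title. Suggest annotating the new line with `<!-- Must run after the firewall: unauthenticated requests get 401 before query parameters are validated (see deny_authentication_before_filter.feature). -->`. The hunk's context lines are likewise missing here, so the surrounding service definition could not be checked.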
@@ -0,0 +1,41 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Tests\Fixtures\TestBundle\Filter\ArrayRequiredFilter;
+use Doctrine\ORM\Mapping as ORM;
+
+/**
+ * Secured resource.
+ *
+ * @author Kévin Dunglas
+ */
+#[ApiResource(
+ security: 'is_granted(\'ROLE_USER\')',
+ filters: [ArrayRequiredFilter::class],
+)]
+#[ORM\Entity]
+class SecuredDummyWithFilter
+{
+ #[ORM\Column(type: 'integer')]
+ #[ORM\Id]
+ #[ORM\GeneratedValue(strategy: 'AUTO')]
+ private ?int $id = null;
+
+ public function getId(): ?int
+ {
+ return $this->id;
+ }
+}
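Review bot: The class docblock `Secured resource.` does not say what this fixture is for or how it differs from the existing secured dummy, namely that `filters: [ArrayRequiredFilter::class]` gives it required query parameters on top of the `is_granted('ROLE_USER')` guard, which is exactly what the new feature scenario depends on. Suggest `* Secured resource with a required query filter, used to check that authorization is enforced before query parameter validation.` in place of the one-line description. The `@author Kévin Dunglas` tag on a file created in this commit by nawel looks like a copy-paste from a sibling fixture; either drop it or credit the actual author. The first lines of the hunk (license header) did not survive extraction on this page.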