I am facing an issue with API Platform (using Symfony 6.4) where validations specified using validation groups are not being applied automatically during POST operations. Despite properly configuring annotations and serialization/deserialization groups, the validations are only triggered when I use a custom event subscriber.
Here is an excerpt from my Symfony entity:
<?php
#[ApiResource(
operations: [
new Post(
uriTemplate: '',
denormalizationContext: ['groups' => ['calibration_cards_write']],
security: 'user.isCanDoVcas() === true',
processor: CalibrationCardPostProcessor::class
)
],
routePrefix: '/calibration_cards',
normalizationContext: ["groups" => ["calibration_cards_read"]],
denormalizationContext: ["groups" => ["calibration_cards_write", 'calibration_cards_patch']]
)]
#[ORM\Entity]
class CalibrationCard {
#[ORM\Column(length: 255)]
#[Groups(["calibration_cards_read", "calibration_cards_write"])]
#[Assert\NotBlank(message: "The 'name' field is required.", groups: ["calibration_cards_write"])]
#[Assert\Regex("/^[A-Za-zÀ-úœ'\-\s]+$/", message: "The 'name' field contains invalid characters.", groups: ["calibration_cards_write"])]
private ?string $name = null;
}
Despite setting up everything correctly, when I send a POST request without the name field, the NotBlank validation does not trigger unless I manually invoke validation through an event subscriber in the API Platform lifecycle.
Interestingly, if I remove the groups from the Assert\NotBlank annotation, the validation triggers correctly for POST requests. However, this causes an unwanted side effect: the NotBlank error also appears on PATCH routes where the name field is not supposed to be modified.
Here's how I've set up my subscriber:
<?php
namespace App\EventSubscriber;
use ApiPlatform\Symfony\EventListener\EventPriorities;
use App\Entity\CalibrationCard;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ViewEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Validator\Validator\ValidatorInterface;
class ValidationSubscriber implements EventSubscriberInterface {
private $validator;
public function __construct(ValidatorInterface $validator) {
this->validator = $validator;
}
public static function getSubscribedEvents() {
return [KernelEvents::VIEW => ['validateEntity', EventPriorities::PRE_VALIDATE]];
}
public function validateEntity(ViewEvent $event) {
$entity = $event->getControllerResult();
$method = $event->getRequest()->getMethod();
if (!$entity instanceof CalibrationCard || $method !== 'POST') {
return;
}
$errors = this->validator->validate($entity, null, ['calibration_cards_write']);
if (count($errors) > 0) {
dd($errors);
}
}
}
The validations work as expected when manually invoked (errors are dumped with the subscriber) but do not trigger automatically. Am I missing something in the API Platform configuration, or is there an issue with how validation groups are processed in the framework?
Any help or guidance would be greatly appreciated. Thank you in advance for your assistance!
You need to use a validation context instead of the denormalization context. See documentation chapter Using Validation Groups on Operations.
You may want to use sequential validation to chain multiple assertions and overcome potential issues here.
The Assert\Regex assertion will throw an UnexpectedValueException if $name is not a string (i.e. null).
See the documentation chapter Sequentually
Example:
// src/Localization/Place.php
namespace App\Localization;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Post;
use Symfony\Component\Validator\Constraints as Assert;
#[ApiResource]
#[Post(validationContext: ['groups' => ['calibration_cards_write']])]
class CalibrationCard
{
#[Assert\Sequentially([
new Assert\NotNull,
new Assert\Type('string'),
new Assert\Length(min: 10),
new Assert\Regex(CalibrationCard::NAME_REGEX),
], groups: [
"calibration_cards_write"
]
)]
public ?string $name;
}