Merge pull request from GHSA-vr2x-7687-h6qv

Author: soyuka

features/authorization/deny.feature

@@ -181,3 +181,25 @@ Feature: Authorization checking
     Then the response status code should be 200
     And the response should contain "ownerOnlyProperty"
     And the JSON node "ownerOnlyProperty" should be equal to the string "updated"
+
+  Scenario: A user retrieves a resource with an admin only viewable property
+    When I add "Accept" header equal to "application/json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies"
+    Then the response status code should be 200
+    And the response should contain "ownerOnlyProperty"
+
+  Scenario: A user retrieves a resource with an admin only viewable property
+    When I add "Accept" header equal to "application/hal+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies"
+    Then the response status code should be 200
+    And the response should contain "ownerOnlyProperty"
+
+  Scenario: A user retrieves a resource with an admin only viewable property
+    Given I add "Accept" header equal to "application/vnd.api+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies"
+    Then the response status code should be 200
+    And the response should contain "ownerOnlyProperty"
+

src/Hal/Serializer/ItemNormalizer.php

@@ -62,10 +62,6 @@ public function normalize($object, $format = null, array $context = [])
             return parent::normalize($object, $format, $context);
         }
 
-        if (!isset($context['cache_key'])) {
-            $context['cache_key'] = $this->getCacheKey($format, $context);
-        }
-
         if ($this->resourceClassResolver->isResourceClass($resourceClass)) {
             $resourceClass = $this->resourceClassResolver->getResourceClass($object, $context['resource_class'] ?? null);
         }
@@ -75,6 +71,10 @@ public function normalize($object, $format = null, array $context = [])
         $context['iri'] = $iri;
         $context['api_normalize'] = true;
 
+        if (!isset($context['cache_key'])) {
+            $context['cache_key'] = $this->getCacheKey($format, $context);
+        }
+
         $data = parent::normalize($object, $format, $context);
         if (!\is_array($data)) {
             return $data;

src/JsonApi/Serializer/ItemNormalizer.php

@@ -78,11 +78,7 @@ public function normalize($object, $format = null, array $context = [])
             return parent::normalize($object, $format, $context);
         }
 
-        if (!isset($context['cache_key'])) {
-            $context['cache_key'] = $this->getCacheKey($format, $context);
-        }
-
-        if ($isResourceClass = $this->resourceClassResolver->isResourceClass($resourceClass)) {
+        if ($this->resourceClassResolver->isResourceClass($resourceClass)) {
             $resourceClass = $this->resourceClassResolver->getResourceClass($object, $context['resource_class'] ?? null);
         }
 
@@ -91,6 +87,10 @@ public function normalize($object, $format = null, array $context = [])
         $context['iri'] = $iri;
         $context['api_normalize'] = true;
 
+        if (!isset($context['cache_key'])) {
+            $context['cache_key'] = $this->getCacheKey($format, $context);
+        }
+
         $data = parent::normalize($object, $format, $context);
         if (!\is_array($data)) {
             return $data;

src/Serializer/AbstractItemNormalizer.php

@@ -27,6 +27,7 @@
 use ApiPlatform\Exception\InvalidValueException;
 use ApiPlatform\Exception\ItemNotFoundException;
 use ApiPlatform\Metadata\ApiProperty;
+use ApiPlatform\Metadata\CollectionOperationInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyNameCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
@@ -207,6 +208,11 @@ public function normalize($object, $format = null, array $context = [])
             $context = $this->initContext($resourceClass, $context);
         }
 
+        if (isset($context['operation']) && $context['operation'] instanceof CollectionOperationInterface) {
+            unset($context['operation']);
+            unset($context['iri']);
+        }
+
         $iri = null;
         if (isset($context['iri'])) {
             $iri = $context['iri'];

src/Serializer/CacheKeyTrait.php

@@ -13,6 +13,12 @@
 
 namespace ApiPlatform\Serializer;
 
+/**
+ * Used to override Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer::getCacheKey which is private
+ * We need the cache_key in JsonApi and Hal before it is computed in Symfony.
+ *
+ * @see https://github.com/symfony/symfony/blob/49b6ab853d81e941736a1af67845efa3401e7278/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php#L723 which isn't protected
+ */
 trait CacheKeyTrait
 {
     /**
@@ -24,11 +30,15 @@ private function getCacheKey(?string $format, array $context)
             unset($context[$key]);
         }
         unset($context[self::EXCLUDE_FROM_CACHE_KEY]);
+        unset($context[self::OBJECT_TO_POPULATE]);
         unset($context['cache_key']); // avoid artificially different keys
 
         try {
-            return md5($format.serialize($context));
-        } catch (\Exception $exception) {
+            return hash('xxh128', $format.serialize([
+                'context' => $context,
+                'ignored' => $context[self::IGNORED_ATTRIBUTES] ?? $this->defaultContext[self::IGNORED_ATTRIBUTES],
+            ]));
+        } catch (\Exception) {
             // The context cannot be serialized, skip the cache
             return false;
         }