fix: wrong resource iri

soyuka · soyuka · commit 66a49fd949d7 · 2024-07-09T07:47:20.000+02:00
diff --git a/features/main/standard_put.feature b/features/main/standard_put.feature
@@ -52,6 +52,20 @@ Feature: Spec-compliant PUT support
     }
     """
 
+  Scenario: Fails to create a new resource with the wrong JSON-LD @id
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I send a "PUT" request to "/standard_puts/7" with body:
+    """
+    {
+      "@id": "/dummies/6",
+      "@context": "/contexts/StandardPut",
+      "@type": "StandardPut",
+      "foo": "a",
+      "bar": "b"
+    }
+    """
+    Then the response status code should be 400
+
   Scenario: Replace an existing resource
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "PUT" request to "/standard_puts/5" with body:
diff --git a/src/JsonLd/Serializer/ItemNormalizer.php b/src/JsonLd/Serializer/ItemNormalizer.php
@@ -49,6 +49,29 @@ final class ItemNormalizer extends AbstractItemNormalizer
     use JsonLdContextTrait;
 
     public const FORMAT = 'jsonld';
+    public const JSONLD_KEYWORDS = [
+        '@context',
+        '@direction',
+        '@graph',
+        '@id',
+        '@import',
+        '@included',
+        '@index',
+        '@json',
+        '@language',
+        '@list',
+        '@nest',
+        '@none',
+        '@prefix',
+        '@propagate',
+        '@protected',
+        '@reverse',
+        '@set',
+        '@type',
+        '@value',
+        '@version',
+        '@vocab',
+    ];
 
     public function __construct(ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, PropertyNameCollectionFactoryInterface $propertyNameCollectionFactory, PropertyMetadataFactoryInterface $propertyMetadataFactory, IriConverterInterface|LegacyIriConverterInterface $iriConverter, ResourceClassResolverInterface|LegacyResourceClassResolverInterface $resourceClassResolver, private readonly ContextBuilderInterface $contextBuilder, ?PropertyAccessorInterface $propertyAccessor = null, ?NameConverterInterface $nameConverter = null, ?ClassMetadataFactoryInterface $classMetadataFactory = null, array $defaultContext = [], ?ResourceAccessCheckerInterface $resourceAccessChecker = null, protected ?TagCollectorInterface $tagCollector = null)
     {
@@ -151,7 +174,7 @@ public function denormalize(mixed $data, string $class, ?string $format = null,
             }
 
             try {
-                $context[self::OBJECT_TO_POPULATE] = $this->iriConverter->getResourceFromIri($data['@id'], $context + ['fetch_data' => true]);
+                $context[self::OBJECT_TO_POPULATE] = $this->iriConverter->getResourceFromIri($data['@id'], $context + ['fetch_data' => true], $context['operation'] ?? null);
             } catch (ItemNotFoundException $e) {
                 $operation = $context['operation'] ?? null;
                 if (!($operation instanceof Put && ($operation->getExtraProperties()['standard_put'] ?? false))) {
@@ -167,7 +190,7 @@ protected function getAllowedAttributes(string|object $classOrObject, array $con
     {
         $allowedAttributes = parent::getAllowedAttributes($classOrObject, $context, $attributesAsString);
         if (\is_array($allowedAttributes) && ($context['api_denormalize'] ?? false)) {
-            $allowedAttributes = array_merge($allowedAttributes, ['@id', '@type', '@context']);
+            $allowedAttributes = array_merge($allowedAttributes, self::JSONLD_KEYWORDS);
         }
 
         return $allowedAttributes;
diff --git a/src/Symfony/Routing/IriConverter.php b/src/Symfony/Routing/IriConverter.php
@@ -78,6 +78,10 @@ public function getResourceFromIri(string $iri, array $context = [], ?Operation
             throw new InvalidArgumentException(sprintf('No resource associated to "%s".', $iri));
         }
 
+        if ($operation && $operation->getClass() !== $parameters['_api_resource_class']) {
+            throw new InvalidArgumentException(sprintf('The iri "%s" does not reference the correct resource.', $iri));
+        }
+
         $operation = $parameters['_api_operation'] = $this->resourceMetadataCollectionFactory->create($parameters['_api_resource_class'])->getOperation($parameters['_api_operation_name']);
 
         if ($operation instanceof CollectionOperationInterface) {

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,10 @@ public function getResourceFromIri(string $iri, array $context = [], ?Operation`
`78`	`78`	`throw new InvalidArgumentException(sprintf('No resource associated to "%s".', $iri));`
`79`	`79`	`}`
`80`	`80`
	`81`	`+ if ($operation && $operation->getClass() !== $parameters['_api_resource_class']) {`
	`82`	`+ throw new InvalidArgumentException(sprintf('The iri "%s" does not reference the correct resource.', $iri));`
	`83`	`+ }`
	`84`	`+`
`81`	`85`	`$operation = $parameters['_api_operation'] = $this->resourceMetadataCollectionFactory->create($parameters['_api_resource_class'])->getOperation($parameters['_api_operation_name']);`
`82`	`86`
`83`	`87`	`if ($operation instanceof CollectionOperationInterface) {`