fix(graphql): property security might be cached w/ different objects

Author: soyuka

src/GraphQl/Serializer/ItemNormalizer.php

@@ -89,6 +89,8 @@ public function normalize(mixed $object, ?string $format = null, array $context
 
         if ($this->isCacheKeySafe($context)) {
             $context['cache_key'] = $this->getCacheKey($format, $context);
+        } else {
+            $context['cache_key'] = false;
         }
 
         unset($context['operation_name'], $context['operation']); // Remove operation and operation_name only when cache key has been created

tests/Fixtures/TestBundle/Document/SecuredDummyCollection.php

@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Document;
+
+use ApiPlatform\Metadata\ApiProperty;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\NotExposed;
+use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
+
+/**
+ * Secured resource.
+ */
+#[ApiResource(
+    operations: [
+        new NotExposed(),
+    ],
+    graphQlOperations: [
+        new Query(),
+        new QueryCollection(),
+    ],
+    security: 'is_granted(\'ROLE_USER\')'
+)]
+#[ODM\Document]
+class SecuredDummyCollection
+{
+    #[ODM\Id(strategy: 'AUTO', type: 'integer')]
+    public ?int $id = null;
+
+    /**
+     * @var string The title
+     */
+    #[ODM\Field]
+    public string $title;
+
+    /**
+     * @var string Secret property, only readable/writable by owners
+     */
+    #[ApiProperty(security: 'object == null or object.owner == user', securityPostDenormalize: 'object.owner == user')]
+    #[ODM\Field]
+    public ?string $ownerOnlyProperty = null;
+
+    /**
+     * @var string The owner
+     */
+    #[ODM\Field]
+    public string $owner;
+}

tests/Fixtures/TestBundle/Document/SecuredDummyCollectionParent.php

@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Document;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\NotExposed;
+use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
+
+/**
+ * Secured resource.
+ */
+#[ApiResource(
+    operations: [
+        new NotExposed(),
+    ],
+    graphQlOperations: [
+        new Query(),
+        new QueryCollection(),
+    ],
+    security: 'is_granted(\'ROLE_USER\')'
+)]
+#[ODM\Document]
+class SecuredDummyCollectionParent
+{
+    #[ODM\Id]
+    #[ODM\Field(type: 'id')]
+    public ?string $id = null;
+
+    #[ODM\ReferenceOne(targetDocument: SecuredDummyCollection::class, inversedBy: 'parents')]
+    #[ODM\Field(nullable: false)]
+    public SecuredDummyCollection $child;
+}

tests/Fixtures/TestBundle/Entity/SecuredDummyCollection.php

@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Metadata\ApiProperty;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\NotExposed;
+use Doctrine\ORM\Mapping as ORM;
+
+/**
+ * Secured resource.
+ */
+#[ApiResource(
+    operations: [
+        new NotExposed(),
+    ],
+    graphQlOperations: [
+        new Query(),
+        new QueryCollection(),
+    ],
+    security: 'is_granted(\'ROLE_USER\')'
+)]
+#[ORM\Entity]
+class SecuredDummyCollection
+{
+    #[ORM\Column(type: 'integer')]
+    #[ORM\Id]
+    #[ORM\GeneratedValue(strategy: 'AUTO')]
+    public ?int $id = null;
+
+    /**
+     * @var string The title
+     */
+    #[ORM\Column]
+    public string $title;
+
+    /**
+     * @var string Secret property, only readable/writable by owners
+     */
+    #[ApiProperty(security: 'object == null or object.owner == user', securityPostDenormalize: 'object.owner == user')]
+    #[ORM\Column]
+    public ?string $ownerOnlyProperty = null;
+
+    /**
+     * @var string The owner
+     */
+    #[ORM\Column]
+    public string $owner;
+}

tests/Fixtures/TestBundle/Entity/SecuredDummyCollectionParent.php

@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\NotExposed;
+use Doctrine\ORM\Mapping as ORM;
+
+/**
+ * Secured resource.
+ */
+#[ApiResource(
+    operations: [
+        new NotExposed(),
+    ],
+    graphQlOperations: [
+        new Query(),
+        new QueryCollection(),
+    ],
+    security: 'is_granted(\'ROLE_USER\')'
+)]
+#[ORM\Entity]
+class SecuredDummyCollectionParent
+{
+    #[ORM\Column(type: 'integer')]
+    #[ORM\Id]
+    #[ORM\GeneratedValue(strategy: 'AUTO')]
+    public ?int $id = null;
+
+    #[ORM\ManyToOne]
+    #[ORM\JoinColumn(nullable: false)]
+    public SecuredDummyCollection $child;
+}