fix(symfony): query parameter validation after authentication (#5473)

Author: nawel-les-tilleuls

features/authorization/deny_authentication_before_filter.feature

@@ -0,0 +1,11 @@
+Feature: Authorization checking
+ In order to use the API
+ I need to be authorized to access a given resource.
+
+ @!mongodb
+ @createSchema
+ Scenario: An anonymous user retrieves a secured resource
+ When I add "Accept" header equal to "application/ld+json"
+ When I am on "/secured_dummy_with_filters?required=&required-allow-empty=&arrayRequired[foo]="
+ Then the response status code should be 401
+

src/Symfony/Bundle/Resources/config/symfony/validator.xml

@@ -27,7 +27,7 @@
  <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" />
  <argument>%api_platform.validator.query_parameter_validation%</argument>
 
- <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="16" />
+ <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="2" />
  </service>
  </services>
 

tests/Fixtures/TestBundle/Entity/SecuredDummyWithFilter.php

@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Tests\Fixtures\TestBundle\Filter\ArrayRequiredFilter;
+use Doctrine\ORM\Mapping as ORM;
+
+/**
+ * Secured resource.
+ *
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+#[ApiResource(
+ security: 'is_granted(\'ROLE_USER\')',
+ filters: [ArrayRequiredFilter::class],
+)]
+#[ORM\Entity]
+class SecuredDummyWithFilter
+{
+ #[ORM\Column(type: 'integer')]
+ #[ORM\Id]
+ #[ORM\GeneratedValue(strategy: 'AUTO')]
+ private ?int $id = null;
+
+ public function getId(): ?int
+ {
+ return $this->id;
+ }
+}