fix(symfony): guard null ExpressionLanguage in ResourceAccessChecker::usesObjectVariable() #8219
Merged
soyuka merged 1 commit on Jun 2, 2026
soyuka commented on Jun 2, 2026
| public function usesObjectVariable(string $expression, array $variables = []): bool | ||
| { | ||
| if (null === $this->tokenStorage || null === $this->authenticationTrustResolver) { | ||
| throw new \LogicException('The "symfony/security" library must be installed to use the "security" attribute.'); |
Suggested change
| throw new \LogicException('The "symfony/security" library must be installed to use the "security" attribute.'); | |
| throw new RuntimeException('The "symfony/security" library must be installed to use the "security" attribute.'); |
From ApiPlatform/Metadata/Exception namespace.
| } | ||
|
|
||
| if (null === $this->expressionLanguage) { | ||
| throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security" attribute.'); |
Suggested change
| throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security" attribute.'); | |
| throw new RuntimeException('The "symfony/expression-language" library must be installed to use the "security" attribute.'); |
|
|
||
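Review bot: the two new guards in usesObjectVariable() duplicate the checks the description says isGranted() already performs, so the two methods can drift apart over time. Consider moving both null checks into one private helper that isGranted() and usesObjectVariable() call. If the suggested switch to RuntimeException is taken, the unqualified name needs a use statement for the class in the ApiPlatform/Metadata/Exception namespace (unless the file already imports it), and isGranted() should change with it so both methods keep throwing the same type.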
| public function testUsesObjectVariableThrowsWhenSecurityComponentNotAvailable(): void | ||
| { | ||
| $this->expectException(\LogicException::class); |
Suggested change
| $this->expectException(\LogicException::class); | |
| $this->expectException(RuntimeException::class); |
|
|
||
| public function testUsesObjectVariableThrowsWhenExpressionLanguageNotInstalled(): void | ||
| { | ||
| $this->expectException(\LogicException::class); |
Suggested change
| $this->expectException(\LogicException::class); | |
| $this->expectException(RuntimeException::class); |
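Review bot: in the visible lines both tests assert only the exception class, and both guards throw that same class, so testUsesObjectVariableThrowsWhenExpressionLanguageNotInstalled would still pass if the security-stack guard fired instead of the expression-language one. If the tests do not already do so further down, add expectExceptionMessage() with the "symfony/security" and "symfony/expression-language" messages respectively, so each test pins the guard it is named after.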
ResourceAccessChecker::usesObjectVariable() called $this->expressionLanguage->parse() without a null check, fataling with "Call to a member function parse() on null" when expression-language is missing or the service has been pruned by RemoveUnusedDefinitionsPass (the dependency is nullOnInvalid). Mirror the existing isGranted() guards: throw LogicException for both a null security stack (tokenStorage/authTrustResolver) and a null expressionLanguage. Closes api-platform#8215
Summary

ResourceAccessChecker::usesObjectVariable() calls $this->expressionLanguage->parse() without a null check, fataling with "Call to a member function parse() on null" whenever the expression-language dependency is absent.

The constructor permits ?ExpressionLanguage $expressionLanguage = null, and isGranted() already anticipates the null case with a descriptive LogicException. usesObjectVariable() did not — the asymmetry is reachable via AccessCheckerProvider during normal access checking when:

- symfony/expression-language is not installed.
- security.expression_language (the API Platform reference is nullOnInvalid(), so RemoveUnusedDefinitionsPass removes the private definition and the argument resolves to null in kernels that don't register access_control / the Symfony expression voter).

This PR mirrors the isGranted() guards in usesObjectVariable():

- null security stack (tokenStorage / authenticationTrustResolver) → LogicException('The "symfony/security" library must be installed to use the "security" attribute.')
- null expressionLanguage → LogicException('The "symfony/expression-language" library must be installed to use the "security" attribute.')

Closes #8215

Test plan

- testUsesObjectVariableThrowsWhenExpressionLanguageNotInstalled — failing before the fix with "Error: Call to a member function parse() on null", green after.
- testUsesObjectVariableThrowsWhenSecurityComponentNotAvailable covers the symmetric security-stack guard.
- ResourceAccessCheckerTest suite green (7/7, 18 assertions).
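The failure mode described in the summary, as an added example that is not part of the pull request or of API Platform's code: StubExpressionLanguage, StubAccessChecker and outcome() are hypothetical stand-ins, and the regex "parser" is a simplification. It shows that the unguarded call surfaces as an engine-level \Error, which a catch (\Exception) block does not intercept, while the guarded call raises a LogicException with a message naming the missing package.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an expression parser; not Symfony's ExpressionLanguage.
final class StubExpressionLanguage
{
    public function parse(string $expression, array $names): array
    {
        // Return the allowed variable names that occur in the expression.
        preg_match_all('/\b[a-z_]\w*\b/i', $expression, $m);
        return array_values(array_intersect($names, $m[0]));
    }
}

final class StubAccessChecker
{
    public function __construct(private ?StubExpressionLanguage $expressionLanguage = null) {}

    // Before: dereferences the nullable dependency directly.
    public function usesObjectVariableUnguarded(string $expression): bool
    {
        return in_array('object', $this->expressionLanguage->parse($expression, ['object', 'user']), true);
    }

    // After: fail with a descriptive exception when the dependency is absent.
    public function usesObjectVariable(string $expression): bool
    {
        if (null === $this->expressionLanguage) {
            throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security" attribute.');
        }
        return in_array('object', $this->expressionLanguage->parse($expression, ['object', 'user']), true);
    }
}

function outcome(callable $check): string
{
    try {
        return $check() ? 'uses object' : 'no object';
    } catch (\Exception $e) {   // a handler written as catch (\Exception) stops here
        return 'Exception: ' . get_class($e) . ': ' . $e->getMessage();
    } catch (\Error $e) {       // engine-level failure, not an \Exception
        return 'Error: ' . $e->getMessage();
    }
}

$pruned = new StubAccessChecker(null);  // dependency resolved to null by the container
$wired  = new StubAccessChecker(new StubExpressionLanguage());
$expr   = 'is_granted("ROLE_ADMIN") and object.owner == user';  // constructed sample
echo outcome(fn () => $pruned->usesObjectVariableUnguarded($expr)), PHP_EOL;
echo outcome(fn () => $pruned->usesObjectVariable($expr)), PHP_EOL;
echo outcome(fn () => $wired->usesObjectVariable($expr)), PHP_EOL;
```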