sfmok / request-input-bundle

RequestInputBundle converts request data into DTO inputs objects with validation.
MIT License
37 stars 0 forks

Sending an empty body will bypass the validation #10

Closed Alexandre-Fernandez closed 1 year ago

Alexandre-Fernandez commented 1 year ago

Sending a POST request with an empty body will bypass the validation and still call the controller, even if your DTO has #[Assert\NotBlank] decorators. This is counterintuitive and can lead to bugs, since the controller is expecting a filled DTO.

sfmok commented 1 year ago

I'm going to reproduce and push a fix soon. Thanks, @Alexandre-Fernandez, for reporting it.

sfmok commented 1 year ago

@Alexandre-Fernandez I couldn't reproduce this issue. If you could provide me with these details, that would be great:

- PHP version
- RequestInputBundle version
- Request Content-Type
- A code snippet of the invokable or action controller

Meanwhile, I can see 4 ways to bypass resolving and validating the input argument:

- RequestInputBundle is disabled (it's enabled by default)
- the skip_validation config option is enabled (it's disabled by default)
- the input DTO class does not implement the interface "InputInterface"
- the request content type is not one of the supported formats "application/json, application/xml, multipart/form-data"

Alexandre-Fernandez commented 1 year ago

I tried making a reproduction repository, and after further testing it seems that this only happens when the Content-Type header is missing. If possible, it would be nice to still have an error for this, such as ["title" => "Deserialization Failed", "detail" => "Wrong format"]. At least that's the behaviour I was expecting: if the DTO could not be parsed, be it because of wrong headers or something else, then the controller shouldn't be called.

sfmok commented 1 year ago

Thanks @Alexandre-Fernandez, you're right, this is actually a bug. I will fix it and release a patch soon.

sfmok commented 1 year ago

Issue fixed.

throw UnsupportedMediaTypeHttpException in case the Content-Type header is missing or unsupported.
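The failure mode discussed in this issue, and the shape of the fix, as an added example that is not RequestInputBundle's own code: a trimmed-down Symfony argument resolver in which an unrecognised Content-Type first makes the resolver silently yield nothing (so the controller runs with no validated DTO), and then, in the fixed variant, raises a 415. It assumes symfony/http-foundation, symfony/http-kernel, symfony/serializer and symfony/validator (6.4 or newer, for enableAttributeMapping) are installed; the class InputResolver, the DTO CreateUserInput, the method names and the SUPPORTED_FORMATS table are illustrative and not taken from the bundle.

```php
<?php
// Added example, not RequestInputBundle's code. Class, method and DTO names are
// illustrative; only UnsupportedMediaTypeHttpException and the three supported
// media types come from the issue thread.
declare(strict_types=1);

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
use Symfony\Component\Serializer\Encoder\JsonEncoder;
use Symfony\Component\Serializer\Exception\ExceptionInterface as SerializerException;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
use Symfony\Component\Serializer\Serializer;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validation;
use Symfony\Component\Validator\Validator\ValidatorInterface;

// Media types the thread lists as supported, mapped to serializer formats.
const SUPPORTED_FORMATS = [
    'application/json'    => 'json',
    'application/xml'     => 'xml',
    'multipart/form-data' => 'form', // built from $request->request, not the raw body
];

// Hypothetical DTO with the constraint from the report.
final class CreateUserInput
{
    #[Assert\NotBlank]
    public ?string $email = null;
}

final class InputResolver
{
    public function __construct(
        private Serializer $serializer,          // implements SerializerInterface and DenormalizerInterface
        private ValidatorInterface $validator,
    ) {}

    // Pre-fix behaviour: an unknown or missing Content-Type is treated as "not
    // for this resolver", nothing is yielded, and the controller is still called.
    public function resolveFailOpen(Request $request, string $dtoClass): iterable
    {
        $format = SUPPORTED_FORMATS[self::mediaType($request)] ?? null;
        if ($format === null) {
            return; // silent skip: the bug reported in #10
        }
        yield $this->deserializeAndValidate($request, $dtoClass, $format);
    }

    // Fixed behaviour: a missing or unsupported Content-Type is a hard 415,
    // so the controller is never reached with an unvalidated argument.
    public function resolveFailClosed(Request $request, string $dtoClass): iterable
    {
        $mediaType = self::mediaType($request);
        $format = SUPPORTED_FORMATS[$mediaType] ?? null;
        if ($format === null) {
            throw new UnsupportedMediaTypeHttpException(sprintf(
                'Content-Type "%s" is not supported; expected one of %s',
                $mediaType ?? '(missing)',
                implode(', ', array_keys(SUPPORTED_FORMATS))
            ));
        }
        yield $this->deserializeAndValidate($request, $dtoClass, $format);
    }

    // Normalises the header: drops parameters such as "; charset=utf-8" or the
    // multipart boundary, lower-cases the type, and reports absence as null.
    private static function mediaType(Request $request): ?string
    {
        $header = $request->headers->get('Content-Type');
        if ($header === null || trim($header) === '') {
            return null;
        }
        return strtolower(trim(explode(';', $header, 2)[0]));
    }

    private function deserializeAndValidate(Request $request, string $dtoClass, string $format): object
    {
        try {
            $dto = $format === 'form'
                ? $this->serializer->denormalize($request->request->all(), $dtoClass)
                : $this->serializer->deserialize($request->getContent(), $dtoClass, $format);
        } catch (SerializerException $e) {
            throw new BadRequestHttpException('Deserialization Failed: ' . $e->getMessage(), $e);
        }
        $violations = $this->validator->validate($dto);
        if (count($violations) > 0) {
            // A real bundle renders the violation list; a 400 is the minimum.
            throw new BadRequestHttpException((string) $violations);
        }
        return $dto;
    }
}

// Constructed demo: an empty POST. Request::create() defaults a POST to
// application/x-www-form-urlencoded, which is unsupported here; a raw request
// with no Content-Type header at all takes the same path through mediaType().
$resolver = new InputResolver(
    new Serializer([new ObjectNormalizer()], [new JsonEncoder()]),
    Validation::createValidatorBuilder()->enableAttributeMapping()->getValidator(),
);
$request = Request::create('/users', 'POST');

// Yields an empty array: the controller would run with no validated DTO.
var_dump(iterator_to_array($resolver->resolveFailOpen($request, CreateUserInput::class)));

try {
    iterator_to_array($resolver->resolveFailClosed($request, CreateUserInput::class));
} catch (UnsupportedMediaTypeHttpException $e) {
    echo $e->getStatusCode(), ' ', $e->getMessage(), PHP_EOL;
}
```

The design point is fail-closed resolution: an argument resolver that cannot produce the DTO must reject the request rather than step aside, because a resolver that yields nothing is indistinguishable, from the controller's side, from one that never ran. Checking the media type before touching the body also means a wrong header is reported as 415 rather than surfacing later as a confusing "Deserialization Failed".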

Alexandre-Fernandez commented 1 year ago

Great, thanks.