securityPostDenormalize attribute in API Platform

What is `securityPostDenormalize`?

In API Platform route definitions, you might see the securityPostDenormalize attribute like so:

new Post(
    uriTemplate: '/articles',
    securityPostDenormalize: 'is_granted("ROLE_EDITOR")',
    name: 'article:write'
),

When you use securityPostDenormalize, the security expression is evaluated after the incoming request data has been deserialized (converted) into an object, but before the controller or processor logic is executed.

This makes it useful in scenarios when the security expression depends on the actual contents of the deserialized object (e.g., entity fields that the user actually submitted).

`security` vs `securityPostDenormalize`

`security`

The security expression is evaluated before deserialization (before the raw request is converted into a PHP object). This is useful when the security expression doesn’t depend on the PHP object content.

`securityPostDenormalize`

The security expression (is_granted("ROLE_EDITOR")) is evaluated after deserialization (after the raw request has converted into a PHP object). This is useful when the security expression depends on the PHP object content.

What is securityPostDenormalize?

security vs securityPostDenormalize

security

securityPostDenormalize

What is `securityPostDenormalize`?

`security` vs `securityPostDenormalize`

`security`

`securityPostDenormalize`