What is securityPostDenormalize?
In API Platform route definitions, you might see the securityPostDenormalize attribute like so:
    new Post(
        uriTemplate: '/articles',
        securityPostDenormalize: 'is_granted("ROLE_EDITOR")',
        name: 'article:write'
    ),
When you use securityPostDenormalize, the security expression is evaluated after the incoming request data has been deserialized (converted) into an object, but before the controller or processor logic is executed.
This makes it useful in scenarios where the security expression depends on the actual contents of the deserialized object (e.g., entity fields that the user actually submitted).
security vs securityPostDenormalize
security
The security expression is evaluated before deserialization (before the raw request is converted into a PHP object). This is useful when the security expression doesn’t depend on the PHP object content.
securityPostDenormalize
The security expression (is_granted("ROLE_EDITOR")) is evaluated after deserialization (after the raw request has been converted into a PHP object). This is useful when the security expression depends on the PHP object content.
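The difference is easiest to see when the post-denormalize expression actually reads the submitted data. The following is an added example, not code from the original page: it pairs a role-only security check with a securityPostDenormalize check that inspects the deserialized object, using API Platform's object and previous_object expression variables. The Article class, its status and owner fields, the User class in the same namespace, and ROLE_ADMIN are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. The Article class, its owner and
// status fields, and ROLE_ADMIN are hypothetical names chosen for illustration.
namespace App\Entity;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Patch;
use ApiPlatform\Metadata\Post;

#[ApiResource(operations: [
    new Post(
        uriTemplate: '/articles',
        // Before deserialization: no Article exists yet, so only the role is checked.
        security: 'is_granted("ROLE_EDITOR")',
        // After deserialization: "object" is the Article built from the request body.
        securityPostDenormalize: 'is_granted("ROLE_ADMIN") or object.getStatus() == "draft"',
        securityPostDenormalizeMessage: 'Only admins may create non-draft articles.',
        name: 'article:write'
    ),
    new Patch(
        uriTemplate: '/articles/{id}',
        // Before deserialization: "object" is the stored Article.
        security: 'is_granted("ROLE_EDITOR") and object.getOwner() == user',
        // After deserialization: "previous_object" is the Article as it was before
        // the request body was applied, so a changed owner can be rejected.
        securityPostDenormalize: 'is_granted("ROLE_ADMIN") or object.getOwner() == previous_object.getOwner()',
        securityPostDenormalizeMessage: 'Only admins may reassign an article.'
    ),
])]
class Article
{
    private ?int $id = null;
    private string $status = 'draft';
    private ?User $owner = null; // User is assumed to be App\Entity\User

    public function getId(): ?int { return $this->id; }
    public function getStatus(): string { return $this->status; }
    public function setStatus(string $status): void { $this->status = $status; }
    public function getOwner(): ?User { return $this->owner; }
    public function setOwner(?User $owner): void { $this->owner = $owner; }
}
```

With only the security expressions in place, an editor could submit a status or owner value that the role check never sees; the post-denormalize expressions are what tie authorization to the submitted fields.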