sajad torkamani

What is securityPostDenormalize?

In API Platform route definitions, you might see the securityPostDenormalize attribute like so:

new Post(
    uriTemplate: '/articles',
    securityPostDenormalize: 'is_granted("ROLE_EDITOR")',
    name: 'article:write'
),

When you use securityPostDenormalize, the security expression is evaluated after the incoming request data has been deserialized (converted) into an object, but before the controller or processor logic is executed.

This makes it useful in scenarios where the security expression depends on the actual contents of the deserialized object (e.g., entity fields that the user actually submitted).

security vs securityPostDenormalize

security

The security expression is evaluated before deserialization (before the raw request is converted into a PHP object). This is useful when the security expression doesn’t depend on the PHP object content.

securityPostDenormalize

The security expression (is_granted("ROLE_EDITOR")) is evaluated after deserialization (after the raw request has been converted into a PHP object). This is useful when the security expression depends on the PHP object content.
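
The following is an added example, not code from the original post, showing both attributes on one resource so the difference in what each expression can see is explicit. The App\Entity namespace, the Article class, its owner field and the message text are assumptions; object, previous_object and user are the variables API Platform exposes to these expressions.

```php
<?php

namespace App\Entity; // assumed namespace for this example

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Post;
use ApiPlatform\Metadata\Put;
use Symfony\Component\Security\Core\User\UserInterface;

#[ApiResource(operations: [
    new Post(
        uriTemplate: '/articles',
        // Runs before deserialization: no Article exists yet, so only
        // checks that do not need the request body (such as roles) fit here.
        security: 'is_granted("ROLE_EDITOR")',
        // Runs after deserialization: "object" is the Article built from
        // the request body, so the submitted owner can be checked.
        securityPostDenormalize: 'object.owner == user',
        securityPostDenormalizeMessage: 'You can only create articles you own.',
    ),
    new Put(
        uriTemplate: '/articles/{id}',
        // Before deserialization, "object" is the stored Article.
        security: 'is_granted("ROLE_ADMIN") or object.owner == user',
        // After deserialization, "object" holds the submitted values and
        // "previous_object" is a copy of the stored state, so a non-admin
        // cannot reassign an article to or from another user.
        securityPostDenormalize: 'is_granted("ROLE_ADMIN") or (object.owner == user and previous_object.owner == user)',
    ),
])]
class Article
{
    // Persistence mapping (e.g. Doctrine) is left to the application.
    public ?int $id = null;
    public string $title = '';
    public ?UserInterface $owner = null;
}
```

Checking only security on the Put operation would let the current owner submit a different owner in the body; the post-denormalization expression is what rejects that request before the processor persists it.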