
feat: spec-compliant PUT method

Open dunglas opened this issue 3 years ago • 0 comments

| Q | A |
| --- | --- |
| Branch? | main |
| Tickets | n/a |
| License | MIT |
| Doc PR | todo |

Our current implementation of the PUT HTTP method is not standard-compliant: according to the spec, a PUT must create or replace the resource at the requested URL.

However, currently, we don't allow the creation of new resources using PUT, and we update the existing resources instead of replacing them: untouched properties are kept instead of being reset to their default values. Basically, our PUT behaves as PATCH.

The main reason behind that non-conforming behavior is a Doctrine ORM limitation.

This patch adds support for spec-compliant PUT and provides a workaround for Doctrine ORM.

Making PUT spec-compliant is opt-in to preserve backward compatibility, but using the non-conforming version will be deprecated (use PATCH instead), and removed in API Platform 4.

Allowing resource creation is not enabled by default because it can cause security issues.

TODO:

  • [ ] Use dedicated attribute properties instead of relying on extra_properties
  • [ ] Deprecate not setting standard_put to true
  • [ ] Update the recipe to disable PUT by default (using PATCH is probably a better solution for most common use cases, so we should make PUT opt-in)

dunglas, Sep 21 '22 17:09
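The difference between the legacy PUT (which merges like PATCH) and a spec-compliant PUT (which replaces, and may create), shown as an added example that is not API Platform code and not part of the original post. The `Book` resource, the in-memory `Store`, the `allow_create` flag name and the status codes returned are assumptions of this sketch; only `standard_put` is named in the post.

```python
from dataclasses import dataclass, fields, replace

@dataclass
class Book:  # hypothetical resource with default values
    title: str = ""
    author: str = "unknown"
    published: bool = False

ALLOWED = {f.name for f in fields(Book)}

class Store:
    """In-memory stand-in for the persistence layer (assumption of this sketch)."""
    def __init__(self, standard_put=False, allow_create=False):
        self.items = {}
        self.standard_put = standard_put    # opt-in, as in the post
        self.allow_create = allow_create    # off by default, as in the post

    def patch(self, url, body):
        if set(body) - ALLOWED:
            return 400                      # reject unknown properties
        if url not in self.items:
            return 404
        # Merge: properties absent from the body keep their stored values.
        self.items[url] = replace(self.items[url], **body)
        return 200

    def put(self, url, body):
        if not self.standard_put:
            return self.patch(url, body)    # legacy behaviour: PUT acts as PATCH
        if set(body) - ALLOWED:
            return 400
        exists = url in self.items
        if not exists and not self.allow_create:
            return 404                      # creation at a client-chosen URL is refused
        # Replace: properties absent from the body fall back to their defaults.
        self.items[url] = Book(**body)
        return 200 if exists else 201

def seeded(**flags):
    """Return a store holding one constructed sample record."""
    store = Store(**flags)
    store.items["/books/1"] = Book("Old title", "Ann", True)
    return store
```

With creation enabled the client chooses the URL of the new resource, so the access-control rule for PUT has to cover the create case as well as the update case.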