src/Core/Framework/Api/Controller/ApiController.php line 253

  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Api\Controller;
  5. use Shopware\Core\Defaults;
  6. use Shopware\Core\Framework\Api\Acl\AclCriteriaValidator;
  7. use Shopware\Core\Framework\Api\Acl\Role\AclRoleDefinition;
  8. use Shopware\Core\Framework\Api\Converter\ApiVersionConverter;
  9. use Shopware\Core\Framework\Api\Converter\Exceptions\ApiConversionException;
  10. use Shopware\Core\Framework\Api\Exception\InvalidVersionNameException;
  11. use Shopware\Core\Framework\Api\Exception\LiveVersionDeleteException;
  12. use Shopware\Core\Framework\Api\Exception\MissingPrivilegeException;
  13. use Shopware\Core\Framework\Api\Exception\NoEntityClonedException;
  14. use Shopware\Core\Framework\Api\Exception\ResourceNotFoundException;
  15. use Shopware\Core\Framework\Api\Response\ResponseFactoryInterface;
  16. use Shopware\Core\Framework\Context;
  17. use Shopware\Core\Framework\DataAbstractionLayer\DefinitionInstanceRegistry;
  18. use Shopware\Core\Framework\DataAbstractionLayer\Entity;
  19. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  20. use Shopware\Core\Framework\DataAbstractionLayer\EntityProtection\EntityProtection;
  21. use Shopware\Core\Framework\DataAbstractionLayer\EntityProtection\EntityProtectionValidator;
  22. use Shopware\Core\Framework\DataAbstractionLayer\EntityProtection\ReadProtection;
  23. use Shopware\Core\Framework\DataAbstractionLayer\EntityProtection\WriteProtection;
  24. use Shopware\Core\Framework\DataAbstractionLayer\EntityRepository;
  25. use Shopware\Core\Framework\DataAbstractionLayer\EntityTranslationDefinition;
  26. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntityWrittenContainerEvent;
  27. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntityWrittenEvent;
  28. use Shopware\Core\Framework\DataAbstractionLayer\Exception\DefinitionNotFoundException;
  29. use Shopware\Core\Framework\DataAbstractionLayer\Exception\MissingReverseAssociation;
  30. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  31. use Shopware\Core\Framework\DataAbstractionLayer\Field\Field;
  32. use Shopware\Core\Framework\DataAbstractionLayer\Field\ManyToManyAssociationField;
  33. use Shopware\Core\Framework\DataAbstractionLayer\Field\ManyToOneAssociationField;
  34. use Shopware\Core\Framework\DataAbstractionLayer\Field\OneToManyAssociationField;
  35. use Shopware\Core\Framework\DataAbstractionLayer\Field\OneToOneAssociationField;
  36. use Shopware\Core\Framework\DataAbstractionLayer\Field\TranslationsAssociationField;
  37. use Shopware\Core\Framework\DataAbstractionLayer\FieldCollection;
  38. use Shopware\Core\Framework\DataAbstractionLayer\MappingEntityDefinition;
  39. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  40. use Shopware\Core\Framework\DataAbstractionLayer\Search\EntitySearchResult;
  41. use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;
  42. use Shopware\Core\Framework\DataAbstractionLayer\Search\IdSearchResult;
  43. use Shopware\Core\Framework\DataAbstractionLayer\Search\RequestCriteriaBuilder;
  44. use Shopware\Core\Framework\DataAbstractionLayer\Write\CloneBehavior;
  45. use Shopware\Core\Framework\Log\Package;
  46. use Shopware\Core\Framework\Uuid\Exception\InvalidUuidException;
  47. use Shopware\Core\Framework\Uuid\Uuid;
  48. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  49. use Symfony\Component\HttpFoundation\JsonResponse;
  50. use Symfony\Component\HttpFoundation\Request;
  51. use Symfony\Component\HttpFoundation\Response;
  52. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  53. use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
  54. use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
  55. use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
  56. use Symfony\Component\Routing\Annotation\Route;
  57. use Symfony\Component\Serializer\Encoder\DecoderInterface;
  58. use Symfony\Component\Serializer\Exception\InvalidArgumentException;
  59. use Symfony\Component\Serializer\Exception\UnexpectedValueException;
  61. /**
  62.  * @phpstan-type EntityPathSegment array{entity: string, value: ?string, definition: EntityDefinition, field: ?Field}
  63.  */
  64. #[Route(defaults: ['_routeScope' => ['api']])]
  65. #[Package('core')]
  66. class ApiController extends AbstractController
  67. {
  68.     final public const WRITE_UPDATE 'update';
  69.     final public const WRITE_CREATE 'create';
  70.     final public const WRITE_DELETE 'delete';
  72.     /**
  73.      * @internal
  74.      */
  75.     public function __construct(private readonly DefinitionInstanceRegistry $definitionRegistry, private readonly DecoderInterface $serializer, private readonly RequestCriteriaBuilder $criteriaBuilder, private readonly ApiVersionConverter $apiVersionConverter, private readonly EntityProtectionValidator $entityProtectionValidator, private readonly AclCriteriaValidator $criteriaValidator)
  76.     {
  77.     }
  79.     #[Route(path'/api/_action/clone/{entity}/{id}'name'api.clone'methods: ['POST'], requirements: ['version' => '\d+''entity' => '[a-zA-Z-]+''id' => '[0-9a-f]{32}'])]
  80.     public function clone(Context $contextstring $entitystring $idRequest $request): JsonResponse
  81.     {
  82.         $behavior = new CloneBehavior(
  83.             $request->request->all('overwrites'),
  84.             $request->request->getBoolean('cloneChildren'true)
  85.         );
  87.         $entity $this->urlToSnakeCase($entity);
  89.         $definition $this->definitionRegistry->getByEntityName($entity);
  90.         $missing $this->validateAclPermissions($context$definitionAclRoleDefinition::PRIVILEGE_CREATE);
  91.         if ($missing) {
  92.             throw new MissingPrivilegeException([$missing]);
  93.         }
  95.         $eventContainer $context->scope(Context::CRUD_API_SCOPE, function (Context $context) use ($definition$id$behavior): EntityWrittenContainerEvent {
  96.             /** @var EntityRepository $entityRepo */
  97.             $entityRepo $this->definitionRegistry->getRepository($definition->getEntityName());
  99.             return $entityRepo->clone($id$contextnull$behavior);
  100.         });
  102.         $event $eventContainer->getEventByEntityName($definition->getEntityName());
  103.         if (!$event) {
  104.             throw new NoEntityClonedException($entity$id);
  105.         }
  107.         $ids $event->getIds();
  108.         $newId array_shift($ids);
  110.         return new JsonResponse(['id' => $newId]);
  111.     }
  113.     #[Route(path'/api/_action/version/{entity}/{id}'name'api.createVersion'methods: ['POST'], requirements: ['version' => '\d+''entity' => '[a-zA-Z-]+''id' => '[0-9a-f]{32}'])]
  114.     public function createVersion(Request $requestContext $contextstring $entitystring $id): Response
  115.     {
  116.         $entity $this->urlToSnakeCase($entity);
  118.         $versionId $request->request->has('versionId') ? (string) $request->request->get('versionId') : null;
  119.         $versionName $request->request->has('versionName') ? (string) $request->request->get('versionName') : null;
  121.         if ($versionId !== null && !Uuid::isValid($versionId)) {
  122.             throw new InvalidUuidException($versionId);
  123.         }
  125.         if ($versionName !== null && !ctype_alnum($versionName)) {
  126.             throw new InvalidVersionNameException();
  127.         }
  129.         try {
  130.             $entityDefinition $this->definitionRegistry->getByEntityName($entity);
  131.         } catch (DefinitionNotFoundException $e) {
  132.             throw new NotFoundHttpException($e->getMessage(), $e);
  133.         }
  135.         $versionId $context->scope(Context::CRUD_API_SCOPE, fn (Context $context): string => $this->definitionRegistry->getRepository($entityDefinition->getEntityName())->createVersion($id$context$versionName$versionId));
  137.         return new JsonResponse([
  138.             'versionId' => $versionId,
  139.             'versionName' => $versionName,
  140.             'id' => $id,
  141.             'entity' => $entity,
  142.         ]);
  143.     }
  145.     #[Route(path'/api/_action/version/merge/{entity}/{versionId}'name'api.mergeVersion'methods: ['POST'], requirements: ['version' => '\d+''entity' => '[a-zA-Z-]+''versionId' => '[0-9a-f]{32}'])]
  146.     public function mergeVersion(Context $contextstring $entitystring $versionId): JsonResponse
  147.     {
  148.         $entity $this->urlToSnakeCase($entity);
  150.         if (!Uuid::isValid($versionId)) {
  151.             throw new InvalidUuidException($versionId);
  152.         }
  154.         $entityDefinition $this->getEntityDefinition($entity);
  155.         $repository $this->definitionRegistry->getRepository($entityDefinition->getEntityName());
  157.         // change scope to be able to update write protected fields
  158.         $context->scope(Context::SYSTEM_SCOPE, function (Context $context) use ($repository$versionId): void {
  159.             $repository->merge($versionId$context);
  160.         });
  162.         return new JsonResponse(nullResponse::HTTP_NO_CONTENT);
  163.     }
  165.     #[Route(path'/api/_action/version/{versionId}/{entity}/{entityId}'name'api.deleteVersion'methods: ['POST'], requirements: ['version' => '\d+''entity' => '[a-zA-Z-]+''id' => '[0-9a-f]{32}'])]
  166.     public function deleteVersion(Context $contextstring $entitystring $entityIdstring $versionId): JsonResponse
  167.     {
  168.         if ($versionId !== null && !Uuid::isValid($versionId)) {
  169.             throw new InvalidUuidException($versionId);
  170.         }
  172.         if ($versionId === Defaults::LIVE_VERSION) {
  173.             throw new LiveVersionDeleteException();
  174.         }
  176.         if ($entityId !== null && !Uuid::isValid($entityId)) {
  177.             throw new InvalidUuidException($entityId);
  178.         }
  180.         try {
  181.             $entityDefinition $this->definitionRegistry->getByEntityName($this->urlToSnakeCase($entity));
  182.         } catch (DefinitionNotFoundException $e) {
  183.             throw new NotFoundHttpException($e->getMessage(), $e);
  184.         }
  186.         $versionContext $context->createWithVersionId($versionId);
  188.         $entityRepository $this->definitionRegistry->getRepository($entityDefinition->getEntityName());
  190.         $versionContext->scope(Context::CRUD_API_SCOPE, function (Context $versionContext) use ($entityId$entityRepository): void {
  191.             $entityRepository->delete([['id' => $entityId]], $versionContext);
  192.         });
  194.         $versionRepository $this->definitionRegistry->getRepository('version');
  195.         $versionRepository->delete([['id' => $versionId]], $context);
  197.         return new JsonResponse();
  198.     }
  200.     public function detail(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  201.     {
  202.         $pathSegments $this->buildEntityPath($entityName$path$context);
  203.         $permissions $this->validatePathSegments($context$pathSegmentsAclRoleDefinition::PRIVILEGE_READ);
  205.         $root $pathSegments[0]['entity'];
  206.         /** @var string $id id is always set, otherwise the route would not match */
  207.         $id $pathSegments[\count($pathSegments) - 1]['value'];
  209.         $definition $this->definitionRegistry->getByEntityName($root);
  211.         $associations array_column($pathSegments'entity');
  212.         array_shift($associations);
  214.         if (empty($associations)) {
  215.             $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  216.         } else {
  217.             $field $this->getAssociation($definition->getFields(), $associations);
  219.             $definition $field->getReferenceDefinition();
  220.             if ($field instanceof ManyToManyAssociationField) {
  221.                 $definition $field->getToManyReferenceDefinition();
  222.             }
  224.             $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  225.         }
  227.         $criteria = new Criteria();
  228.         $criteria $this->criteriaBuilder->handleRequest($request$criteria$definition$context);
  230.         $criteria->setIds([$id]);
  232.         // trigger acl validation
  233.         $missing $this->criteriaValidator->validate($definition->getEntityName(), $criteria$context);
  234.         $permissions array_unique(array_filter(array_merge($permissions$missing)));
  236.         if (!empty($permissions)) {
  237.             throw new MissingPrivilegeException($permissions);
  238.         }
  240.         $entity $context->scope(Context::CRUD_API_SCOPE, fn (Context $context): ?Entity => $repository->search($criteria$context)->get($id));
  242.         if ($entity === null) {
  243.             throw new ResourceNotFoundException($definition->getEntityName(), ['id' => $id]);
  244.         }
  246.         return $responseFactory->createDetailResponse($criteria$entity$definition$request$context);
  247.     }
  249.     public function searchIds(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  250.     {
  251.         [$criteria$repository] = $this->resolveSearch($request$context$entityName$path);
  253.         $result $context->scope(Context::CRUD_API_SCOPE, fn (Context $context): IdSearchResult => $repository->searchIds($criteria$context));
  255.         return new JsonResponse([
  256.             'total' => $result->getTotal(),
  257.             'data' => array_values($result->getIds()),
  258.         ]);
  259.     }
  261.     public function search(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  262.     {
  263.         [$criteria$repository] = $this->resolveSearch($request$context$entityName$path);
  265.         $result $context->scope(Context::CRUD_API_SCOPE, fn (Context $context): EntitySearchResult => $repository->search($criteria$context));
  267.         $definition $this->getDefinitionOfPath($entityName$path$context);
  269.         return $responseFactory->createListingResponse($criteria$result$definition$request$context);
  270.     }
  272.     public function list(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  273.     {
  274.         [$criteria$repository] = $this->resolveSearch($request$context$entityName$path);
  276.         $result $context->scope(Context::CRUD_API_SCOPE, fn (Context $context): EntitySearchResult => $repository->search($criteria$context));
  278.         $definition $this->getDefinitionOfPath($entityName$path$context);
  280.         return $responseFactory->createListingResponse($criteria$result$definition$request$context);
  281.     }
  283.     public function create(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  284.     {
  285.         return $this->write($request$context$responseFactory$entityName$pathself::WRITE_CREATE);
  286.     }
  288.     public function update(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  289.     {
  290.         return $this->write($request$context$responseFactory$entityName$pathself::WRITE_UPDATE);
  291.     }
  293.     public function delete(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $path): Response
  294.     {
  295.         $pathSegments $this->buildEntityPath($entityName$path$context, [WriteProtection::class]);
  297.         $last $pathSegments[\count($pathSegments) - 1];
  299.         /** @var string $id id is always set, otherwise the route would not match */
  300.         $id $last['value'];
  302.         /** @var EntityPathSegment $first */
  303.         $first array_shift($pathSegments);
  305.         if (\count($pathSegments) === 0) {
  306.             //first api level call /product/{id}
  307.             $definition $first['definition'];
  309.             $this->executeWriteOperation($definition, ['id' => $id], $contextself::WRITE_DELETE);
  311.             return $responseFactory->createRedirectResponse($definition$id$request$context);
  312.         }
  314.         $child array_pop($pathSegments);
  315.         $parent $first;
  316.         if (!empty($pathSegments)) {
  317.             $parent array_pop($pathSegments);
  318.         }
  320.         $definition $child['definition'];
  322.         /** @var AssociationField $association */
  323.         $association $child['field'];
  325.         // DELETE api/product/{id}/manufacturer/{id}
  326.         if ($association instanceof ManyToOneAssociationField || $association instanceof OneToOneAssociationField) {
  327.             $this->executeWriteOperation($definition, ['id' => $id], $contextself::WRITE_DELETE);
  329.             return $responseFactory->createRedirectResponse($definition$id$request$context);
  330.         }
  332.         // DELETE api/product/{id}/category/{id}
  333.         if ($association instanceof ManyToManyAssociationField) {
  334.             /** @var Field $local */
  335.             $local $definition->getFields()->getByStorageName(
  336.                 $association->getMappingLocalColumn()
  337.             );
  339.             /** @var Field $reference */
  340.             $reference $definition->getFields()->getByStorageName(
  341.                 $association->getMappingReferenceColumn()
  342.             );
  344.             $mapping = [
  345.                 $local->getPropertyName() => $parent['value'],
  346.                 $reference->getPropertyName() => $id,
  347.             ];
  348.             /** @var EntityDefinition $parentDefinition */
  349.             $parentDefinition $parent['definition'];
  351.             if ($parentDefinition->isVersionAware()) {
  352.                 $versionField $parentDefinition->getEntityName() . 'VersionId';
  353.                 $mapping[$versionField] = $context->getVersionId();
  354.             }
  356.             if ($association->getToManyReferenceDefinition()->isVersionAware()) {
  357.                 $versionField $association->getToManyReferenceDefinition()->getEntityName() . 'VersionId';
  359.                 $mapping[$versionField] = Defaults::LIVE_VERSION;
  360.             }
  362.             $this->executeWriteOperation($definition$mapping$contextself::WRITE_DELETE);
  364.             return $responseFactory->createRedirectResponse($definition$id$request$context);
  365.         }
  367.         if ($association instanceof TranslationsAssociationField) {
  368.             /** @var EntityTranslationDefinition $refClass */
  369.             $refClass $association->getReferenceDefinition();
  371.             /** @var Field $refField */
  372.             $refField $refClass->getFields()->getByStorageName($association->getReferenceField());
  373.             $refPropName $refField->getPropertyName();
  375.             /** @var Field $langField */
  376.             $langField $refClass->getPrimaryKeys()->getByStorageName($association->getLanguageField());
  377.             $refLanguagePropName $langField->getPropertyName();
  379.             $mapping = [
  380.                 $refPropName => $parent['value'],
  381.                 $refLanguagePropName => $id,
  382.             ];
  384.             $this->executeWriteOperation($definition$mapping$contextself::WRITE_DELETE);
  386.             return $responseFactory->createRedirectResponse($definition$id$request$context);
  387.         }
  389.         if ($association instanceof OneToManyAssociationField) {
  390.             $this->executeWriteOperation($definition, ['id' => $id], $contextself::WRITE_DELETE);
  392.             return $responseFactory->createRedirectResponse($definition$id$request$context);
  393.         }
  395.         throw new \RuntimeException(sprintf('Unsupported association for field %s'$association->getPropertyName()));
  396.     }
  398.     /**
  399.      * @return array{0: Criteria, 1: EntityRepository}
  400.      */
  401.     private function resolveSearch(Request $requestContext $contextstring $entityNamestring $path): array
  402.     {
  403.         $pathSegments $this->buildEntityPath($entityName$path$context);
  404.         $permissions $this->validatePathSegments($context$pathSegmentsAclRoleDefinition::PRIVILEGE_READ);
  406.         /** @var EntityPathSegment $first */
  407.         $first array_shift($pathSegments);
  409.         $definition $first['definition'];
  411.         $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  413.         $criteria = new Criteria();
  414.         if (empty($pathSegments)) {
  415.             $criteria $this->criteriaBuilder->handleRequest($request$criteria$definition$context);
  417.             // trigger acl validation
  418.             $nested $this->criteriaValidator->validate($definition->getEntityName(), $criteria$context);
  419.             $permissions array_unique(array_filter(array_merge($permissions$nested)));
  421.             if (!empty($permissions)) {
  422.                 throw new MissingPrivilegeException($permissions);
  423.             }
  425.             return [$criteria$repository];
  426.         }
  428.         $child array_pop($pathSegments);
  429.         $parent $first;
  431.         if (!empty($pathSegments)) {
  432.             /** @var EntityPathSegment $parent */
  433.             $parent array_pop($pathSegments);
  434.         }
  436.         $association $child['field'];
  438.         $parentDefinition $parent['definition'];
  440.         $definition $child['definition'];
  441.         if ($association instanceof ManyToManyAssociationField) {
  442.             $definition $association->getToManyReferenceDefinition();
  443.         }
  445.         $criteria $this->criteriaBuilder->handleRequest($request$criteria$definition$context);
  447.         if ($association instanceof ManyToManyAssociationField) {
  448.             //fetch inverse association definition for filter
  449.             $reverse $definition->getFields()->filter(
  450.                 fn (Field $field) => $field instanceof ManyToManyAssociationField && $association->getMappingDefinition() === $field->getMappingDefinition()
  451.             );
  453.             //contains now the inverse side association: category.products
  454.             $reverse $reverse->first();
  455.             if (!$reverse) {
  456.                 throw new MissingReverseAssociation($definition->getEntityName(), $parentDefinition->getEntityName());
  457.             }
  459.             $criteria->addFilter(
  460.                 new EqualsFilter(
  461.                     sprintf('%s.%s.id'$definition->getEntityName(), $reverse->getPropertyName()),
  462.                     $parent['value']
  463.                 )
  464.             );
  466.             /** @var EntityDefinition $parentDefinition */
  467.             if ($parentDefinition->isVersionAware()) {
  468.                 $criteria->addFilter(
  469.                     new EqualsFilter(
  470.                         sprintf('%s.%s.versionId'$definition->getEntityName(), $reverse->getPropertyName()),
  471.                         $context->getVersionId()
  472.                     )
  473.                 );
  474.             }
  475.         } elseif ($association instanceof OneToManyAssociationField) {
  476.             /*
  477.              * Example
  478.              * Route:           /api/product/SW1/prices
  479.              * $definition:     \Shopware\Core\Content\Product\Definition\ProductPriceDefinition
  480.              */
  482.             //get foreign key definition of reference
  483.             /** @var Field $foreignKey */
  484.             $foreignKey $definition->getFields()->getByStorageName(
  485.                 $association->getReferenceField()
  486.             );
  488.             $criteria->addFilter(
  489.                 new EqualsFilter(
  490.                 //add filter to parent value: prices.productId = SW1
  491.                     $definition->getEntityName() . '.' $foreignKey->getPropertyName(),
  492.                     $parent['value']
  493.                 )
  494.             );
  495.         } elseif ($association instanceof ManyToOneAssociationField) {
  496.             /*
  497.              * Example
  498.              * Route:           /api/product/SW1/manufacturer
  499.              * $definition:     \Shopware\Core\Content\Product\Aggregate\ProductManufacturer\ProductManufacturerDefinition
  500.              */
  502.             //get inverse association to filter to parent value
  503.             $reverse $definition->getFields()->filter(
  504.                 fn (Field $field) => $field instanceof AssociationField && $parentDefinition === $field->getReferenceDefinition()
  505.             );
  506.             $reverse $reverse->first();
  507.             if (!$reverse) {
  508.                 throw new MissingReverseAssociation($definition->getEntityName(), $parentDefinition->getEntityName());
  509.             }
  511.             $criteria->addFilter(
  512.                 new EqualsFilter(
  513.                 //filter inverse association to parent value:  manufacturer.products.id = SW1
  514.                     sprintf('%s.%s.id'$definition->getEntityName(), $reverse->getPropertyName()),
  515.                     $parent['value']
  516.                 )
  517.             );
  518.         } elseif ($association instanceof OneToOneAssociationField) {
  519.             /*
  520.              * Example
  521.              * Route:           /api/order/xxxx/orderCustomer
  522.              * $definition:     \Shopware\Core\Checkout\Order\Aggregate\OrderCustomer\OrderCustomerDefinition
  523.              */
  525.             //get inverse association to filter to parent value
  526.             $reverse $definition->getFields()->filter(
  527.                 fn (Field $field) => $field instanceof OneToOneAssociationField && $parentDefinition === $field->getReferenceDefinition()
  528.             );
  529.             $reverse $reverse->first();
  530.             if (!$reverse) {
  531.                 throw new MissingReverseAssociation($definition->getEntityName(), $parentDefinition->getEntityName());
  532.             }
  534.             $criteria->addFilter(
  535.                 new EqualsFilter(
  536.                 //filter inverse association to parent value:  order_customer.order_id = xxxx
  537.                     sprintf('%s.%s.id'$definition->getEntityName(), $reverse->getPropertyName()),
  538.                     $parent['value']
  539.                 )
  540.             );
  541.         }
  543.         $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  545.         $nested $this->criteriaValidator->validate($definition->getEntityName(), $criteria$context);
  546.         $permissions array_unique(array_filter(array_merge($permissions$nested)));
  548.         if (!empty($permissions)) {
  549.             throw new MissingPrivilegeException($permissions);
  550.         }
  552.         return [$criteria$repository];
  553.     }
  555.     private function getDefinitionOfPath(string $entityNamestring $pathContext $context): EntityDefinition
  556.     {
  557.         $pathSegments $this->buildEntityPath($entityName$path$context);
  559.         /** @var EntityPathSegment $first */
  560.         $first array_shift($pathSegments);
  562.         $definition $first['definition'];
  564.         if (empty($pathSegments)) {
  565.             return $definition;
  566.         }
  568.         $child array_pop($pathSegments);
  570.         $association $child['field'];
  572.         if ($association instanceof ManyToManyAssociationField) {
  573.             /*
  574.              * Example:
  575.              * route:           /api/product/SW1/categories
  576.              * $definition:     \Shopware\Core\Content\Category\CategoryDefinition
  577.              */
  578.             return $association->getToManyReferenceDefinition();
  579.         }
  581.         return $child['definition'];
  582.     }
  584.     private function write(Request $requestContext $contextResponseFactoryInterface $responseFactorystring $entityNamestring $pathstring $type): Response
  585.     {
  586.         $payload $this->getRequestBody($request);
  587.         $noContent = !$request->query->has('_response');
  588.         // safari bug prevents us from using the location header
  589.         $appendLocationHeader false;
  591.         if ($this->isCollection($payload)) {
  592.             throw new BadRequestHttpException('Only single write operations are supported. Please send the entities one by one or use the /sync api endpoint.');
  593.         }
  595.         $pathSegments $this->buildEntityPath($entityName$path$context, [WriteProtection::class]);
  597.         $last $pathSegments[\count($pathSegments) - 1];
  599.         if ($type === self::WRITE_CREATE && !empty($last['value'])) {
  600.             $methods = ['GET''PATCH''DELETE'];
  602.             throw new MethodNotAllowedHttpException($methodssprintf('No route found for "%s %s": Method Not Allowed (Allow: %s)'$request->getMethod(), $request->getPathInfo(), implode(', '$methods)));
  603.         }
  605.         if ($type === self::WRITE_UPDATE && isset($last['value'])) {
  606.             $payload['id'] = $last['value'];
  607.         }
  609.         /** @var EntityPathSegment $first */
  610.         $first array_shift($pathSegments);
  612.         if (\count($pathSegments) === 0) {
  613.             $definition $first['definition'];
  614.             $events $this->executeWriteOperation($definition$payload$context$type);
  615.             /** @var EntityWrittenEvent $event */
  616.             $event $events->getEventByEntityName($definition->getEntityName());
  617.             $eventIds $event->getIds();
  618.             $entityId array_pop($eventIds);
  620.             if ($definition instanceof MappingEntityDefinition) {
  621.                 return new Response(nullResponse::HTTP_NO_CONTENT);
  622.             }
  624.             if ($noContent) {
  625.                 return $responseFactory->createRedirectResponse($definition$entityId$request$context);
  626.             }
  628.             $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  629.             $criteria = new Criteria($event->getIds());
  630.             $entities $repository->search($criteria$context);
  632.             return $responseFactory->createDetailResponse($criteria$entities->first(), $definition$request$context$appendLocationHeader);
  633.         }
  635.         /** @var EntityPathSegment $child */
  636.         $child array_pop($pathSegments);
  638.         $parent $first;
  639.         if (!empty($pathSegments)) {
  640.             /** @var EntityPathSegment $parent */
  641.             $parent array_pop($pathSegments);
  642.         }
  644.         $definition $child['definition'];
  646.         $association $child['field'];
  648.         $parentDefinition $parent['definition'];
  650.         if ($association instanceof OneToManyAssociationField) {
  651.             /** @var Field $foreignKey */
  652.             $foreignKey $definition->getFields()
  653.                 ->getByStorageName($association->getReferenceField());
  655.             /** @var string $parentId, for parents the id is always set */
  656.             $parentId $parent['value'];
  657.             $payload[$foreignKey->getPropertyName()] = $parentId;
  659.             $events $this->executeWriteOperation($definition$payload$context$type);
  661.             if ($noContent) {
  662.                 return $responseFactory->createRedirectResponse($definition$parentId$request$context);
  663.             }
  665.             /** @var EntityWrittenEvent $event */
  666.             $event $events->getEventByEntityName($definition->getEntityName());
  668.             $repository $this->definitionRegistry->getRepository($definition->getEntityName());
  670.             $criteria = new Criteria($event->getIds());
  671.             $entities $repository->search($criteria$context);
  673.             return $responseFactory->createDetailResponse($criteria$entities->first(), $definition$request$context$appendLocationHeader);
  674.         }
  676.         if ($association instanceof ManyToOneAssociationField || $association instanceof OneToOneAssociationField) {
  677.             $events $this->executeWriteOperation($definition$payload$context$type);
  678.             /** @var EntityWrittenEvent $event */
  679.             $event $events->getEventByEntityName($definition->getEntityName());
  681.             $entityIds $event->getIds();
  682.             $entityId array_pop($entityIds);
  684.             /** @var Field $foreignKey */
  685.             $foreignKey $parentDefinition->getFields()->getByStorageName($association->getStorageName());
  687.             $payload = [
  688.                 'id' => $parent['value'],
  689.                 $foreignKey->getPropertyName() => $entityId,
  690.             ];
  692.             $repository $this->definitionRegistry->getRepository($parentDefinition->getEntityName());
  693.             $repository->update([$payload], $context);
  695.             if ($noContent) {
  696.                 return $responseFactory->createRedirectResponse($definition$entityId$request$context);
  697.             }
  699.             $criteria = new Criteria($event->getIds());
  700.             $entities $repository->search($criteria$context);
  702.             return $responseFactory->createDetailResponse($criteria$entities->first(), $definition$request$context$appendLocationHeader);
  703.         }
  705.         /** @var ManyToManyAssociationField $manyToManyAssociation */
  706.         $manyToManyAssociation $association;
  708.         $reference $manyToManyAssociation->getToManyReferenceDefinition();
  710.         // check if we need to create the entity first
  711.         if (\count($payload) > || !\array_key_exists('id'$payload)) {
  712.             $events $this->executeWriteOperation($reference$payload$context$type);
  713.             /** @var EntityWrittenEvent $event */
  714.             $event $events->getEventByEntityName($reference->getEntityName());
  716.             $ids $event->getIds();
  717.             $id array_shift($ids);
  718.         } else {
  719.             // only id provided - add assignment
  720.             $id $payload['id'];
  721.         }
  723.         $payload = [
  724.             'id' => $parent['value'],
  725.             $manyToManyAssociation->getPropertyName() => [
  726.                 ['id' => $id],
  727.             ],
  728.         ];
  730.         $repository $this->definitionRegistry->getRepository($parentDefinition->getEntityName());
  731.         $repository->update([$payload], $context);
  733.         $repository $this->definitionRegistry->getRepository($reference->getEntityName());
  734.         $criteria = new Criteria([$id]);
  736.         $entities $repository->search($criteria$context);
  737.         $entity $entities->first();
  739.         if ($noContent) {
  740.             return $responseFactory->createRedirectResponse($reference$entity->getId(), $request$context);
  741.         }
  743.         return $responseFactory->createDetailResponse($criteria$entity$definition$request$context$appendLocationHeader);
  744.     }
  746.     /**
  747.      * @param array<string, mixed> $payload
  748.      */
  749.     private function executeWriteOperation(
  750.         EntityDefinition $entity,
  751.         array $payload,
  752.         Context $context,
  753.         string $type
  754.     ): EntityWrittenContainerEvent {
  755.         $repository $this->definitionRegistry->getRepository($entity->getEntityName());
  757.         $conversionException = new ApiConversionException();
  758.         $payload $this->apiVersionConverter->convertPayload($entity$payload$conversionException);
  759.         $conversionException->tryToThrow();
  761.         $event $context->scope(Context::CRUD_API_SCOPE, function (Context $context) use ($repository$payload$entity$type): ?EntityWrittenContainerEvent {
  762.             if ($type === self::WRITE_CREATE) {
  763.                 return $repository->create([$payload], $context);
  764.             }
  766.             if ($type === self::WRITE_UPDATE) {
  767.                 return $repository->update([$payload], $context);
  768.             }
  770.             if ($type === self::WRITE_DELETE) {
  771.                 $event $repository->delete([$payload], $context);
  773.                 if (!empty($event->getErrors())) {
  774.                     throw new ResourceNotFoundException($entity->getEntityName(), $payload);
  775.                 }
  777.                 return $event;
  778.             }
  780.             return null;
  781.         });
  783.         if (!$event) {
  784.             throw new \RuntimeException('Unsupported write operation.');
  785.         }
  787.         return $event;
  788.     }
  790.     /**
  791.      * @param non-empty-list<string> $keys
  792.      */
  793.     private function getAssociation(FieldCollection $fields, array $keys): AssociationField
  794.     {
  795.         $key array_shift($keys);
  797.         /** @var AssociationField $field */
  798.         $field $fields->get($key);
  800.         if (empty($keys)) {
  801.             return $field;
  802.         }
  804.         $reference $field->getReferenceDefinition();
  805.         $nested $reference->getFields();
  807.         return $this->getAssociation($nested$keys);
  808.     }
  810.     /**
  811.      * @param list<class-string<EntityProtection>> $protections
  812.      *
  813.      * @return list<EntityPathSegment>
  814.      */
  815.     private function buildEntityPath(
  816.         string $entityName,
  817.         string $pathInfo,
  818.         Context $context,
  819.         array $protections = [ReadProtection::class]
  820.     ): array {
  821.         $pathInfo str_replace('/extensions/''/'$pathInfo);
  822.         $exploded explode('/'$entityName '/' ltrim($pathInfo'/'));
  824.         $parts = [];
  825.         foreach ($exploded as $index => $part) {
  826.             if ($index 2) {
  827.                 continue;
  828.             }
  830.             if (empty($part)) {
  831.                 continue;
  832.             }
  834.             $value $exploded[$index 1] ?? null;
  836.             if (empty($parts)) {
  837.                 $part $this->urlToSnakeCase($part);
  838.             } else {
  839.                 $part $this->urlToCamelCase($part);
  840.             }
  842.             $parts[] = [
  843.                 'entity' => $part,
  844.                 'value' => $value,
  845.             ];
  846.         }
  848.         /** @var array{'entity': string, 'value': string|null} $first */
  849.         $first array_shift($parts);
  851.         try {
  852.             $root $this->definitionRegistry->getByEntityName($first['entity']);
  853.         } catch (DefinitionNotFoundException $e) {
  854.             throw new NotFoundHttpException($e->getMessage(), $e);
  855.         }
  857.         $entities = [
  858.             [
  859.                 'entity' => $first['entity'],
  860.                 'value' => $first['value'],
  861.                 'definition' => $root,
  862.                 'field' => null,
  863.             ],
  864.         ];
  866.         foreach ($parts as $part) {
  867.             /** @var AssociationField|null $field */
  868.             $field $root->getFields()->get($part['entity']);
  869.             if (!$field) {
  870.                 $path implode('.'array_column($entities'entity')) . '.' $part['entity'];
  872.                 throw new NotFoundHttpException(sprintf('Resource at path "%s" is not an existing relation.'$path));
  873.             }
  875.             if ($field instanceof ManyToManyAssociationField) {
  876.                 $root $field->getToManyReferenceDefinition();
  877.             } else {
  878.                 $root $field->getReferenceDefinition();
  879.             }
  881.             $entities[] = [
  882.                 'entity' => $part['entity'],
  883.                 'value' => $part['value'],
  884.                 'definition' => $field->getReferenceDefinition(),
  885.                 'field' => $field,
  886.             ];
  887.         }
  889.         $context->scope(Context::CRUD_API_SCOPE, function (Context $context) use ($entities$protections): void {
  890.             $this->entityProtectionValidator->validateEntityPath($entities$protections$context);
  891.         });
  893.         return $entities;
  894.     }
  896.     private function urlToSnakeCase(string $name): string
  897.     {
  898.         return str_replace('-''_'$name);
  899.     }
  901.     private function urlToCamelCase(string $name): string
  902.     {
  903.         $parts explode('-'$name);
  904.         $parts array_map('ucfirst'$parts);
  906.         return lcfirst(implode(''$parts));
  907.     }
  909.     /**
  910.      * Return a nested array structure of based on the content-type
  911.      *
  912.      * @return array<string, mixed>
  913.      */
  914.     private function getRequestBody(Request $request): array
  915.     {
  916.         $contentType $request->headers->get('CONTENT_TYPE''');
  917.         $semicolonPosition mb_strpos($contentType';');
  919.         if ($semicolonPosition !== false) {
  920.             $contentType mb_substr($contentType0$semicolonPosition);
  921.         }
  923.         try {
  924.             switch ($contentType) {
  925.                 case 'application/vnd.api+json':
  926.                     return $this->serializer->decode($request->getContent(), 'jsonapi');
  927.                 case 'application/json':
  928.                     return $request->request->all();
  929.             }
  930.         } catch (InvalidArgumentException UnexpectedValueException $exception) {
  931.             throw new BadRequestHttpException($exception->getMessage());
  932.         }
  934.         throw new UnsupportedMediaTypeHttpException(sprintf('The Content-Type "%s" is unsupported.'$contentType));
  935.     }
  937.     /**
  938.      * @param array<mixed> $array
  939.      */
  940.     private function isCollection(array $array): bool
  941.     {
  942.         return array_keys($array) === range(0\count($array) - 1);
  943.     }
  945.     private function getEntityDefinition(string $entityName): EntityDefinition
  946.     {
  947.         try {
  948.             $entityDefinition $this->definitionRegistry->getByEntityName($entityName);
  949.         } catch (DefinitionNotFoundException $e) {
  950.             throw new NotFoundHttpException($e->getMessage(), $e);
  951.         }
  953.         return $entityDefinition;
  954.     }
  956.     private function validateAclPermissions(Context $contextEntityDefinition $entitystring $privilege): ?string
  957.     {
  958.         $resource $entity->getEntityName();
  960.         if ($entity instanceof EntityTranslationDefinition) {
  961.             $resource $entity->getParentDefinition()->getEntityName();
  962.         }
  964.         if (!$context->isAllowed($resource ':' $privilege)) {
  965.             return $resource ':' $privilege;
  966.         }
  968.         return null;
  969.     }
  971.     /**
  972.      * @param list<EntityPathSegment> $pathSegments
  973.      *
  974.      * @return list<string>
  975.      */
  976.     private function validatePathSegments(Context $context, array $pathSegmentsstring $privilege): array
  977.     {
  978.         /** @var EntityPathSegment $child */
  979.         $child array_pop($pathSegments);
  981.         $missing = [];
  983.         foreach ($pathSegments as $segment) {
  984.             // you need detail privileges for every parent entity
  985.             $missing[] = $this->validateAclPermissions(
  986.                 $context,
  987.                 $this->getDefinitionForPathSegment($segment),
  988.                 AclRoleDefinition::PRIVILEGE_READ
  989.             );
  990.         }
  992.         $missing[] = $this->validateAclPermissions($context$this->getDefinitionForPathSegment($child), $privilege);
  994.         return array_unique(array_filter($missing));
  995.     }
  997.     /**
  998.      * @param EntityPathSegment $segment
  999.      */
  1000.     private function getDefinitionForPathSegment(array $segment): EntityDefinition
  1001.     {
  1002.         $definition $segment['definition'];
  1004.         if ($segment['field'] instanceof ManyToManyAssociationField) {
  1005.             $definition $segment['field']->getToManyReferenceDefinition();
  1006.         }
  1008.         return $definition;
  1009.     }
  1010. }