core

• Add an HTTP client dedicated to functional API testing (#2608)
• Add PATCH support (#2895)
• Add a command to generate json schemas api:json-schema:generate (#2996)
• Add infrastructure to generate a JSON Schema from a Resource ApiPlatform\Core\JsonSchema\SchemaFactoryInterface (#2983)
• Replaces access_control by security and adds a security_post_denormalize attribute (#2992)
• Add basic infrastructure for cursor-based pagination (#2532)
• Change ExistsFilter syntax to exists[property], old syntax still supported see #2243, fixes it's behavior on GraphQL (also related #2640).
• Pagination with subresources (#2698)
• Improve search filter id's managment (#1844)
• Add support of name converter in filters (#2751, #2897), filter signature in abstract methods has changed see b42dfd198b1644904fd6a684ab2cedaf530254e3
• Ability to change the Vary header via cacheHeaders attributes of a resource (#2758)
• Ability to use the Query object in a paginator (#2493)
• Compatibility with Symfony 4.3 (#2784)
• Better handling of JsonSerializable classes (#2921)
• Elasticsearch: Add pagination (#2919)
• Add default, min, max specification in pagination parameter API docs (#3002)
• Add a swagger version configuration option swagger.versions and deprecates the enable_swagger configuration option (#2998)
• Order filter now documents asc/desc as enum (#2971)
• GraphQL: BC Break Separate query resource operation attribute into item_query and collection_query operations so user can use different security and serialization groups for them (#2944, #3015)
• GraphQL: Add support for custom queries and mutations (#2447)
• GraphQL: Add support for custom types
• GraphQL: Better pagination support (backwards pagination) (#2142)
• GraphQL: Support the pagination per resource
• GraphQL: Add the concept of stages in the workflow of the resolvers and add the possibility to disable them with operation attributes (#2959)
• GraphQL: Add GraphQL Playground besides GraphiQL and add the possibility to change the default IDE (or to disable it) for the GraphQL endpoint
• GraphQL: Add a command to print the schema in SDL api:graphql:export > schema.graphql (#2600)
• GraphQL: Improve serialization performance by avoiding calls to the serialize PHP function
• GraphQL: Allow to use a search and an exist filter on the same resource
• GraphQL: Refactor the architecture of the whole system to allow the decoration of useful services (TypeConverter to manage custom types, SerializerContextBuilder to modify the (de)serialization context dynamically, etc.)

Notes:

Please read #2825 if you have issues with the behavior of Readable/Writable Link

• Fix passing context to data persisters' remove method
• Ensure OpenAPI normalizers properly expose the date format
• Add source maps for Swagger UI
• Improve error message when filter class is not imported
• Add missing autowiring alias for Pagination
• Doctrine: ensure that EntityManagerInterface is used in data providers

• GraphQL: Use correct resource configuration for filter arguments of nested collection
• Swagger UI: compatibility with Internet Explorer 11
• Varnish: Prevent cache miss by generating IRI for child related resources
• Messenger: Unwrap exception thrown in handler for Symfony Messenger 4.3
• Fix remaining Symfony 4.3 deprecation notices
• Prevent cloning non clonable objects in previous_data
• Return a 415 HTTP status code instead of a 406 one when a faulty Content-Type is sent
• Fix WriteListener trying to generate IRI for non-resources
• Allow to extract blank values from composite identifier

• Fix denormalization of a constructor argument which is a collection of non-resources
• Allow custom operations to return a different class than the expected resource class

• Store the original data in the previous_data request attribute, and allow to access it in security expressions using the previous_object variable (useful for PUT and PATCH requests)
• Fix resource inheritance handling
• Fix BC break in AbstractItemNormalizer introduced in 2.4
• Fix serialization when using interface as resource
• Basic compatibility with Symfony 4.3

• Doctrine: allow autowiring of filter classes

• Doctrine: don't use fetchJoinCollection on Paginator when not needed

• Doctrine: fix a BC break in OrderFilter

• GraphQL: input objects aren't nullable anymore (compliance with the Relay spec)

• Cache: Remove some useless purges

• Mercure: publish to Mercure using the default response format

• Mercure: use the Serializer context

• OpenAPI: fix documentation of the PropertyFilter

• OpenAPI: fix generation of the servers block (also fixes the compatibility with Postman)

• OpenAPI: skip not readable and not writable properties from the spec

• OpenAPI: add the id path parameter for POST item operation

• Serializer: add support for Symfony Serializer's @SerializedName metadata

• Metadata: ApiResource's attributes property now defaults to null, as expected

• Metadata: Fix identifier support when using an interface as resource class

• Metadata: the HTTP method is now always uppercased

• Allow to disable listeners per operation (fix handling of empty request content)

  Previously, empty request content was allowed for any POST and PUT operations. This was an unsafe assumption which caused other problems.

  If you wish to allow empty request content, please add "deserialize"=false to the operation's attributes. For example:

  <?php
  // api/src/Entity/Book.php
  
  use ApiPlatform\Core\Annotation\ApiResource;
  use App\Controller\PublishBookAction;
  
  /**
   * @ApiResource(
   *     itemOperations={
   *         "put_publish"={
   *             "method"="PUT",
   *             "path"="/books/{id}/publish",
   *             "controller"=PublishBookAction::class,
   *             "deserialize"=false,
   *         },
   *     },
   * )
   */
  class Book
  {
  

  You may also need to add "validate"=false if the controller result is null (possibly because you don't need to persist the resource).

• Return the 204 HTTP status code when the output class is set to null

• Be more resilient when normalizing non-resource objects

• Replace the data request attribute by the return of the data persister

• Fix error message in identifiers extractor

• Improve the bundle's default configuration when using symfony/symfony is required

• Fix the use of MetadataAwareNameConverter when available (configuring name_converter: serializer.name_converter.metadata_aware will now result in a circular reference error)

• Fix a dependency injection injection problem in FilterEagerLoadingExtension
• Improve performance by adding a NoOpScalarNormalizer handling scalar values

• Improve performance of the dev environment and deprecate the api_platform.metadata_cache parameter
• Fix a BC break in SearchFilter
• Don't send HTTP cache headers for unsuccessful responses
• GraphQL: parse input and messenger metadata on the GraphQl operation
• GraphQL: do not enable graphql when webonyx/graphql-php is not installed

See the announcement on Kévin's blog for a curated list of the changes.

• Listeners are now opt-in when not handling API Platform operations
• DISTINCT is not used when there are no joins
• Preserve manual join in FilterEagerLoadingExtension
• The elasticsearch attribute can be disabled resource-wise or per-operation
• The messenger attribute can now take the input string as a value (messenger="input"). This will use a default transformer so that the given input is directly sent to the messenger handler.
• The messenger attribute can be declared per-operation
• Mercure updates are now published after the Doctrine flush event instead of on kernel.terminate, so the Mercure and the Messenger integration can be used together
• Use Symfony's MetadataAwareNameConverter when available
• Change the extension's priorities (<0) for improved compatibility with Symfony's autoconfiguration feature. If you have custom extensions we recommend to use positive priorities.

• Fix JSON-LD contexts when using output classes
• GraphQl: Fix pagination (the endCursor behavior was wrong)
• GraphQl: Improve output/input behavior
• GraphQl: Improve mutations (make the clientMutationId nullable and return mutation payload as an object)
• MongoDB: Fix search filter when searching by related collection id
• MongoDB: Fix numeric and range filters

• Fix version constraints for Doctrine MongoDB ODM
• Respect _api_respond request attribute in the SerializeListener
• Change the normalizer's priorities (< 0). If you have custom normalizer we recommend to use positive priorities.

• Allow custom stylesheets to be appended or replaced in the swagger UI
• Load messenger only if available
• Fix missing metadata cache pool for Elasticsearch
• Make use of the new AdvancedNameConverterInterface interface for name converters
• Refactor input/output attributes, where these attributes now take:
  • an array specifying a class and some specific attributes (name and iri if needed)
  • a string representing the class
  • a falsy boolean to disable the input/output
• Introduce the DataTransformer concept to transform an input/output from/to a resource
• Api Platform normalizer is not limited to Resources anymore (you can use DTO as relations and more...)
• MongoDB: allow a 0 limit in the pagination
• Fix support of a discriminator mapping in an entity

See https://dunglas.fr/2019/01/api-platform-2-4/

Full changelog:

• MongoDB: full support
• Elasticsearch: add reading support (including pagination, sort filter and term filter)
• Mercure: automatically push updates to clients using the Mercure protocol
• CQRS support and async message handling using the Symfony Messenger Component
• OpenAPI: add support for OpenAPI v3 in addition to OpenAPI v2
• OpenAPI: support generating documentation using ReDoc
• OpenAPI: basic hypermedia hints using OpenAPI v3 links
• OpenAPI: expose the pagination controls
• Allow to use custom classes for input and output (DTO) with the input_class and output_class attributes
• Allow to disable the input or the output by setting input_class and output_class to false
• Guess and automatically set the appropriate Schema.org IRIs for common validation constraints
• Allow to set custom cache HTTP headers using the cache_headers attribute
• Allow to set the HTTP status code to send to the client through the status attribute
• Add support for the Sunset HTTP header using the sunset attribute
• Set the Content-Location and Location headers when appropriate for better RFC7231 conformance
• Display the matching data provider and data persiter in the debug panel
• GraphQL: improve performance by lazy loading types
• Add the api_persist request attribute to enable or disable the WriteListener
• Allow to set a default context in all normalizers
• Permit to use a string instead of an array when there is only one serialization group
• Add support for setting relations using the constructor of the resource classes
• Automatically set a 409 Conflict HTTP status code when an OptimisticLockException is thrown
• Resolve Dependency Injection Container parameters in the XML and YAML files for the resource class configuration
• RequestAttributesExtractor is not internal anymore and can be used in userland code
• Always use the user-defined metadata when set
• OpenAPI: add a description explaining how to use the property filter
• GraphQL: the look'n'feel of GraphiQL now match the API Platform one
• PHPStan level 6 compliance
• Add a show_webby configuration option to hide the spider in API docs
• Add an easter egg (find it!)

• /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type
• Fix normalization of raw collections (not API resources)
• Fix content negotiation format matching

• GraphQL: compatibility with webonyx/graphql-php 0.13
• OpenAPI/Swagger: expose properties[] as a collection parameter
• OpenAPI/Swagger: add a description for the properties[] filter
• OpenAPI/Swagger: Leverage advanced name converters
• JSON-LD: Prevent an error in ItemNormalizer when $context['resource_class'] is not defined
• Allow to pass a the serialization group to use a string instead of as an array of one element
• Modernize the code base to use PHP 7.1 features when possible
• Bump minimal dependencies of the used Symfony components
• Improve the Packagist description

• Open API/Swagger: fix YAML export
• Open API/Swagger: Correctly expose overridden formats
• GraphQL: display the stack trace when in debug mode
• GraphQL: prevent a crash when the class name isn't provided
• Fix handling of one-to-one relations in subresources
• Fix max depth handling when eager fetching is disabled
• Compatibility with Symfony 4.2
• Prevent calling the remove method from all data persisters
• Persist Doctrine entities with the DEFERRED_EXPLICIT change tracking policy
• Throw an InvalidArgumentException when trying to get an item from a collection route
• Improve the debug bar panel visibility
• Take into account the route_prefix attribute in subresources
• Allow to use multiple values with NumericFilter
• Improve exception handling in ReadListener by adding the previous exception

• Doctrine: revert "prevent data duplication in Eager loaded relations"

• Open API/Swagger: detect correctly collection parameters
• Open API/Swagger: fix serialization of nested objects when exporting as YAML
• GraphQL: fix support of properties also mapped as subresources
• GraphQL: fix retrieving the internal _id when id is not part of the requested fields
• GraphQL: only exposes the mutations if any
• Doctrine: prevent data duplication in Eager loaded relations
• Preserve the host in the internal router

• Data persisters: call only the 1st matching data persister, this fix may break existing code, see https://github.com/api-platform/docs/issues/540#issuecomment-405945358
• Subresources: fix inverse side population
• Subresources: add subresources collections to cache tags
• Subresources: fix Doctrine identifier parameter type detection
• Subresources: fix max depth handling
• GraphQL: send a 200 HTTP status code when a GraphQL response contain some errors
• GraphQL: fix filters to allow dealing with multiple values
• GraphQL: remove invalid and useless parameters from the GraphQL schema
• GraphQL: use the collection resolver in mutations
• JSON API: remove duplicate data from includes
• Filters: fix composite keys support
• Filters: fix the OrderFilter when applied on nested entities
• List Doctrine Inflector as a hard dependency
• Various quality and usability improvements

• Add support for deprecating resources, operations and fields in GraphQL, Hydra and Swagger
• Add API Platform panels in the Symfony profiler and in the web debug toolbar
• Make resource class's constructor parameters writable
• Add support for interface as a resource
• Add a shortcut syntax to define attributes at the root of @ApiResource and @ApiProperty annotations
• Throw an exception if a required filter isn't set
• Allow to specify the message when access is denied using the access_control_message attribute
• Add a new option to include null results when using the date filter
• Allow data persisters to return a new instance instead of mutating the existing one
• Add a new attribute to configure specific formats per resources or operations
• Add an --output option to the api:swagger:export command
• Implement the CacheableSupportsMethodInterface introduced in Symfony 4.1 in all (de)normalizers (improves the performance dramatically)
• Drop support for PHP 7.0
• Upgrade Swagger UI and GraphiQL
• GraphQL: Add a totalCount field in GraphQL paginated collections
• JSONAPI: Allow inclusion of related resources

• Fix ExistsFilter for inverse side of OneToOne association
• Fix to not populate subresource inverse side
• Improve the overall code quality (PHPStan analysis)

• Add support for deprecating resources, operations and fields in GraphQL, Hydra and Swagger
• Add API Platform panels in the Symfony profiler and in the web debug toolbar
• Make resource class's constructor parameters writable
• Add a shortcut syntax to define attributes at the root of @ApiResource and @ApiProperty annotations
• Throw an exception if a required filter isn't set
• Allow to specify the message when access is denied using the access_control_message attribute
• Add a new option to include null results when using the date filter
• Allow data persisters to return a new instance instead of mutating the existing one
• Add a new attribute to configure specific formats per resources or operations
• Add an --output option to the api:swagger:export command
• Implement the CacheableSupportsMethodInterface introduced in Symfony 4.1 in all (de)normalizers (improves the performance dramatically)
• Drop support for PHP 7.0
• Upgrade Swagger UI and GraphiQL
• GraphQL: Add a totalCount field in GraphQL paginated collections
• JSONAPI: Allow inclusion of related resources